Executive Summary
In April 2024, the Crimson Collective, in collaboration with elements of the Lapsus$ group, executed a supply chain attack targeting Red Hat Consulting by breaching its GitLab instance. The attackers gained unauthorized access through credential compromise and lateral movement across internal infrastructure, successfully exfiltrating sensitive source code and internal communications. The breach, which remained undetected for several days, raised concerns over east-west traffic security, lack of segmentation, and insufficient anomaly detection within Red Hat Consulting’s cloud development supply chain.
This incident highlights the increasing prevalence of supply chain attacks that rely on lateral movement, and the growing sophistication of alliances between threat groups. Its relevance is underscored by renewed regulatory scrutiny, the growing risk posed by collaborative cybercriminal operations, and heightened demand for zero trust architecture and cloud-native threat mitigation strategies.
Why This Matters Now
Supply chain attacks are escalating, threatening not only targeted organizations but their entire ecosystems. The Red Hat Consulting breach exemplifies how gaps in cloud visibility, segmentation, and credential management can expose critical business processes to advanced, multi-actor threats. Addressing these vulnerabilities is urgent as attackers continue to refine their tactics and target trusted software platforms.
Attack Path Analysis
Attackers from Crimson Collective and Scattered Lapsus$ gained initial access via a compromised supply chain provider, breaching a Red Hat Consulting GitLab instance. They likely escalated privileges through exploitation of inadequate segmentation and cloud misconfigurations. Once inside, the threat actors moved laterally between cloud workloads and regions, seeking valuable resources. They established command and control by leveraging covert outbound channels and remote tooling. Data was exfiltrated using encrypted channels or outbound egress paths, followed by impact activities including possible ransomware deployment, system disruption, or destruction of backups.
Kill Chain Progression
Initial Compromise
Description
Adversaries gained access via a supply chain breach, compromising the GitLab instance linked to Red Hat through trusted relationships.
Related CVEs
CVE-2021-22205
CVSS 10. An improper validation of user-provided images in GitLab CE/EE allows an unauthenticated remote attacker to execute arbitrary code.
Affected Products:
GitLab GitLab CE/EE – <= 13.10.3
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise
Server Software Component: Web Shell
Valid Accounts
Modify Authentication Process: Domain Controller Authentication
Data from Local System
Exfiltration Over C2 Channel
Impair Defenses: Disable or Modify Tools
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change and Configuration Management
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 6
CISA ZTMM 2.0 – Asset Management - Continuous Inventory
Control ID: 6.1.1
NIS2 Directive – Supply Chain Security
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Red Hat GitLab breach exposes software supply chains to Crimson Collective attacks, requiring enhanced zero trust segmentation and threat detection capabilities.
Information Technology/IT
IT consulting firms face elevated risks from sophisticated threat actors targeting development infrastructure, necessitating comprehensive east-west traffic security measures.
Computer/Network Security
Cybersecurity vendors must strengthen their own defenses against supply chain attacks while implementing multicloud visibility and inline IPS protection.
Management Consulting
Consulting organizations require robust egress security and encrypted traffic solutions to protect client data from advanced persistent threat groups.
Sources
- Red Hat Hackers Team Up With Scattered Lapsus$ Hunters: https://www.darkreading.com/threat-intelligence/red-hat-hackers-team-up-scattered-lapsus-hunters (Verified)
- Red Hat confirms major data breach after hackers claim mega haul: https://www.techradar.com/pro/security/red-hat-confirms-major-data-breach-after-hackers-claim-mega-haul (Verified)
- Red Hat Says It’s Remediating GitLab Security ‘Incident’ At Consulting Arm: https://www.crn.com/news/security/2025/red-hat-says-it-s-remediating-gitlab-security-incident-at-consulting-arm (Verified)
- Red Hat fesses up to GitLab breach after attackers brag: https://www.theregister.com/2025/10/03/red_hat_gitlab_breach/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, strong egress control, encrypted traffic policies, and real-time threat detection would have detected, limited, or prevented each major attack phase. CNSF-aligned controls constrain lateral movement, prevent unauthorized data flows, and block covert C2/exfiltration, thereby reducing blast radius.
Control: Zero Trust Segmentation
Mitigation: Unauthorized access from compromised supply chain paths is denied or contained.
Control: Zero Trust Segmentation
Mitigation: Privilege escalation attempts are blocked across segmented workloads.
Control: East-West Traffic Security
Mitigation: Lateral movement is detected and limited by flow monitoring and policy enforcement.
Control: Egress Security & Policy Enforcement
Mitigation: Covert C2 channels and unauthorized outbound traffic are detected and blocked.
Control: Encrypted Traffic (HPE)
Mitigation: Unapproved data exfiltration is detected and stopped via encrypted traffic enforcement.
Ransomware and destructive activities are rapidly detected and contained.
Impact at a Glance
Affected Business Functions
- Consulting Services
- Customer Support
Estimated downtime: 7 days
Estimated loss: $5,000,000
The breach exposed approximately 800 Customer Engagement Reports containing sensitive infrastructure details, authentication credentials, and network configurations for major enterprises and government organizations worldwide.
Recommended Actions
Key Takeaways & Next Steps
- Enforce identity-based Zero Trust segmentation to block unauthorized supply chain access and lateral movement.
- Deploy robust egress filtering and encrypted traffic controls to eliminate covert C2 and unauthorized data exfiltration.
- Implement east-west traffic visibility with workload-level policy enforcement for early attack detection and response.
- Integrate real-time threat detection and anomaly response to identify ransomware and privilege escalation techniques swiftly.
- Continuously review and limit privileges on sensitive cloud workloads, reducing the blast radius of potential supply chain compromises.
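The report notes that the source-code exfiltration went undetected for several days and calls for anomaly detection on the GitLab instance. The following is an added illustration, not code from the report or from Red Hat or GitLab: it runs a simple sliding-window detection over constructed JSON-lines access-log records (the field names and action values are assumptions, not GitLab's exact schema) and flags any principal that pulls source from an unusually large number of distinct projects in a short time, which is the signature of bulk repository cloning.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed JSON-lines schema, not GitLab's exact format): one service
# token reads six distinct consulting projects in three minutes; a developer works on one project.
SAMPLE_LOG = """
{"time":"2025-10-01T02:00:10Z","remote_ip":"10.8.4.21","user":"svc-ci-token","action":"git-upload-pack","project":"consulting/acme-cer"}
{"time":"2025-10-01T02:00:42Z","remote_ip":"10.8.4.21","user":"svc-ci-token","action":"git-upload-pack","project":"consulting/bank-cer"}
{"time":"2025-10-01T02:01:15Z","remote_ip":"10.8.4.21","user":"svc-ci-token","action":"project_export","project":"consulting/gov-cer"}
{"time":"2025-10-01T02:01:50Z","remote_ip":"10.8.4.21","user":"svc-ci-token","action":"git-upload-pack","project":"consulting/telco-cer"}
{"time":"2025-10-01T02:02:20Z","remote_ip":"10.8.4.21","user":"svc-ci-token","action":"repository_archive","project":"consulting/retail-cer"}
{"time":"2025-10-01T02:02:55Z","remote_ip":"10.8.4.21","user":"svc-ci-token","action":"git-upload-pack","project":"consulting/energy-cer"}
{"time":"2025-10-01T09:10:00Z","remote_ip":"10.8.7.3","user":"jdoe","action":"git-upload-pack","project":"consulting/acme-cer"}
{"time":"2025-10-01T09:15:30Z","remote_ip":"10.8.7.3","user":"jdoe","action":"git-receive-pack","project":"consulting/acme-cer"}
{"time":"2025-10-01T09:40:05Z","remote_ip":"10.8.7.3","user":"jdoe","action":"git-upload-pack","project":"consulting/acme-cer"}
"""

# Read-side actions that move source out of the instance (clone/fetch and exports). Pushes
# (git-receive-pack) are deliberately excluded: they do not extract code.
EXFIL_ACTIONS = {"git-upload-pack", "project_export", "repository_archive"}


def parse_events(text):
    """Parse JSON-lines log text into dicts, converting the 'time' field to a datetime."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_mass_access(events, window=timedelta(minutes=10), threshold=5):
    """Return {principal: sorted projects} for every principal that pulled source from
    at least `threshold` distinct projects inside any sliding window of length `window`."""
    reads = defaultdict(list)
    for e in events:
        if e["action"] in EXFIL_ACTIONS:
            reads[e["user"]].append((e["time"], e["project"]))
    alerts = {}
    for user, items in reads.items():
        items.sort()  # chronological, so each start index anchors one window
        for i, (start, _) in enumerate(items):
            projects = {p for t, p in items[i:] if t - start <= window}
            if len(projects) >= threshold:
                alerts[user] = sorted(projects)
                break
    return alerts


if __name__ == "__main__":
    print(find_mass_access(parse_events(SAMPLE_LOG)))
```

Tune `window` and `threshold` to the normal clone volume of the instance; a CI runner that legitimately mirrors many projects belongs on an allowlist rather than a raised threshold.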