GitHub repositories targeted, Apache Tomcat RCE exploit, BEC campaigns target Microsoft 365 - Cybersecurity Headlines

Summary

Cyber Security Headlines – March 18, 2025

Hosted by CISO Series

Introduction

In this episode of Cyber Security Headlines, Lauren Verno delves into the most pressing cybersecurity incidents of the day, providing insightful analysis and expert commentary. From widespread supply chain attacks to sophisticated phishing campaigns, today's discussions highlight the evolving threat landscape and the critical measures organizations must adopt to safeguard their digital assets.

1. Massive Targeting of GitHub Repositories in Supply Chain Attack

Timestamp: 00:06

Lauren begins by addressing a significant supply chain attack targeting over 23,000 GitHub repositories. The breach exploited a popular GitHub Action used in CI/CD pipelines.

Attack Details:
Attackers compromised a GitHub personal access token, allowing them to inject malicious code into workflow logs. This exposure potentially leaked CI/CD secrets, though no evidence suggests data was exfiltrated.
Response:
GitHub swiftly removed and restored the affected repositories on March 15 after purging the malicious commits. However, the incident underscores the broader supply chain risks inherent in open-source projects.
Recommendations:
Users are advised to:
- Rotate secrets used during the attack timeframe.
- Review workflows for any suspicious activities.
- Ensure projects utilize secure, tagged versions of GitHub Actions to mitigate future risks.

Notable Quote:
"This incident raises serious concerns about the supply chain vulnerabilities in open-source ecosystems," Lauren emphasizes at 00:20.

2. Apache Tomcat Remote Code Execution (RCE) Exploit

Timestamp: 02:15

A critical vulnerability in Apache Tomcat is actively exploited, allowing attackers to execute remote code without authentication.

Vulnerability Details:
The flaw originates from Tomcat's default session persistence and partial PUT request support. Attackers can send a simple PUT request containing a base64-encoded Java payload to hijack servers.
Implications:
The ease of exploitation and the lack of authentication make this a particularly dangerous vulnerability. Additionally, detecting such exploits remains challenging.
Current Status:
Although patches have been released, a Wall ARM bulletin warns that attackers may escalate tactics, potentially deploying backdoors and altering server configurations.

Notable Quote:
"This is just the beginning," Lauren warns at 02:45, highlighting the potential for more aggressive attack strategies.

3. New Business Email Compromise (BEC) Campaigns Targeting Microsoft 365

Timestamp: 04:30

Microsoft 365 users are facing sophisticated Business Email Compromise (BEC) campaigns that leverage trusted infrastructure to bypass security controls.

Campaign Tactics:
Two primary impersonation strategies are employed:
1. Misconfigured Microsoft Tenants: Attackers send fraudulent billing emails, deceiving victims into contacting fake support centers.
2. Malicious OAuth Apps: By impersonating reputable brands like Adobe and DocuSign, these campaigns steal user credentials and distribute malware.
Impact:
These tactics not only facilitate account takeovers but also undermine trust in widely used platforms like Microsoft 365.

Notable Quote:
"These campaigns are a testament to how attackers are evolving to exploit trusted services," Lauren notes at 05:10.

4. Supply Chain Attack Compromises Over 100 Auto Dealership Websites

Timestamp: 07:00

A devastating supply chain attack has affected more than 100 car dealership websites, infiltrating them via the LES automotive video service.

Attack Mechanism:
Hackers injected malicious ClickFix code through the video service, tricking website visitors into executing malicious commands via PowerShell, thereby installing the SEC Top RAT (Remote Access Trojan).
Trend Insight:
ClickFix, a social engineering tactic, has been on the rise. Researchers attribute the surge to increased sophistication and deployment in recent months.

Notable Quote:
"ClickFix has been a growing threat, but its recent surge signals a new wave of social engineering attacks," Lauren explains at 07:45.

5. Over 8,000 WordPress Vulnerabilities Discovered

Timestamp: 08:30

The WordPress ecosystem faces a significant vulnerability surge, with 7,966 vulnerabilities identified last year alone.

Vulnerability Breakdown:
- Plugins: 96% of vulnerabilities impact plugins, many of which are low to medium in severity.
- Themes: A smaller portion affects themes, with nearly half being cross-site scripting (XSS) flaws.
- Authentication: 43% of these vulnerabilities can be exploited without authentication.
Response Challenges:
Many vulnerabilities, particularly in abandoned plugins, remain unpatched post-disclosure. Plugin developers often lag in addressing these issues, leaving websites exposed.

Notable Quote:
"The persistence of these vulnerabilities highlights a critical need for better maintenance and oversight in the WordPress plugin ecosystem," Lauren remarks at 09:15.

6. Ransom Hub and Sock Ghoulish Collaborate on Multi-Stage Attacks

Timestamp: 10:00

A formidable alliance has formed between the Ransom Hub ransomware group and the operators of the Sock Ghoulish malware-as-a-service framework.

Attack Strategy:
The partnership delivers malicious Sock Ghoulish payloads through compromised websites, which subsequently deploy Ransom Hub ransomware across US Government, banking, and consulting sectors.
Geographical Reach:
While primarily targeting the US Government, attacks have also been reported in Japan and Taiwan.

Notable Quote:
"This collaboration represents a match made in hacker heaven, significantly amplifying the threat to critical sectors," Lauren highlights at 10:30.

7. Blacklock Ransomware Group Revealed as El Dorado Rebrand

Timestamp: 12:00

Investigations confirm that the Blacklock ransomware group is a rebranded version of the notorious El Dorado threat actor.

Activity Overview:
Since rebranding, Blacklock has executed 48 attacks in the first two months of 2025, focusing on high-value sectors such as construction and real estate.
Technical Advancements:
Blacklock has enhanced El Dorado's technical framework, improving encryption speeds and attack strategies, making them one of the year's most notorious ransomware operators.

Notable Quote:
"Blacklock's rebranding is more than cosmetic; they've significantly ramped up their operational capabilities," Lauren states at 12:30.

8. UK Experiences Surge in Social Media Account Compromises

Timestamp: 14:00

UK-based social media and email accounts saw a 57% increase in compromises in 2024, resulting in nearly £1 million ($1.3 million) in victim losses.

Common Fraud Tactics:
- Investment Fraud
- Ticket Fraud
- On-Platform Chain Hacking: Fraudsters impersonate victims to scam their contacts.
Mitigation Efforts:
Action Fraud and Meta have launched campaigns urging users to adopt basic cyber hygiene practices, such as using unique passwords and enabling two-factor authentication.

Notable Quote:
"Enhancing basic security measures can significantly reduce the risk of falling victim to these pervasive scams," Lauren advises at 14:30.

Conclusion

Lauren Verno wraps up the episode by emphasizing the importance of staying informed and proactive in the face of evolving cyber threats. By understanding the latest attack vectors and implementing robust security practices, individuals and organizations can better defend against the ever-changing landscape of cybersecurity challenges.

Notable Closure:
"Cybersecurity is a continuous battle," Lauren concludes at 15:00, "and staying informed is your first line of defense."

Additional Resources:

For in-depth stories behind these headlines, visit CISOseries.com.
Explore the new podcast, Security You Should Know, for expert insights on proving the value of cybersecurity solutions to leadership and more.

This summary captures the essential discussions and insights from the March 18, 2025, episode of Cyber Security Headlines. Stay tuned to CISO Series for daily updates on the world of information security.

Transcript

A (0:00)

From the CISO series, it's Cybersecurity Headlines.

B (0:06)

These are the cybersecurity headlines for Tuesday, March 18, 2025. I'm Lauren Verno 23,000 repositories targeted in popular GitHub action A supply chain attack on the widely used GitHub action compromised CP CI CD secrets in build logs for over 23,000 repositories. Attackers hijacked a GitHub personal access token to inject malicious code that exposed secrets in publicly accessible workflow logs, though there's no evidence the data was exfiltrated. GitHub removed and restored the repository on March 15 after eliminating the malicious commitment, but the incident raised concerns about broader supply chain risk for open source projects. Now users are recommended to rotate secrets during the attack's timeframe, review workflows, and ensure projects use a secure tagged version of the action. Apache Tomcat RCE exploit hits servers, no authentication Required A critical RCE vulnerability in Apache Tomcat is being actively exploited, allowing attackers to hijack servers using a simple put request with a base 64 encoded Java payload. Now the flaw, which requires no authentication, stems from Tomcat's default session persistence and partial put support, making it easy to execute and difficult to detect. Now while patches have been released, a bulletin release on Wall ARM warns this is just the beginning as attackers may soon escalate tactics to deploy backdoors and modify configurations. Microsoft 365 users targeted in New BEC Campaigns A fresh batch of malicious Campaigns are exploiting Microsoft 365's trusted infrastructure to launch phishing campaigns that bypass security controls and facilitate account takeovers. These business email compromise campaigns target users using two different brand impersonation campaigns. Now the first abuses misconfigured Microsoft tenants to send fraudulent billing emails, tricking victims into calling fake support centers. Now the other campaign uses malicious OAuth apps, impersonating Adobe and DocuSign to steal credentials and deliver malware. Supply chain attack hits 100 plus auto dealerships over a hundred car dealership websites were compromised by a supply chain attack where hackers injected malicious click fix code through the LES automotive video service. The attack tricked visitors into copying and executing a malicious command, ultimately infecting them with the SEC Top RAT Remote access Trojan via PowerShell. Researchers warn that ClickFix, a growing social engineering tactic, has been used for years, but there has been a surge in the technique over the past several months thanks to today's episode sponsor, Delete Me. Data brokers bypass online safety measures to sell your name, address and Social Security numbers to scammers. Deleteme Delete scours the web to find and remove your private information before it gets into the wrong hands by scanning for exposed information and completing opt outs and removals. With over 100 million personal listings removed, Deleteme is your trusted privacy solution for online safety. Get 20% off your delete me plan when you go to JoinDeleteMe.com CISO and use the promo code CISO at checkout. The only way to get 20% off is to go to JoinDeleteMe.com CISO and enter the code CISO. And by the way, the CISO series just launched a new podcast, Security. You should know we've got more details at the end of the episode. Thousands of WordPress vulnerabilities exposed Close to 8,000 vulnerabilities were discovered in the WordPress ecosystem last year, 7,966 to be exact, with the overwhelming majority 96% affecting plugins and a much smaller portion impacting themes. While most of these vulnerabilities were considered low or medium severity, 43% could be exploited without authentication and nearly half were cross site scripting flaws. Security firm patchstack noted that many vulnerabilities, especially in abandoned plugins, remain on patch after public disclosure, leaving them active and exploitable on websites. The firm also noted that many plugin developers were slow to address the issues. Ransom Hub and Sock Ghoulish team up A match made in hacker heaven the Ransom Hub group has partnered with the operator of the fake Updates malware as a service framework, Sock Ghoulish, to launch a multi stage attack on US Government organizations as well as the banking and consulting sectors. Now the attack begins with compromised websites delivering malicious Sock Ghoulish payloads which then deploy Ransom Hub ransomware. While the majority of these attacks have affected the US Government, reports of attacks on Japan and Taiwan have also emerged. Ransomware rebrand for El Dorado Researchers have linked the Blacklock ransomware group to the notorious El Dorado, confirming that Blacklock is a rebrand of the earlier threat actor. Since resurfacing, Blacklock has executed 48 attacks in the first two months of 2025, with a focus on high value sectors like construction and real estate. Known for its flexibility, the group uses fast encryption techniques and destructive wipers targeting both government agencies and private industries. Blacklock has retained El Dorado's technical foundation but improved its encryption speeds and attack strategies, quickly becoming one of the most notorious ransomware groups of the year. UK sees surge in social media account compromises UK social media and email account compromises increased by 57% in 2024, with nearly £1 million, or $1.3 million in victim losses. That's according to Action Fraud. The most common tactics involved investment fraud, ticket fraud and on platform chain hacking, where fraudsters impersonate victims to scam their contacts. Action Fraud and Meta have launched a campaign encouraging users to enhance security by incorporating basic cyber hygiene, including using unique passwords and enabling two factor authentication. As a security practitioner, you want to learn about new cybersecurity solutions on the market, but you don't want to get immediately sucked into the sales funnel. That's why we designed Security youy should know. In 15 minutes, you get answers about how to prove the value of a specific vendor solution to company leadership, get pricing info, and get answers to a bevy of questions posed by our security expert guest. Check it out now. @ciso series.com I'm Lauren Vernow reporting for the CISO Series.