Cyber Security Headlines – March 18, 2025
Hosted by CISO Series
Introduction
In this episode of Cyber Security Headlines, Lauren Verno delves into the most pressing cybersecurity incidents of the day, providing insightful analysis and expert commentary. From widespread supply chain attacks to sophisticated phishing campaigns, today's discussions highlight the evolving threat landscape and the critical measures organizations must adopt to safeguard their digital assets.
1. Massive Targeting of GitHub Repositories in Supply Chain Attack
Timestamp: 00:06
Lauren begins by addressing a significant supply chain attack targeting over 23,000 GitHub repositories. The breach exploited a popular GitHub Action used in CI/CD pipelines.
- Attack Details: Attackers compromised a GitHub personal access token, allowing them to inject malicious code that wrote to workflow logs. This exposure potentially leaked CI/CD secrets, though no evidence suggests data was exfiltrated.
- Response: GitHub removed and then restored the affected repositories on March 15 after purging the malicious commits. The incident nonetheless underscores the supply chain risk inherent in open-source projects.
- Recommendations: Users are advised to:
  - Rotate any secrets used during the attack timeframe.
  - Review workflows for suspicious activity.
  - Ensure projects use secure, tagged versions of GitHub Actions to mitigate future risk.
Notable Quote:
"This incident raises serious concerns about the supply chain vulnerabilities in open-source ecosystems," Lauren emphasizes at 00:20.
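The episode's advice is to use tagged versions of GitHub Actions; the checker below, added here as an example and not code from the episode or any project it mentions, goes one step further and flags every `uses:` reference that is not pinned to a full commit SHA, since a tag is a mutable reference that can be moved. The sample workflow and the 40-character SHA in it are constructed placeholders.

```python
import re

# Matches `uses: <ref>` in a workflow step or reusable-workflow job.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Return 'sha', 'tag', 'branch', 'local' or 'docker' for a uses: value."""
    if ref.startswith("./"):
        return "local"          # action in the same repository
    if ref.startswith("docker://"):
        return "docker"         # container image, outside this check
    if "@" not in ref:
        return "branch"         # no ref at all resolves to the default branch
    _, _, version = ref.rpartition("@")
    if SHA_RE.match(version):
        return "sha"            # immutable: points at exactly one commit
    if re.match(r"^v?\d", version):
        return "tag"            # mutable: the tag can be re-pointed
    return "branch"             # mutable: tracks the branch head


def find_mutable_uses(workflow_text: str) -> list[tuple[str, str]]:
    """List (reference, kind) for every action not pinned to a commit SHA."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        kind = classify_ref(ref)
        if kind in ("tag", "branch"):
            findings.append((ref, kind))
    return findings


# Constructed sample workflow; the SHA is a placeholder, not a real commit.
PLACEHOLDER_SHA = "0123456789abcdef" * 2 + "01234567"
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@{PLACEHOLDER_SHA}
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for ref, kind in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"not SHA-pinned ({kind}): {ref}")
```

Run over the sample, only the tag-pinned checkout step and the branch-tracking action are reported; the SHA-pinned and local steps pass.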
2. Apache Tomcat Remote Code Execution (RCE) Exploit
Timestamp: 02:15
A critical vulnerability in Apache Tomcat is actively exploited, allowing attackers to execute remote code without authentication.
- Vulnerability Details: The flaw originates from Tomcat's default session persistence and partial PUT request support. Attackers can send a simple PUT request containing a base64-encoded Java payload to hijack servers.
- Implications: The ease of exploitation and the lack of authentication make this a particularly dangerous vulnerability, and detecting such exploits remains challenging.
- Current Status: Although patches have been released, a Wallarm bulletin warns that attackers may escalate their tactics, potentially deploying backdoors and altering server configurations.
Notable Quote:
"This is just the beginning," Lauren warns at 02:45, highlighting the potential for more aggressive attack strategies.
3. New Business Email Compromise (BEC) Campaigns Targeting Microsoft 365
Timestamp: 04:30
Microsoft 365 users are facing sophisticated Business Email Compromise (BEC) campaigns that leverage trusted infrastructure to bypass security controls.
- Campaign Tactics: Two primary impersonation strategies are employed:
  - Misconfigured Microsoft Tenants: Attackers send fraudulent billing emails, deceiving victims into contacting fake support centers.
  - Malicious OAuth Apps: By impersonating reputable brands like Adobe and DocuSign, these campaigns steal user credentials and distribute malware.
- Impact: These tactics not only facilitate account takeovers but also undermine trust in widely used platforms like Microsoft 365.
Notable Quote:
"These campaigns are a testament to how attackers are evolving to exploit trusted services," Lauren notes at 05:10.
4. Supply Chain Attack Compromises Over 100 Auto Dealership Websites
Timestamp: 07:00
A devastating supply chain attack has affected more than 100 car dealership websites, infiltrating them via the LES Automotive video service.
- Attack Mechanism: Hackers injected malicious ClickFix code through the video service, tricking website visitors into executing malicious commands via PowerShell and thereby installing the SectopRAT remote access trojan.
- Trend Insight: ClickFix, a social engineering tactic, has been on the rise. Researchers attribute the surge to its increased sophistication and deployment in recent months.
Notable Quote:
"ClickFix has been a growing threat, but its recent surge signals a new wave of social engineering attacks," Lauren explains at 07:45.
5. Over 8,000 WordPress Vulnerabilities Discovered
Timestamp: 08:30
The WordPress ecosystem faces a significant vulnerability surge, with 7,966 vulnerabilities identified last year alone.
- Vulnerability Breakdown:
  - Plugins: 96% of vulnerabilities affect plugins, many of them low to medium in severity.
  - Themes: A smaller portion affects themes, with nearly half being cross-site scripting (XSS) flaws.
  - Authentication: 43% of these vulnerabilities can be exploited without authentication.
- Response Challenges: Many vulnerabilities, particularly in abandoned plugins, remain unpatched after disclosure. Plugin developers often lag in addressing these issues, leaving websites exposed.
Notable Quote:
"The persistence of these vulnerabilities highlights a critical need for better maintenance and oversight in the WordPress plugin ecosystem," Lauren remarks at 09:15.
6. RansomHub and SocGholish Collaborate on Multi-Stage Attacks
Timestamp: 10:00
A formidable alliance has formed between the RansomHub ransomware group and the operators of the SocGholish malware-as-a-service framework.
- Attack Strategy: The partnership delivers malicious SocGholish payloads through compromised websites, which subsequently deploy RansomHub ransomware across US Government, banking, and consulting sectors.
- Geographical Reach: While primarily targeting the US Government, attacks have also been reported in Japan and Taiwan.
Notable Quote:
"This collaboration represents a match made in hacker heaven, significantly amplifying the threat to critical sectors," Lauren highlights at 10:30.
7. BlackLock Ransomware Group Revealed as Eldorado Rebrand
Timestamp: 12:00
Investigations confirm that the BlackLock ransomware group is a rebranded version of the notorious Eldorado threat actor.
- Activity Overview: Since rebranding, BlackLock has executed 48 attacks in the first two months of 2025, focusing on high-value sectors such as construction and real estate.
- Technical Advancements: BlackLock has enhanced Eldorado's technical framework, improving encryption speeds and attack strategies, making it one of the year's most notorious ransomware operators.
Notable Quote:
"BlackLock's rebranding is more than cosmetic; they've significantly ramped up their operational capabilities," Lauren states at 12:30.
8. UK Experiences Surge in Social Media Account Compromises
Timestamp: 14:00
UK-based social media and email accounts saw a 57% increase in compromises in 2024, resulting in nearly £1 million ($1.3 million) in victim losses.
- Common Fraud Tactics:
  - Investment Fraud
  - Ticket Fraud
  - On-Platform Chain Hacking: Fraudsters impersonate victims to scam their contacts.
- Mitigation Efforts: Action Fraud and Meta have launched campaigns urging users to adopt basic cyber hygiene practices, such as using unique passwords and enabling two-factor authentication.
Notable Quote:
"Enhancing basic security measures can significantly reduce the risk of falling victim to these pervasive scams," Lauren advises at 14:30.
Conclusion
Lauren Verno wraps up the episode by emphasizing the importance of staying informed and proactive in the face of evolving cyber threats. By understanding the latest attack vectors and implementing robust security practices, individuals and organizations can better defend against the ever-changing landscape of cybersecurity challenges.
Notable Closure:
"Cybersecurity is a continuous battle," Lauren concludes at 15:00, "and staying informed is your first line of defense."
Additional Resources:
- For in-depth stories behind these headlines, visit CISOseries.com.
- Explore the new podcast, Security You Should Know, for expert insights on proving the value of cybersecurity solutions to leadership and more.
This summary captures the essential discussions and insights from the March 18, 2025, episode of Cyber Security Headlines. Stay tuned to CISO Series for daily updates on the world of information security.
