A reel disaster for GitHub. - CyberWire Daily

Summary

CyberWire Daily: A Reel Disaster for GitHub Release Date: March 17, 2025
Host: Dave Bittner | Contributor: Tim Starks (Cyberscoop)

1. Massive Phishing Campaign Targets GitHub Repositories

On March 17, 2025, CyberWire Daily reported a significant phishing campaign targeting nearly 12,000 GitHub repositories. The malicious operations involved fake security alert issues designed to deceive developers into authorizing a rogue OAuth application named "Git Security App".

Mechanism of Attack:
- Fake Security Alerts: The phishing messages falsely claimed that suspicious activities were detected from Iceland, urging users to update passwords and enable two-factor authentication.
- Malicious OAuth Authorization: All embedded links redirected users to an OAuth authorization page. Once authorized, attackers gained comprehensive access to repositories, user profiles, discussions, and workflows.
Response and Mitigation:
- Detection and Advisory: The campaign was first identified by researcher Luke4M. GitHub is actively responding to the threat.
- User Actions: Affected users are advised to revoke access to the malicious app via GitHub settings, inspect for unexpected GitHub actions, and rotate their credentials.
Notable Insight:
- "Developers should remain vigilant against such phishing attempts," emphasized Dave Bittner ([00:02]).

2. BlackLock Ransomware Group Escalates Attacks

The BlackLock Ransomware Group has emerged as one of the most active ransomware-as-a-service (RaaS) operators in early 2025, targeting over 40 organizations across various sectors including construction, real estate, IT services, and government agencies.

Tactics and Techniques:
- Fast Encryption: Utilizing Golang for cross-platform attacks, BlackLock employs swift encryption methods.
- Extortion Methods: The group uses ChaCha20 and RSA OAEP encryption, leveraging leak sites to pressure victims into paying ransoms.
- Recruitment: BlackLock recruits key players, known as "traffers," to facilitate and execute attacks.
Impact and Recommendations:
- The group's activities, rooted in the rebranded Eldorado Group, underscore the need for enhanced cybersecurity measures.
- Experts advise organizations to bolster their defenses against such sophisticated ransomware threats.

3. Federal Judge Orders Reinstatement of CISA Employees

A pivotal legal development occurred when Judge James Breidar temporarily blocked the Trump administration's attempt to terminate thousands of federal employees, including over 400 from the Department of Homeland Security (DHS) and 130 from the Cybersecurity and Infrastructure Security Agency (CISA).

Legal Context:
- The judge's order mandates the reinstatement of employees by March 17, amidst a lawsuit filed by 20 state attorneys general.
Concerns Raised:
- Cybersecurity Implications: Experts caution that mass layoffs could severely weaken national cybersecurity defenses.
- Official Responses:
  - White House: Labelled the rulings as judicial overreach.
  - CISA: Denied layoffs of its Red Team, attributing changes to contract modifications for efficiency.
Notable Discussion:
- During the episode, Tim Starks highlighted the importance of retaining cybersecurity personnel, stating, "We need to keep on hand actual cyber operational people who are responsible for protecting the federal government in those agencies" ([18:17]).

4. Supply Chain Attack Compromises Car Dealership Websites

Over 100 car dealership websites fell victim to a sophisticated supply chain attack targeting LES Automotive, a shared video service provider.

Attack Details:
- Click Fix Technique: Users were deceived into executing malicious commands via fake reCAPTCHA prompts.
- Malware Distribution: The attack deployed Secto Rat via PowerShell, with injected JavaScript containing Russian comments indicative of dynamic script manipulation.
Broader Implications:
- Industry Impact: Microsoft has issued warnings about similar attacks within the hospitality sector.
- Prevention Strategies: Security researchers, including Randy McCoyne, advise enforcing multi-factor authentication and regular credential rotations.

5. Critical Vulnerability Discovered in RSA Encryption Keys

Researchers uncovered a significant vulnerability affecting RSA encryption keys, revealing that approximately 1 in 172 online certificates are susceptible to compromise due to inadequate random number generation.

Findings:
- Shared Prime Factors: Over 75 million RSA certificates were analyzed, with 435,000 deemed vulnerable as shared prime factors could be exploited using basic greatest common divisor (GCD) calculations.
- At-Risk Devices: IoT devices are particularly vulnerable, with 50% of compromised keys linked to a major network equipment manufacturer.
Recommendations:
- Manufacturers must enhance entropy sources and adhere to cryptographic best practices to mitigate these risks.
- Critical Systems Vulnerability: Weak RSA keys pose threats to essential systems like medical equipment and industrial controls.

6. New Era Life Insurance Data Breach Affects 355,000 Individuals

New Era Life Insurance Company disclosed a data breach affecting 355,000 individuals in December 2024, marking the largest health data breach reported by a health plan this year.

Breach Details:
- Unauthorized Access Period: Between December 9th and 18th, last year.
- Compromised Data: Included sensitive personal and health information such as names, insurance IDs, medical details, and some Social Security numbers.
Response Measures:
- Support Offered: The company is providing free credit monitoring and is in the process of enhancing its security infrastructure.
- Legal Actions: Multiple law firms are investigating potential class action lawsuits against the insurer.

7. Decryptor Released for Akira Ransomware

Security researcher Johannes Nugroho has developed and released a decryptor for the Linux variant of Akira ransomware, utilizing GPUs to brute-force encryption keys.

Technical Breakdown:
- Encryption Key Generation: Akira employs timestamp-based seeds, complicating decryption efforts.
- Decryptor Efficiency: Nugroho leveraged cloud-based RTX 4090 GPUs to crack the keys within approximately 10 hours.
- Availability: The decryptor tool is accessible on GitHub, enabling free file recovery, though effectiveness may vary.
User Advisory:
- Users are strongly recommended to back up encrypted files before attempting decryption to avoid potential data corruption.

8. New Mapping Database Launched to Aid NGOs and High-Risk Individuals

Common Good Cyber, a global nonprofit, has unveiled a mapping database designed to assist NGOs and high-risk individuals in identifying appropriate security tools.

Database Features:
- Content: Lists 334 Public Interest Security Services, categorized under six primary domains: Govern, Identify, Protect, Detect, Respond, and Recover.
- Support and Backing: Funded by the UK Foreign, Commonwealth & Development Office (FCDO) and the EU Institute for Security Studies.
Objective:
- Aimed at enhancing cybersecurity for over 10 million NGOs worldwide, the initiative addresses the rising cyber threats against nonprofits, with 32% of charities reporting incidents in 2024.
Expert Commentary:
- Common Good Cyber emphasizes the necessity of making cybersecurity accessible to all, supported by the UK's National Cyber Security Centre (NCSC) guidance highlighting the sector's vulnerability to digital threats.

9. In-Depth Discussion with Tim Starks on Cyber Policy and CISA

In an insightful segment, host Dave Bittner converses with Tim Starks, a senior reporter at Cyberscoop, regarding concerns among trade groups over the renewal of critical cyber laws and the future direction of the Cybersecurity and Infrastructure Security Agency (CISA).

Key Topics Discussed:
- DHS Advisory Panels: The Trump administration's elimination of several DHS advisory panels, including one focused on critical infrastructure protection, has raised alarm among trade groups. These panels previously held legal authority to safeguard communications between the government and industry sectors.
- Cybersecurity Information Sharing Act (CISA):
  - The 2015 Cybersecurity Information Sharing Act is nearing expiration, posing threats to information sharing between the government and private sectors.
  - *"If you were to say, 'We need these things, otherwise we're not going to be sharing as much information between ourselves,'" * Tim emphasized ([14:18]).
- Nomination of CISA Director:
  - Discussion around the Trump administration's nominee for CISA director, Sean Planke, who brings extensive cybersecurity experience from both the private sector and government roles, contrasting with other nominees lacking in-depth cyber expertise.
  - Tim noted, "If you were worried about the administration's cyber direction, he [Planke] seems loyal to the Republican agenda but has deep credentials," highlighting the nominee’s balanced profile ([16:31]).
- Potential Reversals on Cyber Personnel Cuts:
  - The conversation touched upon recent messages from the Office of Management and Budget (OMB) and possible walkbacks by the administration regarding the termination of cybersecurity personnel.
  - Tim concluded, "We're getting some hints of some commitment to cybersecurity personnel, but it's a question of how much of a commitment and where," acknowledging ongoing uncertainties ([18:38]).
Conclusion of Discussion:
- The exchange underscored the critical importance of maintaining robust cybersecurity teams within federal agencies to protect national security interests amidst administrative changes.

10. Breakthrough in Hash Table Research

In a fascinating development, recent academic research has refuted a longstanding conjecture by Turing Award winner Andrew Yao regarding hash tables.

Research Highlights:
- Discovery of a New Hash Table: Andrew Krapivin and his colleagues unveiled a novel hash table design that achieves constant time for insertions and searches, regardless of the table’s fullness.
- Impact on Computer Science: This advancement overturns Yao's conjecture, which posited that the worst-case time complexity for such operations could not be exponentially improved as the table approaches full capacity.
Collaborative Validation:
- Professor Martin Farosh Colton and William Kazmal from Carnegie Mellon University confirmed the validity of Krapivin's findings, solidifying the breakthrough's credibility.
Future Implications:
- While practical applications are still being explored, this research fundamentally redefines the efficiency paradigms for hash tables, which are integral to cybersecurity and data storage mechanisms.

Notable Quotes

Dave Bittner ([00:02]): "Developers should remain vigilant against such phishing attempts."
Tim Starks ([14:18]): "We need to keep on hand actual cyber operational people who are responsible for protecting the federal government in those agencies."
Tim Starks ([16:31]): "He [Sean Planke] seems loyal to the Republican agenda but has deep credentials."
Tim Starks ([18:38]): "We're getting some hints of some commitment to cybersecurity personnel, but it's a question of how much of a commitment and where."

Conclusion

This episode of CyberWire Daily provided a comprehensive overview of significant cybersecurity incidents and developments as of March 17, 2025. From large-scale phishing campaigns and ransomware threats to pivotal legal decisions impacting federal cybersecurity personnel, the discussions underscored the evolving landscape of cyber threats and the critical need for robust defense mechanisms. The insightful dialogue with Tim Starks shed light on the intricate interplay between government policies and cybersecurity infrastructure, highlighting ongoing challenges and the pursuit of effective information-sharing frameworks.

For further details on today's stories, visit thecyberwire.com.

Produced by Alice Carruth, Liz Stokes, and mixed by Trey Hester. Executive Producer: Jennifer Ibin. Publisher: Peter Kilpe.

Transcript

Dave Bittner (0:02)

You're listening to the Cyberwire network, powered by N2K. And now a brief message from our sponsor, DropZone AI. Is your SoC drowning in alerts? With legitimate threats sitting in queues for hours or even days? The latest SANS SOC survey report reveals alert fatigue and limited automation are SOC Team's greatest barriers. Drop Zone AI, recognized by Gartner as a cool vendor, directly addresses these challenges through autonomous recursive reasoning investigations, quickly eliminating false positives, enriching context, and enabling analysts to prioritize real incidents faster. Take control of your alerts and investigations with DropZone AI. A phishing campaign targets nearly 12,000 GitHub repositories the BlackLock ransomware group is one to watch. A federal judge orders reinstatement of workers at CISA. Over 100 car dealership websites suffer a supply chain attack and Hellcat breaches. Jaguar Land Rover researchers uncover a major vulnerability affecting RSA encryption keys. A life Insurance Co. Notifies 355,000 individuals of a December 2024 data breach. A researcher releases a decryptor for Akira Ransomware. A new mapping database aims to help NGOs and high risk individuals find security tools. Tim Starks from cyberscoop joins me with news that trade groups worry over renewal of a vital cyber law and a fundamental shift of our understanding of hash tables. It's Monday, March 17, 2025. I'm Dave Pittner and this is your Cyberwire Intel Brief. Thanks for joining us here today. Happy St Patrick's Day for those who celebrate. It is always great to have you with us. A phishing campaign has targeted nearly 12,000 GitHub repositories with fake security alert issues, tricking developers into authorizing a malicious OAuth app called Git Security App. The fake alerts claim suspicious activity was detected from Iceland, urging users to update passwords and enable two factor authentication. However, all links lead to an OAuth authorization page that grants attackers full access to repositories, user profiles, discussions and workflows. The attack, first spotted by researcher Luke4M, is ongoing, though GitHub appears to be responding. Users who mistakenly authorize the app should revoke access in GitHub settings, check for unexpected GitHub actions, and rotate credentials. The malicious campaign directs stolen credentials to sites hosted on Render. Developers should remain vigilant against such phishing attempts. The Blacklock Ransomware Group has attacked over 40 organizations in early 2025, making it one of the most active ransomware as a service operators targeting construction, real estate, IT service providers and government agencies. The group employs fast encryption and leak sites for extortion using Golang for cross platform attacks. Blacklock leverages ChaCha20 and RSA OAEP encryption emerging from the rebranded Eldorado Group. It recruits key players known as traffers to aid attacks. Organizations should enhance their cybersecurity measures to combat this growing ransomware threat. A US federal judge temporarily blocked the Trump administration's effort to fire thousands of federal employees, including over 400 from the Department of Homeland Security and 130 from the Cybersecurity and Infrastructure Security Agency. Judge James Breidar ordered reinstatement by March 17, pending a lawsuit by 20 state attorneys general. Concerns over cybersecurity and national security have emerged, with experts warning that mass layoffs weaken defenses. The White House called the rulings judicial overreach. DHS contractors like penetration tester Christopher Chenoweth reported terminations affecting Red Team operations. CISA denied laying off its Red Team, stating contract changes were made for efficiency. The Office of Personnel Management and the Department of Government Efficiency have not commented on the firings. Over 100 car dealership websites were compromised in a supply chain attack after threat actors infected LES Automotive, a shared video service. The attackers deployed the click fix technique, tricking users into executing malicious commands via fake recaptcha prompts. This method, increasingly used by cybercriminals, has spread information stealers and malware. Security researcher Randy McCoyne found the attack distributing Secto Rat via PowerShell. The injected JavaScript contained Russian comments suggesting dynamic script manipulation. Microsoft recently warned of similar attacks in hospitality. Elsewhere in the automotive world, the Hellcat ransomware group breached Jaguar Land Rover using stolen Atlassian in JJIRA credentials, exposing 700 internal documents and employee data on hacking forums. The threat actor Ray claimed responsibility, while another hacker, Apts, leaked an additional 350GB of sensitive data. The stolen information includes development logs, tracking data and proprietary source code, raising concerns over intellectual property theft and potential targeted attacks. Hellcat, known for exploiting JIRA vulnerabilities, has previously targeted Telefonica and Schneider Electric. Experts urge organizations to enforce multi factor authentication and credential rotation to prevent similar breaches. Security researchers have uncovered a major vulnerability affecting RSA encryption keys, with approximately 1 in 172 online certificates susceptible to compromise due to poor random number generation. Key Factor security analyzed over 75 million RSA certificates, finding 435,000 vulnerable due to shared prime factors allowing attackers to break encryption using simple greatest common Divisor calculations. IoT devices are particularly at risk, with 50% of compromise keys linked to a major network equipment manufacturer. Despite warnings, many devices still use weak RSA keys, posing threats to critical systems like medical equipment and industrial controls. Researchers urge manufacturers to improve entropy sources and follow cryptographic best practices to mitigate risks. New Era Life insurance companies is notifying 355,000 individuals of a December 2024 data breach, the largest health data breach reported by a health plan this year. The Texas based insurer discovered unauthorized access between December 9th and 18th of last year, during which sensitive personal and health data, including names, insurance IDs and medical details was copied. Some Social Security numbers were also compromised. The company is offering free credit monitoring and enhancing security measures. Several law firms are investigating potential class action lawsuits. Security researcher Johannes Nugroho released a decryptor for the Linux variant of Akira ransomware, leveraging GPUs to brute force encryption keys. Akira generates keys using timestamp based seeds, making decryption difficult but not impossible. Nigroho used cloud based RTX 4090 GPUs to crack the keys in about 10 hours. His tool, available on GitHub, allows free file recovery, though its effectiveness may vary. Users are advised to back up encrypted files before attempting decryption, as errors could cause data corruption. A global nonprofit named Common Good Cyber has launched a mapping database to help NGOs and high risk individuals find security tools. The database, featuring 334 Public Interest Security Services, is categorized into six Govern, Identify, Protect, Detect, Respond and Recover. Supported by the UK FCDO and the EU Institute for Security Studies, the initiative aims to improve CyberSecurity for over 10 million NGOs worldwide. Cyber threats against nonprofits are rising, with 32% of charities reporting incidents in 2024. Past attacks include breaches at free cycle and maternal and family health services. Common Good Cyber, founded by the Global Cyber alliance, stresses that cybersecurity should be accessible to all. The UK's NCSC has also issued guidance for charities emphasizing the sector's vulnerability to digital threat. Coming up after the break, Tim Starks from cyberscoop joins me with news that trade groups worry over renewal of a vital cyber law and a fundamental shift in our understanding of hash tables. Stay with us. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed when it comes to hiring, indeed is all you need. Stop struggling to get your job post noticed. Indeed. Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus with sponsored jobs. There are no subscriptions, no long term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been Talking to you, 23 hires were made on Indeed according to Indeed Data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed and listeners to this show will get a $75 sponsored job credit. To get your jobs more visibility@indeed.com cyberwire just go to indeed.com cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com cyberwire terms and conditions apply. Hiring Indeed is all you need. Do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off. It is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at cyberscoop. Tim, it's great to have you back.