Risky Business #784 Summary: GitHub Supply Chain Attack Steals Secrets from 23k Projects
Release Date: March 19, 2025
Host: Patrick Gray
Guest: Adam Boileau
1. GitHub Supply Chain Attack Overview
The episode kicks off with host Patrick Gray introducing Adam Boileau, who delves into a significant security breach affecting GitHub users. This supply chain attack targeted a widely-used GitHub Action called "changed files," which assists developers in identifying modified files within their repositories.
Key Details:
- Attack Method: An attacker obtained an access token belonging to a maintainer of the "changed files" utility and used it to backdoor the action, so that during builds it scanned the build system's memory for credentials and wrote what it found to the build logs.
- Impact: Approximately 23,000 repositories were affected. Credentials such as passwords, tokens, and keys were exposed in build logs, which are publicly accessible for open-source projects.
- Response: GitHub is reportedly contacting repository owners to address the breach, but the widespread nature makes remediation complex.
Notable Quote:
Adam Boileau [02:29]: "Anyone who was using this utility had the memory of their build system scraped for credentials and then those credentials logged in a place that probably the attacker or indeed other people can get to, which is bad."
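An added defensive check, not part of the episode or this summary: a workflow that references an action by a mutable tag or branch picks up whatever that ref points to at build time, so auditing `uses:` lines for full commit-SHA pins is the standard mitigation for this class of compromise. The owner/action names and the SHA in the sample workflow are constructed.

```python
import re

# Matches a `uses:` line such as `- uses: actions/checkout@v4`; the capture
# is the action reference, with quotes and trailing comments excluded.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(uses_value):
    """Return (action, ref, kind) for one `uses:` value: kind is 'sha' for an
    immutable full commit pin, 'tag' for a tag/branch/short ref or no ref at
    all (whoever can push to the action repo can re-point it), or 'local'."""
    if uses_value.startswith(("./", "docker://")):
        return uses_value, None, "local"
    action, sep, ref = uses_value.partition("@")
    if not sep:
        return action, None, "tag"  # no ref resolves to the default branch
    kind = "sha" if FULL_SHA_RE.match(ref) else "tag"
    return action, ref, kind

def audit_workflow(text):
    """Scan workflow YAML text; return external actions not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, kind = classify_ref(m.group(1))
        if kind == "tag":
            findings.append({"line": lineno, "action": action, "ref": ref})
    return findings

# Constructed sample workflow: owner/action names and the SHA are illustrative.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/changed-files@v45
        id: changed
      - uses: ./.github/actions/local-step
      - uses: example-org/setup-tool@main
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is not pinned to a commit SHA")
```

A SHA pin only helps if the pinned commit was reviewed; re-pin deliberately on upgrade rather than following a floating tag.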
2. Chinese Cyber Attribution Against Taiwan
Patrick and Adam discuss recent activities by China's Ministry of State Security, which publicly attributed cyber-attacks to Taiwanese military personnel linked to an advanced persistent threat (APT) group targeting systems within China.
Key Points:
- Implications: This attribution serves as both a defensive stance and a deterrent, especially with ongoing geopolitical tensions regarding Taiwan's sovereignty.
- Analysis: The tactics reveal potential future threats, especially concerning the possibility of China attempting to annex Taiwan, which would have severe cybersecurity implications.
Notable Quote:
Patrick Gray [06:57]: "It's quite threatening because there is always the possibility that in the medium term future Taiwan will be invaded and annexed by China."
3. Crypto Exchange OKX Shutdown
The podcast covers the shutdown of OKX, a decentralized cryptocurrency exchange accused of facilitating money laundering by allowing funds from other platforms such as Bybit to flow through it.
Key Insights:
- Allegations: OKX is under scrutiny for allegedly permitting illicit activities despite claims of compliance with legal requirements.
- Industry Impact: This incident underscores the regulatory challenges within the crypto ecosystem, highlighting the need for robust compliance measures.
Notable Quote:
Adam Boileau [09:38]: "The fact that the platform makes money laundering seems to surprise absolutely no one."
4. North Korean Malicious NPM Packages
A report from Socket Security reveals that North Korean actors, attributed to the Lazarus Group, have been deploying malicious NPM packages via typosquatting. One such package imitated a package previously developed by Adam Boileau himself.
Discussion Points:
- Technique: Typosquatting involves publishing packages with names similar to legitimate ones, so that developers who mistype or misread a name install malicious code instead.
- Personal Angle: Adam reflects on the irony of North Korean actors targeting a package he authored, raising questions about the motives behind such specific attacks.
Notable Quote:
Patrick Gray [10:26]: "It's just plain old typosquatting."
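As an added example (not from the episode or the Socket Security report), one way a defender can catch the technique described above is to compare each declared dependency against a list of well-known package names and flag near-misses before installing. The known-package list and the dependency names below are constructed.

```python
# Constructed list of well-known package names a developer might intend to install.
KNOWN_PACKAGES = {"lodash", "express", "chalk", "commander", "axios", "minimist"}

def normalise(name):
    """Strip an npm scope and separators: '@scope/lo-dash' reads as 'lodash'
    at a glance, which is exactly the confusion a typosquat relies on."""
    base = name.split("/", 1)[1] if name.startswith("@") else name
    return base.lower().replace("-", "").replace("_", "").replace(".", "")

def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch one or two slipped keys."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_dependencies(dependencies, known=KNOWN_PACKAGES):
    """Return [(dependency, lookalike)] for names that are near-misses of a
    known package but are not that package. Short names get a tighter
    threshold, since one edit in a five-letter name is often a different word."""
    hits = []
    for dep in dependencies:
        if dep in known:
            continue
        n = normalise(dep)
        limit = 1 if len(n) < 6 else 2
        for k in sorted(known):
            if n == normalise(k) or edit_distance(n, normalise(k)) <= limit:
                hits.append((dep, k))
                break
    return hits

if __name__ == "__main__":
    # Constructed package.json-style dependency list, including two lookalikes.
    deps = ["lodash", "lodahs", "@evil/express", "react"]
    for dep, lookalike in suspicious_dependencies(deps):
        print(f"{dep!r} looks like {lookalike!r}: verify before installing")
```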
5. Blackbuster Brute Force Tool Abuse
The conversation shifts to the abuse of brute force tools by threat actors, specifically referencing the Black Basta leaks. These tools, written in PHP, have been used to target VPN devices and deploy ransomware.
Key Takeaways:
- Tool Development: The group's brute force tool being written in PHP, an unusual choice for the task that the hosts describe as "hard mode", illustrates that attackers face their own challenges in building efficient tooling.
- Internal Conflicts: Leaked chat logs suggest infighting within the Black Basta group, possibly due to the misuse of tools against Russian banks.
Notable Quote:
Adam Boileau [17:57]: "The brute force tool itself was written in PHP, which is like, that's kind of hard mode."
6. Ransomware Exploiting Fortinet Vulnerabilities
John Greig from The Record reports on the Mora_001 ransomware gang exploiting Fortinet vulnerabilities that CISA warned about in January. The repeat exploitation highlights ongoing security lapses despite prior alerts.
Analysis:
- Irony: The exploitation of security appliances like Fortinet devices for ransomware attacks is paradoxical and underscores the persistent vulnerabilities in essential security tools.
- Industry Response: Continuous vigilance and patching are imperative, yet attackers remain undeterred in leveraging known weaknesses.
Notable Quote:
Patrick Gray [16:40]: "It's just deeply ironic and funny in the kind of tragic way."
7. CISA Staff Firings and US Government Turmoil
The episode touches on internal turmoil within the US Cybersecurity and Infrastructure Security Agency (CISA), where numerous probationary staff members have been fired. A court has mandated their rehiring, but they have since been placed on administrative leave, contributing to organizational chaos.
Impact:
- Operational Disruption: Such instability hampers CISA's ability to effectively secure national infrastructure and respond to cyber threats.
- Broader Implications: The White House has instructed federal agencies to retain cybersecurity personnel, recognizing their critical role in national security.
Notable Quote:
Patrick Gray [21:28]: "It's so farcical. Oh, God."
8. European Push for Independent Cloud Stack
European tech leaders are advocating for the development of a European cloud stack to reduce reliance on American technology, driven by geopolitical uncertainties and regulatory challenges.
Discussion Points:
- Feasibility: While ambitious, establishing a competitive European cloud infrastructure akin to Amazon or Azure poses significant challenges.
- Economic Implications: This move could impact America's economic leadership in technology and disrupt existing tech pipelines and collaborations.
Notable Quote:
Adam Boileau [23:58]: "We've seen a call amongst European tech leadership to start working on a European cloud stack [...] it's going to be a heavy lift."
9. Signal's Cooperation with Ukrainian Law Enforcement
Ukrainian law enforcement has expressed dissatisfaction with Signal's cooperation concerning Russian cyber threats. Signal's leadership clarified that they do not have formal cooperation agreements with any government, leading to speculations about the nature of their assistance.
Key Insights:
- Unclear Boundaries: Signal's stance raises questions about the extent and form of their support for Ukrainian authorities.
- Potential Data Sharing: Possible scenarios include sharing IP addresses or other metadata, but the lack of official agreements complicates accountability and transparency.
Notable Quote:
Patrick Gray [27:23]: "We don't officially work with any government, Ukraine or otherwise. And we never stopped."
10. Telegram Founder Extradited to the USA
Pavel Durov, the founder and CEO of Telegram, has been extradited from Israel to the United States. His arrest was linked to Telegram's alleged failure to address illicit activities on its platform. Since his release, Telegram has made strides in improving content moderation, particularly concerning Child Sexual Abuse Material (CSAM).
Discussion Points:
- Moderation Efforts: Telegram's commitment to enhancing moderation reflects broader industry pressures to combat illegal content.
- Implications for Leadership: Durov's extradition serves as a cautionary tale for other social media leaders regarding compliance and cooperation with authorities.
Notable Quote:
Patrick Gray [30:10]: "He's put out a statement just saying, yeah, yay, law enforcement. I'm very happy."
11. Joe Sullivan's Legal Case
Joe Sullivan, former Chief Security Officer at Uber, has been convicted for failing to report a data breach to the Federal Trade Commission (FTC). Despite arguing that handling the breach internally was sufficient, courts ruled against him, emphasizing the legal obligations of CISOs.
Key Points:
- Legal Precedent: Sullivan's case underscores the importance of transparency and adherence to reporting protocols in the wake of data breaches.
- Community Reaction: The episode highlights concerns within the CISO community about potential overreach by the Department of Justice (DOJ), although Sullivan's actions were not deemed standard CISO practices.
Notable Quote:
Patrick Gray [32:51]: "It's time for people to stop worrying about this. Like, until you've read the details of the case and what he's alleged to have done, stop worrying that the FBI are about to come and arrest you."
12. Google Acquires Wiz for $32 Billion
In a landmark deal, Google has acquired Wiz, a cloud security firm founded in 2020, for a staggering $32 billion. This acquisition marks the largest security-related purchase to date and reflects the escalating importance of cloud security in the tech industry.
Implications:
- Market Impact: Google's acquisition consolidates its position in cloud security, potentially overshadowing competitors like Cisco and Splunk.
- Integration Concerns: Customers using Wiz's services across various platforms may face integration challenges post-acquisition.
Notable Quote:
Patrick Gray [34:22]: "How did they manage to add like $9 billion in enterprise value in that amount of time? Like how did they, like, what are they, did they hypnotize?"
13. Sponsor Segment: Zero Networks with Aaron Steinke
The episode transitions to a sponsored segment featuring Aaron Steinke from La Trobe Financial in Melbourne, Australia, discussing his experience with Zero Networks' micro-segmentation product.
Key Highlights:
- Product Efficacy: Aaron praises Zero Networks for simplifying the network segmentation process, reducing manual rule maintenance, and effectively implementing multi-factor authentication (MFA) without introducing latency.
- Legacy Integration: La Trobe Financial successfully integrated Zero Networks with their existing legacy systems, enhancing security without overhauling their entire infrastructure.
- Compliance Benefits: The solution has aided in meeting stringent audit requirements, particularly regarding MFA implementation.
Notable Quotes:
Aaron Steinke [45:07]: "With Zero Networks, there's actually a lot less hard work than there is with some of the alternatives that we have played with in the past."
Patrick Gray [46:52]: "It's funny what you were talking about, the nature of your network is like what came across was like yeah, there were a few sticky parts but that was our fault, not theirs kind of thing."
Conclusion
Risky Business #784 provides a comprehensive dive into pressing information security issues, ranging from significant supply chain attacks and geopolitical cyber tensions to groundbreaking industry acquisitions. The episode also highlights effective security solutions through its sponsor segment, offering listeners actionable insights and perspectives from insiders like Aaron Steinke.
For those navigating the complexities of information security, this episode serves as a valuable resource, encapsulating the multifaceted challenges and innovations shaping the industry today.