Daily Brief

Find articles below; each entry is followed by a generated summary

Total articles found: 12813

Checks for new stories every ~15 minutes

2025-03-23 05:33:58 | thehackernews | CYBERCRIME | GitHub Attack Exposes Secrets, Targets Coinbase Repositories
A targeted cyber attack on the GitHub Action "tj-actions/changed-files" began with one of Coinbase's open-source projects and expanded widely, impacting 218 repositories. The attack leveraged the public CI/CD pipeline, potentially to orchestrate further breaches, though the damage was contained because crucial secrets remained secure. The breach, identified on March 14, 2025, resulted in the leakage of DockerHub, npm and AWS credentials, as well as GitHub tokens. Another GitHub Action, "reviewdog/action-setup," was compromised earlier and contributed to spreading the malicious code by affecting its dependencies. Attackers employed advanced techniques to hide their activities, including using disposable email addresses and obscuring their activity on GitHub. So far, no evidence suggests that GitHub's own systems were compromised; the platform remains focused on overseeing and mitigating malicious activities. GitHub advises users to thoroughly review third-party GitHub Actions before incorporating them into their projects to prevent similar incidents. The attack's primary aim is suspected to have been financial gain, likely cryptocurrency theft from Coinbase, a major crypto exchange platform.
2025-03-22 15:39:35 | bleepingcomputer | MISCELLANEOUS | Cloudflare Halts All Unencrypted API Traffic to Boost Security
Cloudflare announced it will only accept HTTPS connections for api.cloudflare.com, completely blocking all HTTP connections. The company's decision is aimed at preventing the exposure of sensitive information in cleartext during HTTP-to-HTTPS redirections. Developers using HTTP for Cloudflare API access will need to update their systems to accommodate this security enhancement. This change is critical in environments like public or shared Wi-Fi, where unencrypted connections are more susceptible to attacks. Systems, tools, and IoT devices relying on HTTP will face disruptions and require updates for continued functionality. Cloudflare's forthcoming feature will allow customers to disable HTTP traffic securely later in the year. Despite HTTPS being more secure, Cloudflare's data shows a notable percentage of internet traffic still uses HTTP, especially automated traffic. The report ends with a general security notice, revealing top security risks and defensive strategies unrelated to Cloudflare's update.
2025-03-22 14:31:56 | bleepingcomputer | MALWARE | Microsoft's Trusted Signing Service Exploited for Malware Attacks
Cybercriminals are exploiting Microsoft's Trusted Signing service to code-sign malware with short-lived certificates. The malware executables are signed by "Microsoft ID Verified CS EOC CA 01" with certificates valid for only three days, but the signatures remain recognized as valid beyond expiration. Signed malware can bypass security filters more easily and look legitimate, leveraging the reputation boost that Extended Validation (EV) certificates provide. Microsoft's platform was designed to increase security by issuing short-lived certificates and withholding direct certificate issuance from developers to reduce the risk of theft. High-profile malware campaigns are already using these certificates, as shown by identified samples in the Crazy Evil Traffers and Lumma Stealer campaigns. BleepingComputer reported that attackers prefer Microsoft's service because of easier access and because of changes to EV certificate standards that remain unclear. Microsoft employs threat intelligence monitoring to detect misuse and responds by revoking abused certificates and suspending associated accounts.
2025-03-22 07:40:20 | thehackernews | NATION STATE ACTIVITY | U.S. Treasury Reverses Tornado Cash Sanctions Following Court Ruling
The U.S. Treasury Department has lifted sanctions on Tornado Cash, a cryptocurrency mixer previously linked to North Korea's Lazarus Group. This decision followed a U.S. Fifth Circuit court ruling which found that OFAC exceeded its authority by sanctioning the service, as its smart contracts aren't considered "property" under relevant laws. More than 100 Ethereum wallet addresses associated with Tornado Cash have been removed from the Specially Designated Nationals (SDN) list. Originally sanctioned in August 2022, Tornado Cash was accused of laundering over $7.6 billion in cryptocurrency since 2019. The court stated that immutable smart contracts do not have a controlling party, complicating the application of economic sanctions. The Treasury remains focused on combating malicious uses of digital assets and preventing North Korea from financing its weapons programs. The Treasury emphasizes the potential of digital assets for innovation and the importance of securing the industry from misuse.
2025-03-21 23:38:02 | bleepingcomputer | CYBERCRIME | Coinbase Targeted in GitHub Actions Supply Chain Attack
Researchers from Palo Alto Unit 42 and Wiz identified a GitHub Actions supply chain attack primarily targeting Coinbase. The attackers injected malicious code into the reviewdog/action-setup@v1 GitHub Action to compromise CI/CD secrets and authentication tokens. The breach allowed threat actors to steal a Personal Access Token and push a harmful commit to another GitHub Action, tj-actions/changed-files. This attack dumped more CI/CD secrets into workflow logs and targeted over 20,000 projects, although only 218 repositories were ultimately affected. Coinbase's agentkit project, which enables AI interaction with blockchains, was specifically targeted, though the attack was ultimately unsuccessful against Coinbase assets. The compromised GitHub action was used initially to target Coinbase and expanded to other projects when initial attempts failed. Coinbase confirmed the attack did not cause any damage or loss to their assets after being alerted by the Palo Alto Unit 42 team.
2025-03-21 20:50:54 | bleepingcomputer | DATA BREACH | Alleged Oracle Cloud Breach Claims Contested by Company
Oracle refutes allegations of a breach following claims by a hacker, rose87168, that they stole 6 million records from Oracle Cloud's federated SSO login servers. Rose87168 provided purported evidence including text files and LDAP information from Oracle Cloud, and even demonstrated a .txt file upload to an Oracle server. The data offered for sale included encrypted SSO passwords and other sensitive files, with rose87168 claiming the ability to decrypt these passwords. The hacker demanded that companies pay to have their employees' information excluded from the data being sold, posing a targeted threat to affected enterprises. Oracle insists that, according to its investigation, no Oracle Cloud customers experienced a breach or data loss. The situation remains unresolved as rose87168 continues to offer the data in exchange for money or zero-day exploits, underlining the ongoing risk to the affected entities. BleepingComputer has reached out to potentially affected companies to validate the claims of stolen data; updates are pending based on these confirmations.
2025-03-21 17:17:11 | bleepingcomputer | CYBERCRIME | Phishing Scam Targets SEO Experts Using Fake Semrush Ads
A new phishing campaign exploits fake Semrush Google Ads to steal Google account credentials from SEO professionals. The attackers, identified as a Brazilian threat group, focus on obtaining access to Google Ads accounts in order to launch further malicious advertising activities. Malwarebytes and industry experts note this trend of cascading fraud, in which cybercriminals progressively shift tactics to target sensitive data indirectly through associated services. The phishing sites closely mimic legitimate Semrush services, offering only a fraudulent "Log in with Google" option that harvests user credentials. Domains involved in the phishing campaign include deceptive URLs such as "semrush[.]click" and "semrush-pro[.]co", some of which target visitors selectively by geography. Despite discussions with Google, cybersecurity experts express concern over the persistence of malicious Google Ads and Google's insufficient action to address the root of such threats effectively. Recommendations for users include avoiding clicks on sponsored search results, using direct bookmarks for frequently visited pages, and employing password managers to ensure credentials are entered only on the intended sites.
2025-03-21 17:11:48 | bleepingcomputer | MISCELLANEOUS | Microsoft Exchange Glitch Wrongly Quarantines Emails
Microsoft is addressing an Exchange Online bug that has caused some user emails to be wrongly flagged by anti-spam systems and quarantined. The issue, identified as critical, began nearly five hours prior to the report and is being tracked under the incident code EX1038119. This problem involves specific URLs being incorrectly categorized by Microsoft's anti-spam tools, affecting email delivery. Efforts to fix the issue by whitelisting the implicated URLs failed, leading Microsoft to attempt a manual correction of the affected messages. A separate related issue, coded EX1038200, affects access to the 'Review' page in the Email and Collaboration section of the Security portal, hindering the management of quarantined emails. Microsoft's engineers are conducting a review of diagnostic telemetry to understand and mitigate the root causes of these issues. These incidents add to a series of recent challenges for Exchange Online, including a previous false positive issue and multiple outages affecting email access and delivery.
2025-03-21 15:39:36 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Treasury Lifts Sanctions on Tornado Cash Amid Controversy
The U.S. Treasury has removed sanctions against Tornado Cash, which was accused of laundering funds for North Korea's hacking operations. Tornado Cash is a crypto mixer implicated in multiple major cyber thefts, including the laundering of $455 million from the Ronin network hack. Sanctions were originally placed on Tornado Cash in August 2022 for laundering over $7 billion since 2019. The U.S. Justice Department has charged Tornado Cash founders with facilitating over $1 billion in laundered money. Despite lifting sanctions, the U.S. Treasury underlines a continued effort to disrupt malicious exploitation of cryptocurrency by cybercriminals like the Lazarus Group. North Korean hackers, notably the Lazarus Group, have used Tornado Cash to support the country's ballistic missile program by laundering stolen crypto assets. The removal of sanctions reflects the complex challenges and opportunities that digital assets present, emphasizing the need for securing against illicit activities.
2025-03-21 13:54:55 | thehackernews | NATION STATE ACTIVITY | UAT-5918 APT Targets Taiwan with Advanced Cyber Tactics
UAT-5918, a new advanced persistent threat (APT) group, has been conducting cyber-attacks on Taiwan's critical infrastructure since at least 2023. The group uses web shells and open-source tools to establish long-term access in victim organizations for information theft and credential harvesting. Targets extend beyond critical infrastructure to sectors such as IT, telecommunications, academia, and healthcare. UAT-5918's attack methods involve exploiting unpatched N-day security flaws to gain initial access and deploying various tools for system exploration and information gathering. Key tools used in its attacks include Fast Reverse Proxy, Neo-reGeorg, Mimikatz, LaZagne, and BrowserDataLite, for creating reverse proxy tunnels and stealing credentials. The group also uses the Chopper web shell, Crowdoor, and SparrowDoor, demonstrating tactical overlaps with other Chinese hacking groups. UAT-5918 systematically engages in data theft and continues to establish multiple points of entry into targeted organizations to secure long-term access and collect sensitive data.
2025-03-21 13:31:46 | bleepingcomputer | MALWARE | Steam Removes Game Demo Installing Malware on Windows
Valve has removed the game 'Sniper: Phantom's Resolution' from Steam after it was found to install malware. The game's demo installer, sourced from an external GitHub repository, infected users' systems with information-stealing malware. Analysis revealed the installer contained malicious tools like a privilege escalation utility and Fiddler, used for intercepting cookies. Users reported that game assets and descriptions appeared copied from other games, raising initial suspicions. GitHub has since taken down the malicious repository upon user reports; the developer's website is also offline. Valve's previous incident involved the PirateFi game that distributed Vidar malware to up to 1,500 users. Affected users are advised to uninstall the game and conduct a full system scan to remove any remaining malicious files.
2025-03-21 13:04:34 | thehackernews | MALWARE | Medusa Ransomware Attack Leveraging Malicious Drivers and Stolen Certificates
Medusa ransomware-as-a-service uses a malicious driver, ABYSSWORKER, to disable anti-malware tools via a BYOVD (Bring Your Own Vulnerable Driver) approach. ABYSSWORKER mimics a legitimate CrowdStrike Falcon driver and is packed with features targeting endpoint detection and response (EDR) systems. It is signed using likely stolen, revoked certificates from Chinese companies, allowing it to bypass security checks by appearing as a trusted entity. The malicious driver has been effective in blinding security products by removing all registered notification callbacks, a method known as EDR killing. This incident is part of a broader trend of threat actors exploiting legitimate but vulnerable kernel drivers to gain elevated privileges and disable Windows security features. Check Point has patched vulnerabilities in its driver used by ZoneAlarm antivirus after threat actors exploited it to gain full system control and exfiltrate sensitive data. The RansomHub operation is also noted for using a multi-function backdoor named Betruger, indicating a strategic development in ransomware attacks to combine multiple malicious techniques.
2025-03-21 11:08:04 | thehackernews | NATION STATE ACTIVITY | Aquatic Panda: Year-Long Cyber Espionage Campaign Targets Global Entities
China-linked APT group Aquatic Panda executed a global espionage campaign named Operation FishMedley, targeting entities across six countries. The campaign ran from January to October 2022, affecting governments, NGOs, Catholic charities, and think tanks in nations including Taiwan, Hungary, Turkey, Thailand, France, and the USA. Aquatic Panda utilized a variety of malware including ShadowPad, SodaMaster, and Spyder, all known to be associated with Chinese cyber operations. The group, also known as Bronze University among other names, operates under the larger umbrella of the Winnti Group (APT41) and is supported by the Chinese contractor i-Soon. The initial access vector for the attacks remains unidentified, but a variety of methods and implants were employed, including a new loader named ScatterBee and a C++ implant called RPipeCommander. This campaign highlights ongoing sophisticated cyber espionage efforts by state-aligned groups using shared and evolving malware tools.
2025-03-21 11:01:09 | thehackernews | MISCELLANEOUS | Identifying Overlooked Network Security Risks via Pentesting
vPenTest performed over 10,000 automated internal network penetration tests last year, exposing significant security gaps in many businesses. Businesses often rely on firewalls, endpoint protection, and SIEMs, which may not be sufficient against real-world attack scenarios. Common security weaknesses uncovered include weak passwords, system misconfigurations, and unpatched vulnerabilities. The analysis of findings shows that security issues are often basic, avoidable mistakes rather than the result of sophisticated, advanced hacking techniques. The same gaps recurred across networks of various sizes and types, indicating persistent weaknesses in systems. Regular, automated pentesting with platforms like vPenTest can help organizations identify and address vulnerabilities more efficiently than annual tests. This continuous security verification approach helps pinpoint weaknesses that attackers could exploit between annual audits. vPenTest offers on-demand, automated pentesting to help close security gaps and strengthen defenses against cyber threats.
2025-03-21 10:34:43 | thehackernews | NATION STATE ACTIVITY | Collaborative Cyber Campaigns Target Russian Sector via Advanced Tools
Kaspersky identified collaboration between two threat groups, Head Mare and Twelve, targeting Russian entities using shared C2 servers and tools. Head Mare exploited a since-patched WinRAR vulnerability (CVE-2023-38831) for initial access, deploying malware and ransomware such as LockBit and Babuk. Twelve's operations focused on data encryption and destruction of infrastructure via publicly available tools and custom wipers. New analysis revealed Head Mare's adoption of CobInt, a backdoor linked to other attacks on Russian organizations, and a new implant named PhantomJitter for remote command execution. Additional access techniques used by Head Mare included exploiting Microsoft Exchange vulnerabilities and phishing emails, often infiltrating targets through contractors' networks. The joint campaigns culminated in ransomware deployment, with victims urged to contact the attackers via Telegram for decryption, after the groups had extensively concealed their activities. The activity from Head Mare and Twelve indicates a broader pattern of sophisticated cyber attacks involving multiple threat actors within Russia. Related cyber activities by other groups, such as ScarCruft and Bloody Wolf, show a trend of increased and diversified threats targeting the region.