CyberWire Daily - A reel disaster for GitHub.
Episode Date: March 17, 2025
A phishing campaign targets nearly 12,000 GitHub repositories. The BlackLock ransomware group is one to watch. A federal judge orders reinstatement of workers at CISA. Over 100 car dealership websites suffer a supply chain attack, and Hellcat breaches Jaguar Land Rover. Researchers uncover a major vulnerability affecting RSA encryption keys. A life insurance company notifies 355,500 individuals of a December 2024 data breach. A researcher releases a decryptor for Akira ransomware. A new mapping database aims to help NGOs and high-risk individuals find security tools. Tim Starks from CyberScoop reports that trade groups fear a cybersecurity blackout if a key panel and vital cyber law aren’t renewed. A fundamental shift of our understanding of hash tables.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today our guest is Tim Starks from CyberScoop, discussing "Trade groups worry information sharing will worsen without critical infrastructure panel, CISA law renewal."
Selected Reading
Fake "Security Alert" issues on GitHub use OAuth app to hijack accounts (Bleeping Computer)
BlackLock Ransomware Strikes Over 40 Organizations in Just Two Months (GB Hackers)
Federal Judges Block Trump's Mass Firings of Federal Workers (BankInfo Security)
100 Car Dealerships Hit by Supply Chain Attack (SecurityWeek)
Jaguar Land Rover Breached by HELLCAT Ransomware Group using Jira Credentials (Cyber Security News)
Millions Of RSA Key Exposes Serious Flaws That Can Be Exploited (Cyber Security News)
Insurer Notifying 335,500 Customers, Agents, Others of Hack (BankInfo Security)
New Akira ransomware decryptor cracks encryptions keys using GPUs (Bleeping Computer)
Security Database Aims to Empower Non-Profits (Infosecurity Magazine)
Undergraduate Disproves 40-Year-Old Conjecture, Invents New Kind of Hash Table (WIRED)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Cyber threats are more sophisticated than ever.
Passwords?
They're outdated and can be cracked in a minute.
Cyber criminals are intercepting SMS codes and bypassing authentication apps.
While businesses invest in network security, they often overlook the front door, the login.
Yubico believes the future is passwordless.
YubiKeys offer unparalleled protection against phishing for individuals, SMBs, and enterprises.
They deliver a fast, frictionless experience that users love.
Yubico is offering N2K followers a limited buy-one-get-one offer.
Visit yubico.com/N2K to unlock this deal. That's Y-U-B-I-C-O.
Say no to modern cyber threats. Upgrade your security today.
A phishing campaign targets nearly 12,000 GitHub repositories, the BlackLock ransomware group is one to watch, a federal judge orders reinstatement of workers at CISA.
Over 100 car dealership websites suffer a supply chain attack and Hellcat breaches Jaguar Land Rover.
Researchers uncover a major vulnerability affecting RSA encryption keys.
A life insurance company notifies 355,000 individuals of a December 2024 data breach.
A researcher releases a decryptor for Akira ransomware.
A new mapping database aims to help NGOs and high-risk individuals find security tools.
Tim Starks from CyberScoop joins me with news that trade groups worry over renewal of a vital cyber law.
And a fundamental shift of our understanding of hash tables.
It's Monday, March 17, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
Happy St. Patrick's Day for those who celebrate.
It is always great to have you with us.
A phishing campaign has targeted nearly 12,000 GitHub repositories with fake security alert issues, tricking developers into authorizing a malicious OAuth app called GitSecurityApp.
The fake alerts claim suspicious activity was detected from Iceland, urging users to update passwords and enable two-factor authentication.
However, all links lead to an OAuth authorization page that grants attackers full access to repositories, user profiles, discussions, and workflows.
The attack, first spotted by researcher Luc4m, is ongoing, though GitHub appears to be responding.
Users who mistakenly authorized the app should revoke its access in GitHub settings, check for unexpected GitHub Actions, and rotate credentials.
The malicious campaign directs stolen credentials to sites hosted on Render.
Developers should remain vigilant against such phishing attempts.
The BlackLock ransomware group has attacked over 40 organizations in early 2025, making it one of the most active ransomware-as-a-service operators.
Targeting construction, real estate, IT service providers, and government agencies, the group employs fast encryption and leak sites for extortion.
Using Golang for cross-platform attacks, BlackLock leverages ChaCha20 and RSA-OAEP encryption.
Emerging from the rebranded Eldorado group, it recruits key players known as traffers to aid attacks.
Organizations should enhance their cybersecurity measures to combat this growing ransomware threat.
A U.S. federal judge temporarily blocked the Trump administration's effort to fire thousands of federal employees, including over 400 from the Department of Homeland Security and 130 from the Cybersecurity and Infrastructure Security Agency, CISA.
Judge James Bredar ordered reinstatement by March 17, pending a lawsuit by 20 state attorneys general.
Concerns over cybersecurity and national security have emerged, with experts warning that mass layoffs weaken defenses.
The White House called the ruling judicial overreach.
DHS contractors, like penetration tester Christopher Chenoweth, reported terminations affecting red team operations.
CISA denied laying off its red team, stating contract changes were made for efficiency.
The Office of Personnel Management and the Department of Government Efficiency, DOGE, have not commented on the firings.
Over 100 car dealership websites were compromised in a supply chain attack after threat actors infected LES Automotive, a shared video service.
The attackers deployed the ClickFix technique, tricking users into executing malicious commands via fake reCAPTCHA prompts.
This method, increasingly used by cybercriminals, has spread information stealers and other malware.
Security researcher Randy McEoin found the attack distributing SectopRAT via PowerShell.
The injected JavaScript contained Russian comments suggesting dynamic script manipulation.
Microsoft recently warned of similar attacks in the hospitality sector.
Elsewhere in the automotive world, the Hellcat ransomware group breached Jaguar Land Rover using stolen Atlassian Jira credentials, exposing 700 internal documents and employee data on hacking forums.
The threat actor Rey claimed responsibility, while another hacker, APTS, leaked an additional 350 gigabytes of sensitive data.
The stolen information includes development logs, tracking data, and proprietary source code, raising concerns over intellectual property theft and potential targeted attacks.
Hellcat, known for exploiting Jira vulnerabilities, has previously targeted Telefónica and Schneider Electric.
Experts urge organizations to enforce multi-factor authentication and credential rotation to prevent similar breaches.
Security researchers have uncovered a major vulnerability affecting RSA encryption keys, with approximately one in 172 online certificates susceptible to compromise due to poor random number generation.
Keyfactor analyzed over 75 million RSA certificates, finding 435,000 vulnerable due to shared prime factors, allowing attackers to break encryption using simple greatest common divisor calculations.
IoT devices are particularly at risk, with 50% of compromised keys linked to a major network equipment manufacturer.
Despite warnings, many devices still use weak RSA keys, posing threats to critical systems like medical equipment and industrial controls.
Researchers urge manufacturers to improve entropy sources and follow cryptographic best practices to mitigate risks.
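The shared-prime weakness in this story is something a defender can audit for in their own certificate inventory. The following is an added example, not code from the Keyfactor report or from the show: it runs the greatest common divisor check across a set of constructed toy RSA moduli (products of small primes, so it runs instantly) and flags every key that shares a factor with another key. The certificate names and prime values are constructed for illustration.

```python
from math import gcd
from itertools import combinations

# Constructed toy RSA moduli: each is a product of two small primes so the
# audit runs instantly. math.gcd behaves identically on real 2048-bit moduli.
P1, P2, P3, P4, P5 = 1000003, 1000033, 1000037, 1000039, 1000081
SAMPLE_MODULI = {
    "cert-A": P1 * P2,
    "cert-B": P3 * P4,
    "cert-C": P5 * P1,             # weak RNG reused P1: shares a factor with cert-A
    "cert-D": P5 * P4,             # shares P5 with cert-C and P4 with cert-B
    "cert-E": 1000099 * 1000117,   # healthy key, no factor in common with any other
}


def audit_shared_factors(moduli):
    """Pairwise GCD audit over {name: modulus}.

    Returns {name: sorted list of shared factors} for every modulus that has a
    nontrivial common divisor (gcd > 1) with some other modulus in the set.
    Any flagged key is compromised: the shared prime gives away its
    factorisation to anyone holding both public keys, so it must be revoked
    and regenerated on a device with a sound entropy source.
    Pairwise gcd is O(n^2); for a fleet of millions use a batch-GCD product
    tree instead, which is the same test computed more efficiently.
    """
    flagged = {}
    for (name_a, n_a), (name_b, n_b) in combinations(moduli.items(), 2):
        g = gcd(n_a, n_b)
        if g > 1:                  # g == n_a would mean an outright duplicated key
            flagged.setdefault(name_a, set()).add(g)
            flagged.setdefault(name_b, set()).add(g)
    return {name: sorted(factors) for name, factors in flagged.items()}


def vulnerable_ratio(moduli):
    """Fraction of the inventory that shares a factor (cf. the 1-in-172 figure)."""
    if not moduli:
        return 0.0
    return len(audit_shared_factors(moduli)) / len(moduli)


if __name__ == "__main__":
    for name, factors in audit_shared_factors(SAMPLE_MODULI).items():
        print(f"{name}: shares factor(s) {factors} -> revoke and reissue")
    print(f"vulnerable ratio: {vulnerable_ratio(SAMPLE_MODULI):.2f}")
```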
New Era Life Insurance Companies is notifying 355,000 individuals of a December 2024 data breach, the largest health data breach reported by a health plan this year.
The Texas-based insurer discovered unauthorized access between December 9 and 18 of last year, during which sensitive personal and health data, including names, insurance IDs, and medical details, was copied.
Some Social Security numbers were also compromised.
The company is offering free credit monitoring and enhancing security measures.
Several law firms are investigating potential class action lawsuits.
Security researcher Yohanes Nugroho released a decryptor for the Linux variant of Akira ransomware, leveraging GPUs to brute-force encryption keys.
Akira generates keys using timestamp-based seeds, making decryption difficult but not impossible.
Nugroho used cloud-based RTX 4090 GPUs to crack the keys in about 10 hours.
His tool, available on GitHub, allows free file recovery, though its effectiveness may vary.
Users are advised to back up encrypted files before attempting decryption, as errors could cause data corruption.
A global nonprofit named Common Good Cyber has launched a mapping database to help NGOs and high-risk individuals find security tools.
The database, featuring 334 public interest security services, is categorized into six groups: Govern, Identify, Protect, Detect, Respond, and Recover.
Supported by the UK FCDO and the EU Institute for Security Studies, the initiative aims to improve cybersecurity for over 10 million NGOs worldwide.
Cyber threats against nonprofits are rising, with 32% of charities reporting incidents in 2024.
Past attacks include breaches at Freecycle and Maternal & Family Health Services.
Common Good Cyber, founded by the Global Cyber Alliance, stresses that cybersecurity should be accessible to all.
The UK's NCSC has also issued guidance for charities, emphasizing the sector's vulnerability to digital threats.
Coming up after the break, Tim Starks from CyberScoop joins me with news that trade groups worry over renewal of a vital cyber law, and a fundamental shift in our understanding of hash tables.
Stay with us.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K CyberWire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according
to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire.
Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast.
indeed.com/cyberwire. Terms and conditions apply.
Hiring? Indeed is all you need.
Looking for a career where innovation meets impact? Vanguard's technology team is shaping the future of financial services
by solving complex challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity, or cloud computing,
Vanguard offers a dynamic and collaborative environment
where your ideas drive change.
With career growth opportunities and a focus on work-life balance,
you'll have the flexibility to thrive both professionally and personally.
Explore open cybersecurity and technology roles today
at Vanguardjobs.com.
It is always my pleasure to welcome back to the show,
Tim Starks, he is a senior reporter at CyberScoop.
Tim, it's great to have you back.
Yeah, it's been a minute. Hi, Dave.
It has. And speaking of being a minute, it feels like stories are coming at us a mile
a minute. You know, your beat is Washington, DC and all the goings on there. You wrote
a story recently about some trade groups who were worrying about information sharing
without some critical infrastructure, without a panel,
but also some stuff having to do with CISA.
Can you unpack that for us?
Yeah, two different things, but related.
One of the things that's happened
in the Trump administration
that some people would consider hasty.
One of a few is that they got rid
of a host of DHS advisory panels, one of which
happened to be a panel focused on critical infrastructure
protection that wasn't just advisory.
It actually had some legal authorities
that protected communications
between the government and industry sectors and industry sectors between themselves. Also
at this one particular panel, they got rid of it. And a bunch of the trade groups were
like, wait, wait, wait, wait, we need that. That's good. We, you know, there was some sympathy to say,
okay, sure, you know, you can get rid of some advisory panels.
There are an awful lot of them.
Maybe if you get rid of this,
you can replace it with something else.
So there's a little bit of conciliatory,
but the gist was this is really important and we need it.
The other thing related in both of these things without,
they say, information sharing on cyber will really decline is the...
I used to call it the OG CISA, but everybody's been calling it the 2015 CISA, so I can adjust.
But it's the Cybersecurity Information Sharing Act that is expiring later this year.
And that provides even stronger legal protections
for communications, I mean, protections
against lawsuits, antitrust exemptions,
stuff that is the foundation of a lot of other information
sharing that goes on in the federal government on cyber.
And it's not clear what the path is for that bill.
But the trade groups are making the argument,
we need these things.
Otherwise we're gonna suffer.
We're not gonna be sharing as much information
between ourselves, we're not gonna be sharing
as much information with the government and vice versa.
Well, speaking of CISA,
the administration has named their nominee
for new CISA director.
I think it's nice to see that he comes to the nomination with some credentials.
Yeah, this is, you know, there's probably too many cyber-Seans in the world between Sean Plankey, who's the pick for CISA, Sean Cairncross, who was the pick for Office of National Cyber Director, and that OK reporter for CNN, Sean Lyngaas.
The idea though is that if you look at Sean Cairncross, you and I discussed this nomination, you could be concerned that he has no cyber experience, none.
Maybe he's touched it here and there, but no major cyber experience.
Sean Plankey has a deep resume on cyber, private sector most recently, but he's worked at the NSC.
He's worked on cyber at Cyber Command.
He's worked in the Department of Energy.
He's worked at the Coast Guard.
I mean, he's worked at the Navy on cyber.
The guy has a lot, a lot of experience.
And if you were worried about a lot of the things that are happening in the Trump administration on cyber,
being so off the path of what we're used to,
he is someone who seems to be loyal to the Republican agenda
and the Trump agenda, but at the same time has deep credentials.
And that's a little different in some cases.
I mean, if you look at some of the other nominees,
you have people who don't understand the definitions
of the terms of the things that they're gonna be
running the agency for.
This guy's gonna know what's going on.
He's gonna understand the issues big time.
Well, I thought in light of that,
and then also we just recently saw,
I believe it was DHS said,
please don't fire cybersecurity people in your cuts.
Right?
I believe that was OMB, yeah, that said that.
DHS might have said it as well, but I saw that OMB had said that.
Okay, okay.
Yeah, but just that message,
is this a walk back?
Is this a realization?
As the feedback is coming in
and more and more people are saying to the administration?
Hey, this is actually really important
I mean, are those the kinds of things that you're hearing in the comments, the folks you're talking to?
Certainly there have been some discussions I've had with people behind the scenes who are involved in all of this: we need to be really careful about
not getting rid of cyber personnel.
How much that message is going to
reverberate through the entire administration,
I do not know.
It does seem like, at least in part,
the discussions that are public now
about this have said,
we need to keep on-hand actual
cyber-operational people who are
responsible for protecting the federal government
in those agencies, that was a point of emphasis.
How much that means CISA won't suffer cuts,
CISA being more of a broader policy focused agency,
I think that's an open question.
If you look at the fact that if there's a shutdown,
that they had put out guidance saying,
hey, if there's a shutdown,
we would keep about a thousand somewhat people
from CISA on hand out of 3,500.
That maybe gives you a little indication
of how much of a part of they consider that.
I mean, I think it's actually not that far off
from the Biden administration's guidance
in terms of the actual sheer numbers.
So I think we're getting some hints
of some commitment to cybersecurity personnel, but it's a question of how much
of a commitment and how and where.
I think those are the open questions.
Yeah.
It's hard to keep up, isn't it?
Dave, no.
I can't.
Well, my heart goes out to you, Tim.
Thanks.
You too, Dave.
Tim Starks, senior reporter at CyberScoop.
Tim, thanks so much for taking the time for us.
Thanks to you, sir.
Tired of investigation tools that only do one thing at a time?
Spending more time juggling contracts with data vendors than actually investigating?
Maltego changes that for good.
Get one investigation platform, one bill to pay, and all the data you need in one place.
It comes with curated data and a full suite of tools to handle any digital investigation.
Connect the dots so fast, cybercriminals won't even have time to Google what Maltego is.
See the platform in action at maltego.com.
And finally, hash tables are one of the most fundamental data structures in computing, allowing for fast storage and retrieval of information.
They play a critical role in cybersecurity, enabling efficient database lookups, cryptographic functions, and even firewall operations.
Their efficiency hinges on how quickly they can insert, locate, or delete data, something researchers have studied for decades.
In 2021, Andrew Krapivin, then an undergraduate at Rutgers University, stumbled upon a paper about tiny pointers.
He didn't think much of it at the time, but two years later, as he explored ways to make pointers more memory-efficient, he unexpectedly discovered a new kind of hash table, one that shattered long-held assumptions in computer science.
Without realizing it, Krapivin had disproved a 40-year-old conjecture by Turing Award winner Andrew Yao, which stated that the worst-case time to insert or search for an item in a nearly full hash table could never be faster than x, where x represents how close the table is to 100% full.
Krapivin's new hash table, however, achieved an exponential improvement in time complexity.
Skeptical at first, his former professor, Martín Farach-Colton, brought in William Kuszmaul from Carnegie Mellon University to validate the discovery.
They confirmed that not only had Krapivin refuted Yao's conjecture, but he had also uncovered an even more surprising result: some hash tables can achieve constant time search, regardless of how full they are.
This contradicted another of Yao's long-standing assumptions.
Krapivin, now at the University of Cambridge, along with Farach-Colton and Kuszmaul, published their findings in January of this year.
While practical applications remain to be seen, their work fundamentally changes how computer scientists understand hash tables, one of the most essential tools in cybersecurity and data storage.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.