GitHub repositories targeted, Apache Tomcat RCE exploit, BEC campaigns target Microsoft 365

In today's cyber security news...

23,000 repositories targeted in popular GitHub action

A supply chain attack on the widely used GitHub Action ‘tj-actions/changed-files’ exposed CI/CD secrets in build logs for over 23,000 repositories. Attackers hijacked a GitHub personal access token (PAT) to inject malicious code that wrote secrets into publicly accessible workflow logs, though there’s no evidence the data was exfiltrated. GitHub removed and restored the repository on March 15 after eliminating the malicious commit, but the incident raised concerns about broader supply chain risks for open-source projects. Users are advised to rotate any secrets that were in use during the attack’s time frame, review their workflows, and ensure projects use a secure, tagged version of the action.

(Bleeping Computer), (The Register), (The Register)
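A tag such as `@v45` can be moved to a different commit, which is exactly how a hijacked action reaches every consumer at once, so a stricter check than the article’s "tagged version" advice is to pin each `uses:` reference to a full 40-character commit SHA. The audit below is an added example, not code from the article or from the tj-actions project; the workflow text is constructed.

```python
import re

# A `uses:` step in a GitHub Actions workflow: owner/repo[/subpath]@ref
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)', re.M)
# A ref is considered pinned only when it is a full-length commit SHA
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample workflow (not taken from any real repository); the SHA is a placeholder
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@45.0.0
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - name: Local composite action (no @ref, so not a remote dependency)
        uses: ./.github/actions/lint
"""


def unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is a mutable tag or branch rather than a 40-hex commit SHA."""
    findings = []
    for action, ref in USES_RE.findall(workflow_text):
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref} (pin to a commit SHA and keep the tag in a trailing comment)")
```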

Apache Tomcat RCE exploit hits servers—no authentication required

A critical RCE vulnerability in Apache Tomcat (CVE-2025-24813) is being actively exploited, allowing attackers to hijack servers using a simple PUT request with a base64-encoded Java payload. The flaw, which requires no authentication, stems from Tomcat’s default session persistence and partial PUT support, making it easy to execute and difficult to detect. While patches have been released, a bulletin from Wallarm warns this is just the beginning, as attackers may soon escalate tactics to deploy backdoors and modify configurations.

(Bleeping Computer), (Dark Reading), (Security Week), (The Hacker News), (Wallarm)

Microsoft 365 users targeted in new BEC campaigns

A fresh batch of malicious campaigns is exploiting Microsoft 365’s trusted infrastructure to launch phishing emails that bypass security controls and facilitate account takeovers. These business email compromise (BEC) campaigns rely on two different brand impersonation schemes. The first abuses misconfigured Microsoft tenants to send fraudulent billing emails that trick victims into calling fake support centers; the second uses malicious OAuth apps impersonating Adobe and DocuSign to steal credentials and deliver malware.

(Security Week)

Supply chain hack hits 100+ auto dealerships

Over 100 car dealership websites were compromised by a supply chain attack, where hackers injected malicious ClickFix code through the LES Automotive video service. The attack tricked visitors into copying and executing a malicious command, ultimately infecting them with the SectopRAT remote access trojan via PowerShell. Researchers warn that ClickFix, a growing social engineering tactic, has been used for years but there has been a surge in the technique over the past several months.

(Security Week)

Huge thanks to our sponsor, DeleteMe

Thousands of WordPress vulnerabilities exposed

Close to 8,000 vulnerabilities were discovered in the WordPress ecosystem last year—7,966 to be exact—with the overwhelming majority (96%) affecting plugins and a smaller portion impacting themes (4%). While most of these vulnerabilities were considered low or medium severity, 43% could be exploited without authentication, and nearly half were cross-site scripting flaws. Security firm Patchstack noted that many vulnerabilities, especially in abandoned plugins, remain unpatched after public disclosure, leaving them active and exploitable on websites. The firm also noted that many plugin developers were slow to address the issues.

(Security Week)

RansomHub and SocGholish team up?

A match made in hacker heaven? The RansomHub group has partnered with the operator of the FakeUpdates malware-as-a-service (MaaS) framework, SocGholish, to launch a multi-stage attack on U.S. government organizations, as well as the banking and consulting sectors. The attack begins with compromised websites delivering malicious SocGholish payloads, which then deploy RansomHub ransomware. While the majority of these attacks have affected the U.S. government, reports of attacks on Japan and Taiwan have also emerged.

(Dark Reading)

Ransomware rebrand for Eldorado

Cybersecurity researchers have linked the BlackLock ransomware group to the notorious Eldorado, confirming that BlackLock is a rebrand of the earlier threat actor. Since resurfacing, BlackLock has executed 48 attacks in the first two months of 2025, with a focus on high-value sectors like construction and real estate. Known for its flexibility, the group uses fast encryption techniques and destructive wipers, targeting both government agencies and private industries. BlackLock has retained Eldorado’s technical foundation but improved its encryption speeds and attack strategies, quickly becoming one of the most notorious ransomware groups of the year.

(Infosecurity Magazine)

UK sees surge in social media account compromises

UK social media and email account compromises increased by 57% in 2024, with nearly £1m ($1.3m) in victim losses, according to Action Fraud. The most common tactics involved investment fraud, ticket fraud, and ‘on-platform chain hacking,’ where fraudsters impersonate victims to scam their contacts. Action Fraud and Meta have launched a campaign encouraging users to enhance security by incorporating basic cyber hygiene including using unique passwords and enabling two-factor authentication.

(Infosecurity Magazine)

KDUBS4LIFE FAMFAY

CZAR @ 17s and 23s | Strategic Planning in Redondo Beach MidApril

2 days ago

Data festival in Munich? Count me in—I’ll be the one in the back row pretending to understand AI while secretly Googling ‘What is a data pipeline?’
