Critical Vulnerability in Nginx UI WebServer Allow Attackers to Takeover
vulnerability was discovered in Nginx UI, a web-based management interface for the Nginx web server in march.
Continue ReadingData breach
Scanners Turn Attack Vector as TrivyScanner Hijacked via GitHub Actions Tags
Attackers Targeted SSH keys, Cloud Tokens & API secrets in CI/CD Pipelines; Highlights Securing CI/CD Pipelines
In latest vulnerability discovery Aqua Security revealed HackerBot-claw bot hijacked 75 of 76 GitHub Actions tags for its Trivy vulnerability scanner. The HackerBot-claw first distributed credential-stealing malware through the widely used security tool for the second time in a one month.
Malicious code rode alongside legitimate scans, targeting SSH keys, cloud tokens and API secrets in CI/CD pipelines. Security researcher Paul McCarty was the first to warn publicly that Trivy version 0.69.4 had been backdoored, with malicious container images and GitHub releases published to users.
Attack module on Trivy
When it comes to workflow it has been observed that more then 10,000 GitHub workflow files rely on trivy-action. Attackers can leverage this pipeline and pull versions during the attack window which are affected and carry sensitive credentials exfiltrated.
Attackers compromised the GitHub Action by modifying its code and retroactively updating version tags to reference a malicious commit. This permitted data used in CI/CD workflows to be printed in GitHub Actions build logs and finally leaking credentials.
A self-propagating npm worm compromised 47 packages, extending the blast radius into the broader JavaScript ecosystem.
Aqua Security disclosed in a GitHub Discussion that the incident stemmed from incomplete containment of an earlier March 1 breach involving a hackerbot-claw bot.
- Attackers swapped the entrypoint.sh in Trivy’s GitHub Actions with a 204-line script that prepended credential-stealing code before the legitimate scanner.
- Lines 4 through 105 contained the infostealer payload, while lines 106 through 204 ran Trivy as normal.
- This made difficult to detect during routine scans.
TeamPCP preserved normal scan functionality to avoid triggering CI/CD failures as detection now will require cryptographic verification of commit signatures .
For defenders, traditional CI/CD monitoring, which watches for build failures or unexpected output, can no longer catch supply-chain compromises that deliberately maintain normal behavior.
Organizations relying on Trivy or similar open-source security tools are facing attacks from the very scanners meant to protect their pipelines can become the attack vector. Only cryptographic provenance checks can distinguish legitimate releases from poisoned ones.
As per security researchers once inside a pipeline, the malicious script scanned memory regions of the GitHub Actions Runner.
Github Compromise
The attack appears to have been accomplished via the compromise of the cx-plugins-releases (GitHub ID 225848595) service account, as that is the identity involved in publishing the malicious tags.
Credentials exfiltrated during the initial incident were used last week in a new supply chain attack that targeted not only the Trivy package but also trivy-action and setup-trivy, Trivy’s maintainers have confirmed in a March 21 advisory.
Key Findings b Wiz Research
- According to Wiz, the attack appears to have been carried out via the compromise of the “cx-plugins-releases” service account, with the attackers with malicious container images and GitHub releases published to users.
- The second stage extension is activated and the malicious payload checks whether the victim has credentials from cloud service providers such as GitHub, AWS, Google Cloud, and Microsoft Azure.
- When credentials if they are detected, it proceeds to fetch a next-stage payload from the same domain (“checkmarx[.]zone”).
“The payload attempts execution via npx, bunx, pnpx, or yarn dlx. This covers major JavaScript package managers,” Wiz researchers Rami McCarthy, James Haughom, and Benjamin Read said. “The retrieved package contains a comprehensive credential stealer.
Harvested credentials are then encrypted, using the keys as elsewhere in this campaign, and exfiltrated to ‘checkmarx[.]zone/vsx’ as tpcp.tar.gz.”
Conclusion: Aqua Security urged affected users to “treat all pipeline secrets as compromised and rotate immediately.”
Organizations that ran any version of trivy-action, setup-trivy, or Trivy v0.69.4 during the attack window should audit their CI/CD logs for unexpected network connections to scan.aquasecurtiy[.]org and check whether any tpcp-docs repositories were created under their GitHub accounts.
With three major tag-hijacking incidents in 12 months, Wiz security researcher Rami McCarthy recommended that organizations “pin GitHub Actions to full SHA hashes, not version tags.”
Data Breach in LexisNexis Highlight Risk of Unpatched Application
LexisNexis Confirms Data Breach that leaked 2GB data
Continue Reading
Malicious Extensions Copies Legitimate Apps; Chrome Under Spotlight
Chrome under spotlight
Continue Reading
Data Breach at SoundCloud Involves Unauthorized Access to Users Data
SoundCloud Data Breach
Continue Reading
Open AI, Quick to Respond on Mixpanel Breach; Security Analytics Tool for Proactive Security
Open AI, Quick to Respond on Mixpanel Breach; Security Analytics Tool for Proactive Security
Continue Reading
Red Hat Hit by Data Breach exposing major sensitive data, including the NSA
Red Hat, has been allegedly been hit by a breach and this has been posted by Crimson Collective hackers group on Telegram. The cyber criminals claim they’ve snatched private GitHub repositories, which include sensitive data about approximately 800 customers’ networks.
Key points from the RedHat Breach
- Data from 28,000 internal projects at Red Hat has allegedly been stolen.
- The hacker group Crimson Collective claims to have stolen nearly 570GB of data.
- Extortion group known as Crimson Collective posted of they gaining access to over 28,000 Red Hat repositories, containing 570.2 GB in total.
- The data extracted data allegedly includes around 800 Customer Engagement Reports (CERs), exposing sensitive customer information, such as their network configurations.
- The hackers posted the claims on a Telegram channel created on September 24th, 2025. As proof, the cybercriminals provided the entire file tree, a list of allegedly stolen CERs, and some other screenshots.
- According to International Cyber Digest, these include the National Security Agency (NSA), the Department of Energy, the National Institute of Standards and Technology (NIST), IBM, Citi, Verizon, Siemens, Bosch, JPMC, HSBC, Telefonica, other major telecoms, banks, and many other organizations.
“Source code and consulting engagement reports (CERs), if leaked, can help attackers analyze internal company infrastructure and software running on that infrastructure. This makes it significantly easier and faster to identify vulnerable attack vectors for potential attackers, “ said Aras Nazarovas, information security researcher at Cybernews.
RedHat confirmed the attack
According to the attackers, they found authentication keys, full database URIs, and other private information in the Red Hat code and CERs, which they allegedly used to gain access to downstream customer infrastructure.
On Telegram, the hacker group published a complete directory listing of stolen GitHub repositories, along with a list of customer reports from the period 2020-2025.
Red Hat has confirmed the security incident relating to its GitLab instance, but declined to comment on the attackers’ specific claims regarding the GitHub repositories and customer reports. The company emphasizes that there is no reason to believe that the security issue affects other Red Hat services or products. Red Hat says it is very confident in the integrity of its software supply chain.
The CER list includes organizations from various sectors, including major international names such as Bank of America, T-Mobile, AT&T, Fidelity, and Walmart.
Extortion Demands by Hackers
The data breach on RedHat was also an attempt to contact Red Hat and get through with extortion demands. The cybercriminals received a response asking them to submit a vulnerability report to the security team.
The ticket created by cyber criminals was reportedly forwarded repeatedly to various individuals, including employees of Red Hat’s legal and security departments.
Service Provider for Volvo NA, ‘Miljödata’ hit by Ransomware; Critical Data exposed
Third-party supplier Miljödata, for Volvo North America,hit by ransomware disclosed a data breach that exposed the personal data of its employees . The ransomware attack happened in month of August 2025. and impacted at least 25 companies. The ransomware group DataCarry claimed responsibility for the attack on Miljödata and also published allegedly stolen data on its Tor leak site.
Ransomware attacks are increasingly targeting both enterprise of all sizes across all sectors. The attack affected Scandinavian airline SAS, Boliden and included 200 Swedish municipalities. The affected systems were mostly for HR purposes that handled medical certificates, rehabilitation matters, reporting and managing work-related injuries.
The service provider of Volvo, launched an investigation into the incident with the help of cybersecurity experts, enhanced the security of its hosted environment, and is working to prevent similar security breaches in the future.
According to the data breach notification service Have I Been Pwned (HIBP), the leaked data belongs to 870,000 accounts. Exposed data includes email addresses, names, physical addresses, phone numbers, government IDs, dates of birth, and gender.
DataCarry Ransomware Group
The DataCarry ransomware group claimed responsibility for the attack on Miljödata’s Adato system, and has Miljödata’s files available for download on its dark web-based site.
Need of the hour for Enterprise security who are soft target of ransomware attack.
- Continuously monitor to detect breached credentials, leaked databases, and threat actor’s activites in near real-time before damage gas taken full control.
- Assessment on cyber attack module as soon as an attack was initiated and do proper full incident review to determine how attackers infiltrated enterprise network and how data exfiltrated and if there is any existing threat.
- Authenticate backups of data that have been stored currently and if they have been encrypted or stored offline. It is responsibility of enterprise to keep immutable backup solutions to defend against any ransomware attack that may encompass from encryption and deletion attempts by threat actors.
- Implement threat intelligence for real time alert against any external threat that gets feeder into system . Enterprise security must Include indicators of compromise (IOCs), into company’s XDR platforms for real-time alerting .
- Include phishing simulations and enforce multi-factor authentication (MFA) across all access points.
While Volvo did not specify the exact scale of its breach, it is one of many large organizations to be caught up in the data raid. As per reports Volvo Group provided the affected individuals with 18 months of free identity protection and credit monitoring services.
Source: Volvo North America disclosed a data breach following a ransomware attack on IT provider Miljödata
𝐊𝐓 𝐓𝐞𝐥𝐞𝐜𝐨𝐦 𝐁𝐫𝐞𝐚𝐜𝐡 𝐑𝐞𝐯𝐞𝐚𝐥𝐬 𝐡𝐨𝐰 Illegal 𝐁𝐚𝐬𝐞 𝐒𝐭𝐚𝐭𝐢𝐨𝐧𝐬 Generated for 𝐇𝐚𝐜𝐤 𝐩𝐚𝐲𝐦𝐞𝐧𝐭𝐬
Imagine you come to know small payments via your mobile phone is being carried out without your knowledge & come to know that payments are directed to small base stations created by hackers linking your service providers.
Cyber criminals hacked ultra-small base stations accessed the KT communication network and intercepted traffic during an on-site inspection on the 8th sep.
The Telcom giant got hacked in a clever managed systematic way when the hacker has created a similar base station by stealing femtocells that are not used or under-managed. KT has disconnected the base station in question.
To prevent a recurrence, it will upgrade the management system for micro base stations and strengthen a system that monitors abnormal payment types in real time. It will convert about 2,000 stores nationwide into “Safe and Secure Specialty Stores” and provide affected customers with the “KT Safe and Secure Insurance” (tentative name) free of charge for the next three years to compensate for financial fraud linked to communication devices.
This happened when KT, the south Korean telecom provider discovered two additional illegal ultrasmall base stations, or femtocells, that were used to facilitate a large-scale micropayment scam, bringing the confirmed total to four.
The telecom giant said Thursday that the devices had leaked IMSI, IMEI and phone numbers, and that number of confirmed impacted subscribers had risen from 278 to 362 and that funds embezzled through fraudulent charges to gift cards and transit passes had reached 240 million won, or 173-thousand U.S. dollars.
Attacks on devices
KT said no additional funds have been stolen since it blocked abnormal transactions on September 5, and that all newly confirmed cases predate that date.
In this attack type personal details such as names and birth dates were not leaked via its network and that SIM authentication keys remain secure, meaning perpetrators of the data breach do not have the ability to clone impacted users’ devices.
Mitigation steps by KT
KT said it is reimbursing victims, offering free SIM card replacements and instructing customers via its website and app, as well as text message, to keep an eye out for fraudulent charges and sign up for the carrier’s SIM protection service.
To prevent a recurrence, it will upgrade the management system for micro base stations and strengthen a system that monitors abnormal payment types in real time.
It will convert about 2,000 stores nationwide into “Safe and Secure Specialty Stores” and provide affected customers with the “KT Safe and Secure Insurance” (tentative name) free of charge for the next three years to compensate for financial fraud linked to communication devices.
Cyber-Breach on Qantas Airliner re-echo’s Cyber Risk associated with Third Party
Third-party vendors are critical to and business or industry – but they confirm to significant amount of cyber risk. Qanatas airline confirmed of cyber attack where nearly six million customers data may have been compromised. The airliner issued statement that said credit card details, financial information, and passport details were not part of the breach.
Qantas said in a statement: “We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.”
The alarming aspect of a third-party data breach is the sheer scale of impact. Hackers have the potential to attack thousands of organizations in one fell swoop.
KPMG, study showed how 73% of organizations have experienced at least one significant disruption from a third-party cyber incident within the last three years.
Qantas Group chief executive Vanessa Hudson said the company was working closely with the National Cyber Security Coordinator and the Australian Cyber Security Centre.
We sincerely apologies to our customers and we recognize the uncertainty this will cause. Our customers trust us with their personal information, and we take that responsibility seriously,” she said.
In the breach that affected Qantas airliner which is one of the oldest, did not point to any hackers group. This data breach is one of Australia’s biggest breach in years which caused major setback and reputation damage to an airliner.
Last week, FBI said Scattered Spider group was targeting airlines and that Hawaiian Airlines (HAII.UL) and Canada’s WestJet had already reported breaches. Read more on our blogs:
Key pointer of the Qantas Breach
The Cyber hacker broke into a database containing the personal information of millions of customer.
The breach was executed by hackers who targeted a call center and gained access to a third-party customer service platform containing six million names, email addresses, phone numbers, birth dates and frequent flyer numbers.
Third party risk management is complex but neglecting can be fatal for organizations whose data volume is huge such as airliners.
The airline is emailing affected customers and has set up a dedicated support line at 1800 971 541 (or +61 2 8028 0534 from overseas).
If we observe in recent past 2020, the solar Winds attack that happened where Solar winds confirmed that its network had been penetrated by a malicious actor and a complex malware program inserted into software updates of its technology platform – SolarWinds OrionⓇ.
Such is the magnitude of the attack that the malware program comprised a multistage process, scanning downstream customer networks to detect security tools it could avoid or disable, and stealthily connecting to the attacker’s command and control servers. The malware persisted for months before initial detection.
The solar winds attack cost to the company amounted to significant loss with Incident response and forensic services cost companies 11% of their annual revenue (an average of $12 million).
How to make sure your vendor don’t create unnecessary risk that pose challenge for organization at large
First ensure your third party vendor’s meet the required robust security posture
Vendor risk assessment must be done holistically by streamlining due diligence
Upon discovery of any vulnerabilities, it is important that customizing and updating security requirements of the newly discovered threats and patch.
As a part of better threat mitigation strategy it is important that to automate vendors onboarding this will provide agility.
Managing Third party risk with Intru360
A research with KPMG found that found 61% of businesses underestimate third party risk management and often also struggle to have a healthy operation model and scale it same time.
KPMG research further found that Third-party/nth-party risk management that covers all third-party relationships over the entire life cycle; subjects vendors that support critical activities or are heavily relied upon to more comprehensive and rigorous oversight; and considers transition, contingency, recovery, and duplicity alternatives.
With most of the technology investments fail to provide visibility into third-party risk, we at Intercept help you to expand the scope and cover third parties related risk areas by identifying.
Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
In vendor security and management here are some of the features we offer to make sure cyber health of each and every supplier is checked and alerts are placed to get notification.
Prebuilt playbooks and automated response capabilities.
Over 400 third-party and cloud integrations.
More than 1,100 preconfigured correlation rules.
Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
Sources: https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know
Recent Comments