Devsecops

Blogs

Intruder Alert! Security Breach Leading to Data Breach

Recently 2.9 billion records of data stolen in cyber breach from National Public Data that includes Social Security numbers. Cyber experts assume that sensitive information including Social Security numbers for millions of people could be in the hands of a hacking group.

Reports suggest that after the breach occurred the data may have been released on an online marketplace or dark web.

What does this mean and how does organizations fight to save their clients and brand value?

It is a big question and something that can give restlessness to CISO’s and security teams. The results of breach remains for months and the impact too. This can result in financial losses and if hackers can have unauthorized access to online accounts or financial documents, the result is far reaching.

What it can do is first damage the brand value and result in expenses incurred from investigations.

This include legal fees for lawyers and if suit is bought by any customer or client and goes up to customer notification including compensation, fines.

Loosing brand value due to breach affects regaining the confidence of customers or partners and clients. This is long term as chance of possible loss of business opportunities and lasting reputational damage exist.

Gaining unauthorized access to a device or system leads to security breach and that leads to data breach or other malicious activity and as we know the devastating consequences for organizations at large. Now this can be defined as being over powering and surpassing all security measures that protect data or network systems of the organization including physical hardware assets.

Mostly we are accustomed with few names as

Malware: The attacker infects a system with malware that’s designed to steal sensitive data, hijack system resources.

Phishing: This technique involves a seemingly legitimate email or text or fake websites that come in surface as a scam

Physical asset: Sometimes  attackers gets involved in stealing or meddling with a piece of organizations assets if he can hold on the equipment, tool to get access in enterprise system and steal data.

Breach details of national Public Data:

The hacking group USDoD claimed it had allegedly stolen personal records of 2.9 billion people from National Public Data, according to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida, reported by Bloomberg Law. The breach was believed to have happened in or around April, according to the lawsuit.

One major aspect of the breach is the data also included information about the individuals’ relatives. One of the unique aspects of the data was the longevity — the addresses spanned decades of residence, and some relatives have been deceased for as long as two decades.

In addition to neglecting to inform the victims, National Public Data has not released a public statement regarding the breach. The Los Angeles Times reported that the company responded to email inquiries with “We are aware of certain third-party claims about consumer data and are investigating these issues.” The lawsuit mentions the lack of notification as a top concern of the Plaintiff.

(Source: www.usatoday.com)

In recent years, plenty of high-profile examples of security breaches have captured public attention . One security breach that actually captured attention was the Nvidia breach in 2022.

Nvidia, a major chip manufacturer, experienced a cyberattack where up to 1TB of data was stolen, including employee credentials and proprietary information.

The impact was that Hackers demanded Nvidia remove limitations on its GPUs, and internal source code was leaked. The company had to take several security measures to mitigate further damage.

This incident proved that hackers and cybercriminals are in equal terms powerful in their methods and tactics as cyber security teams . Each hacker pushed the boundaries of what was thought possible in the cyber world and their actions have had far-reaching consequences.

They targeted financial institutions and government agencies to exposing vulnerabilities in national defense systems. These incidents have served as wake-up calls, highlighting the critical need for robust cybersecurity measures and a better understanding of digital ethics and law

Preventing security breach:

Enterprise and security teams at times may take more time to rectify or better to prevent a security breach than to resolve one after it occurs. Though not all security breaches are avoidable, applying a few tried-and-tested best practices is always on the cards.

Tips for Best practices for preventing data breaches

Data breach prevention requires a comprehensive, proactive approach and a enterprise level if ots followed its better for security measure to remain strong that are being implemented.

  • A secure coding principles in best practice strategy: Writing secure code involves following best practices such as avoiding hardcoded credentials, implementing input validation, and ensuring proper data encryption. This way organization can reduce vulnerabilities that attackers might exploit.
  • Conducting Regular security audits: Conducting penetration testing and threat modeling helps identify weaknesses in your security framework and routine security assessments to mitigate potential threats.
  • Implementing practices with DevSecOps: Embedding security into the SDLC ensures security considerations are addressed at every stage of development. By integrating application security testing and practices like shift left testing into software development workflows, organizations can identify and fix vulnerabilities early in the process.
  • Creating incident response plans: Having a clear incident response plan allows organizations to detect, contain, and mitigate security breaches more efficiently. Security teams get enough time and  can respond quickly to security incidents, minimizing damage and reducing downtime.
  • Security training for Teams : Educating development teams on cybersecurity best practices helps them recognize threats and implement secure coding practices. Security teams should stay updated on emerging threats and modern security measures.

Protect yourself with GaarudNode from Intruceptlabs

GaarudNode is an all-in-one  solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

  • Our Platform:
    • Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
    • Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
    • Detects vulnerabilities in third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
    • Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.

Do connect or DM for queries

(Sources:https://www.ibm.com/think/news/national-public-data-breach-publishes-private-data-billions-us-citizens)

Security Advisory

Phishing Crusade Targeted approx 12,000 GitHub Repositories; Victims directed to “gitsecurityapp”

A large-scale phishing campaign has targeted nearly 12,000 GitHub repositories with phony security alerts, reported BleepingComputers.

The alerts, opened as issues on the repositories, inform users of unauthorized login attempts and provide links to change their passwords, review active sessions, or set up MFA.

If a user clicks any of these links, they’ll be taken to a GitHub authorization page for an OAuth app that will grant the attacker control of the account.

The campaign is ongoing, though GitHub appears to be responding to the attacks.

Users were directed to all links within the message to a GitHub authorization page for a malicious OAuth application called “gitsecurityapp.” If authorized, the app grants attackers full control over the user’s account and repositories, including the ability to delete repositories, modify workflows, and read or write organization data.

This consistent messaging across all affected repositories aims to create a sense of urgency and panic, prompting developers to take immediate action.

The fraudulent alert directs users to update their passwords, review active sessions, and enable two-factor authentication. However, these links lead to a GitHub authorization page for a malicious OAuth app named “gitsecurityapp.”

Upon authorization, an access token is generated and sent to various web pages hosted on onrender.com, granting the attacker full control.

(Image courtesy: Bleeping Computers)

The attack, which was first detected on March 16, remains active, though GitHub appears to be removing affected repositories.

Pointers Developers to take key inputs from this incident.

Last week, a supply chain attack on the tj-actions/changed-files GitHub Action caused malicious code to write CI/CD secrets to the workflow logs for 23,000 repositories.

If those logs had been public, then the attacker would have been able to steal the secrets.

The tj-actions developers cannot pinpoint exactly how the attackers compromised a GitHub personal access token (PAT) used by a bot to perform malicious code changes as per threat researchers.

Key pointers for User saftey:

  • For users who have mistakenly authorized the malicious OAuth app revoking access to suspicious OAuth apps through GitHub’s settings.
  • Affected users should review their repository workflows, check for unauthorized private gists, and rotate their credentials to prevent further damage.
  • This attack highlights the increasing threat of phishing campaigns targeting GitHub users.
  • As GitHub continues to investigate and respond, developers must remain vigilant and verify any security alerts before taking action.
  • Rotate your credentials and authorization tokens.

 Wiz suggests that potentially impacted projects run this GitHub query to check for references to reviewdog/action-setup@v1 in repositories.

If double-encoded base64 payloads are found in workflow logs, this should be taken as a confirmation their secrets were leaked.

Developers should immediately remove all references to affected actions across branches, delete workflow logs, and rotate any potentially exposed secrets.

(Sourece: Bleeping computers)

Security Advisory

High-Severity RCE Vulnerability in WinDbg (CVE-2025-24043) 

Security Advisory

A high-severity remote code execution (RCE) vulnerability exists in Microsoft’s WinDbg debugging tool and related .NET diagnostic packages.

The vulnerability poses severe supply chain risks, as WinDbg is widely embedded in CI/CD pipelines and enterprise developer toolchains.

Compromised debugging sessions could lead to lateral movement across networks, credential theft, persistent backdoor injections, and disruption of crash dump analysis workflows.

Microsoft confirmed no viable workarounds other than immediate patching, as the lack of certificate pinning in the affected packages worsens the risk, enabling attackers to leverage forged or stolen Microsoft Authenticode certificates.

OEM Microsoft 
Severity HIGH 
CVSS 7.5  
CVEs CVE-2025-24043 
Publicly POC Available No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This issue is caused by insufficient validation of cryptographic signatures in the SOS debugging extension, potentially allowing attackers with network access to execute arbitrary code. Microsoft has released patches to address the vulnerability. 

Vulnerability Name CVE ID Product Affected Severity 
 Remote Code Execution Vulnerability  CVE-2025-24043  Microsoft Windows   High 

Technical Summary 

The vulnerability arises from the SOS debugging extension’s failure to properly validate cryptographic signatures during debugging operations.

This enables attackers with authenticated network access to inject malicious debugging components, leading to arbitrary code execution with SYSTEM privileges. The attack vector leverages NuGet package integrations in Visual Studio and .NET CLI environments, increasing the risk of supply chain compromises. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-24043  WinDbg and associated .NET diagnostic packages   Flaw in cryptographic signature validation in the SOS debugging extension allows tampered components to be loaded.  Arbitrary code execution  

Remediation

  • Update Affected Packages: Ensure that all instances of affected NuGet packages are updated to the latest patched versions. Refer to the table below for the affected and patched versions. 
  •  Upgrade WinDbg: Make sure that WinDbg is updated to the most recent release available. 
  • Audit Dependencies: Review all .NET Core project dependencies to identify and replace vulnerable packages. 
  • Monitor Network Activity: Implement monitoring for any suspicious network activity related to windbg.exe. 
  • Enforce Security Policies: Apply security policies, such as Windows Defender Application Control, to prevent the execution of unsigned debugging components. 

The table below outlines the affected and patched versions of the relevant packages: 

Package Name Affected Version Patched Version 
dotnet-sos < 9.0.607501 9.0.607501 
dotnet-dump < 9.0.557512 9.0.607501 
dotnet-debugger-extensions 9.0.557512 9.0.607601 

Conclusion: 

CVE-2025-24043 highlights the need to secure developer toolchains, as debugging environments are becoming more targeted in cyberattacks. Organizations using .NET diagnostics should quickly apply patches and implement strict security measures to reduce the risk of exploitation. With no effective workarounds available, postponing remediation heightens the chances of an attack. Prompt action is essential to safeguard critical development and production environments. 

The security impact extends beyond developers, as the exploitation of debugging tools could facilitate attacks on production infrastructure.

Additional security measures include certificate transparency logging for NuGet packages and enforcing Windows Defender Application Control (WDAC) policies to restrict unsigned debugger extensions. While no active exploits have been reported, the patching window is critical, and organizations using .NET diagnostics must act immediately before threat actors weaponize the vulnerability.

References: 

  • https://securityonline.info/windbg-remote-code-execution-vulnerability-cve-2025-24043-exposes-critical-security-risk/ 

Scroll to top