Daily News Update: Wednesday, March 19, 2025 (Australia/Melbourne)

Wiz Links GitHub Supply Chain Attack to Compromised GitHub Action

Wiz security researchers say they have identified the root cause of the recent GitHub supply chain attack on tj-actions/changed-files, in which the CI/CD secrets of more than 23,000 projects were exposed, tracing it to an earlier compromise of another GitHub Action, reviewdog/action-setup.
Tonye Jack, author of tj-actions/changed-files, stated that a stolen personal access token (PAT) was used to carry out the attack. Wiz researchers, following a lead from Adnan Khan, found that reviewdog/action-setup was compromised on March 11 and could be the source of that stolen PAT. Malicious code injected into reviewdog/action-setup dumped secrets from CI runner memory into workflow logs, which likely included the PAT for tj-actions/changed-files.
Rami McCarthy, principal security researcher at Wiz, believes the two attacks were chained deliberately to reach a specific high-value target. The attacker likely reverted the malicious commit in reviewdog/action-setup to hide the compromise once the tj-actions PAT had been stolen.
"These secrets likely contained the PAT for tj-actions/changed-files, allowing the attackers to compromise the much larger repo."
The Register | "Google acquisition target Wiz links fresh supply chain attack to 23K pwned GitHub repos"
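
The practical lesson from this chain is that a workflow step written as `uses: owner/repo@v1` resolves the tag at run time, so whoever holds write access to that repository (which is exactly what a stolen PAT provides) can move the tag to a malicious commit and every downstream workflow picks it up. The following is an added example, not code from Wiz, the reviewdog project or tj-actions: a small audit script that scans a workflow file for `uses:` references and flags those pinned to a mutable tag or branch instead of a full 40-character commit SHA. The sample workflow, its version tags and the 40-hex SHA are constructed placeholders for illustration.

```python
"""Audit a GitHub Actions workflow for mutable `uses:` references.

A reference pinned to a tag or branch can be retargeted by anyone who can
push to the action's repository; a full commit SHA cannot be silently moved.
"""
import re
from dataclasses import dataclass

# Matches "uses: value" whether or not the line starts a list item ("- uses:").
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow file
    action: str    # e.g. "actions/checkout"; the full value for local/docker refs
    ref: str       # the part after "@", empty when not applicable
    status: str    # "pinned", "mutable", "local" or "docker"


def classify(value: str) -> Finding:
    """Classify one `uses:` value. The caller fills in the line number."""
    if value.startswith("./"):
        # Local action: runs from the same checkout, so it is already at a fixed commit.
        return Finding(0, value, "", "local")
    if value.startswith("docker://"):
        # Container image; digest pinning is a separate check not done here.
        return Finding(0, value, "", "docker")
    action, _, ref = value.partition("@")
    status = "pinned" if FULL_SHA_RE.match(ref) else "mutable"
    return Finding(0, action, ref, status)


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        finding = classify(m.group(1))
        finding.line = lineno
        findings.append(finding)
    return findings


def mutable_findings(text: str) -> list[Finding]:
    """Only the references that a repository compromise could silently retarget."""
    return [f for f in audit_workflow(text) if f.status == "mutable"]


def report(text: str) -> list[str]:
    """Human-readable lines, one per mutable reference."""
    return [
        f"line {f.line}: {f.action}@{f.ref} uses a mutable ref; pin to a full commit SHA"
        for f in mutable_findings(text)
    ]


# Constructed sample workflow (not taken from any real repository). The
# 40-hex SHA is a placeholder and the version tags are illustrative only.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: tj-actions/changed-files@v45
      - name: lint
        uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for line in report(SAMPLE_WORKFLOW):
        print(line)
```

Two caveats a practitioner should keep in mind. SHA pinning only prevents a reference from being retargeted after the fact; it does nothing if the commit you pinned was already malicious, so the pinned commit still needs review. And pinning the top-level action does not pin what a composite or JavaScript action itself fetches at run time, so an action's own dependencies need the same scrutiny.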
Lazarus Group Exploits OKX to Launder Stolen Funds

The cryptocurrency exchange OKX has temporarily suspended its decentralised exchange (DEX) aggregator services after detecting a coordinated effort by North Korea's Lazarus Group to launder funds stolen from other platforms. OKX said the suspension allows it to implement additional upgrades to prevent further misuse, and claims the Lazarus Group's efforts were "unsuccessful".
This action follows reports that European regulators were investigating OKX's compliance with EU rules, and a claim by Bybit's CEO that approximately $100 million of the funds North Korean hackers stole from Bybit were laundered through OKX. OKX criticised "targeted media attacks" questioning its integrity and operations, stating that it is actively fighting financial crime: it is working with blockchain explorers to correct incomplete labelling and rolling out systems to detect and block blockchain addresses attributed to hackers.
The FBI has urged private sector entities such as OKX to block transactions associated with addresses the actors use to launder stolen assets. The FBI noted that the hackers are rapidly converting stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains, and expects these assets to be laundered further and converted to fiat currency.
"After consulting with regulators, we made the proactive decision to temporarily suspend our [decentralized exchange] aggregator services," the company said. "This move allows us to implement additional upgrades to prevent further misuse."
The Record | "Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds"
Unencrypted Data Transmission by DOGE Aide

A former DOGE aide violated US Treasury policy by emailing an unencrypted database containing people's private information to two Trump administration officials. This was revealed in a court document filed in connection with a lawsuit brought by New York Attorney General Letitia James and 18 other state AGs, challenging DOGE's access to the Treasury Department's Bureau of the Fiscal Service (BFS).
David Ambrose, the chief security and privacy officer at the BFS, testified that then-DOGE operative Marko Elez violated Treasury rules by sending the unencrypted database without prior approval. The database included names, transaction types and amounts of money. Although the analysis concluded the information was "low-risk" because it did not include social security numbers or other specific identifiers, the distribution was still contrary to BFS policies.
"It was not sent encrypted, and he did not obtain prior approval of the transmission via a Form 7005, describing what will be sent and what safeguards the sender will implement to protect the information,"
The Register | "Court filing: DOGE aide broke Treasury policy by emailing unencrypted database"
WEMIX Blockchain Gaming Platform Hacked for $6.1 Million

The blockchain gaming platform WEMIX suffered a cyberattack last month in which 8,654,860 WEMIX tokens, worth approximately $6.1 million at the time, were stolen. WEMIX CEO Kim Seok-Hwan confirmed the incident occurred on February 28, 2025, and said the public announcement was delayed to protect players from additional losses.
Hackers infiltrated WEMIX after stealing authentication keys used by the monitoring services of the NFT platform NILE. Wemade, the company behind WEMIX, hypothesises that the attackers obtained the keys by breaching a shared repository to which a developer had uploaded them for convenience. The hackers spent two months planning the attack before attempting fifteen withdrawals, thirteen of which succeeded. The stolen WEMIX tokens were quickly laundered through cryptocurrency exchanges.
WEMIX is currently offline while all blockchain-related infrastructure is migrated to a new, more secure environment. The firm aims to restore the service fully on March 21, 2025.
"As soon as we identified the hack on February 28, we immediately shut down the affected server and began a detailed analysis,"
Bleeping Computer | "Blockchain gaming platform WEMIX hacked to steal $6.1 million"
Ox Thief Extortion Crew Threatens to Contact Edward Snowden

Fortra's research team reports that the extortion crew Ox Thief is using "novel tactics", including threatening to contact Edward Snowden if a victim does not pay to protect its data. Ox Thief claims to have stolen 47 GB of "highly sensitive files" from an organisation and threatens to publish the material unless a ransom is paid.
The crew outlines potential consequences of non-payment, including jail time, fines, class-action lawsuits, negative news coverage and incident-response costs. It also threatens to contact infosec journalist Brian Krebs, Have I Been Pwned founder Troy Hunt, the Electronic Frontier Foundation (EFF), the European Center for Digital Rights' privacy advocacy group noyb, and Edward Snowden.
Nick Oram, senior manager at Fortra, believes Ox Thief's tactics are a new and noteworthy escalation, leveraging legal liability and media scrutiny to pressure victims into paying. Ox Thief may be responding to falling ransomware payment rates by employing these tactics.
"While ransomware groups adopt a variety of tactics to increase their success, this is the first time they are outlining in painful detail threats to fast-track the legal, governmental, and press consequences associated with a breach,"
The Register | "Extortion crew threatened to inform Edward Snowden (?!) if victim didn't pay up"