A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
SANS Stormcast Monday March 17th: Mirai Makes Mistakes; Compromised Github Action; ruby-saml vulnerability; Fake GitHub Security Alert Phishing
March 16, 2025
6:38
5.85 MB
Downloads: 0
Mirai Bot Now Incorporating Malformed DrayTek Vigor Router Exploits
One of the many versions of the Mirai botnet added some new exploit strings attempting to take advantage of an old DrayTek Vigor Router vulnerability, but they got the URL wrong.
https://isc.sans.edu/diary/Mirai%20Bot%20now%20incroporating%20%28malformed%3F%29%20DrayTek%20Vigor%20Router%20Exploits/31770
Compromised GitHub Action
The popular GitHub action tj-actions/changed-files was compromised and leaks credentials via the action logs
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
ruby-saml authentication bypass
A confusion in how to parse SAML messages between two XML parsers used by Ruby leads to an authentication bypass in saml-ruby.
https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/
GitHub Fake Security Alerts
Fake GitHub security alerts are used to trick package maintainers into adding OAUTH privileges to malicious apps.
https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/