Sign up to save your podcasts
Or
Share Cyber Bites - 21st March 2025
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Cyber Bites - 21st March 2025
* Sydney Law Firm Targeted by Foreign Cyber Attackers in Extortion Attempt
* AI Coding Assistant Refuses to Generate Code, Suggests User Learn Programming
* Widely Used GitHub Action Compromised, Leaking Secrets
* Fake "Security Alert" Phishing on GitHub Hijacks Accounts
* MyGov Passkey Adoption Surges in Australia
Sydney Law Firm Targeted by Foreign Cyber Attackers in Extortion Attempt
https://www.smh.com.au/national/nsw/prominent-sydney-law-firm-hit-with-cyberattack-massive-data-breach-20250313-p5ljd8.html
Brydens Lawyers, a prominent Sydney law firm with ties to major sports leagues, has been targeted by foreign cyber attackers who stole over 600 gigabytes of confidential data. The data includes information related to the firm, its clients, cases, and staff.
The firm discovered the security breach around February 20th and immediately took its digital systems offline, engaging external advisors, lawyers, and security experts. The attackers are now extorting the firm for a ransom.
Brydens has reported the incident to the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. The firm has also restored its IT system's security and is conducting investigations to determine the full extent of the breach and notify affected individuals. This incident highlights the vulnerability of legal firms, which handle highly sensitive information, to ransomware attacks.
AI Coding Assistant Refuses to Generate Code, Suggests User Learn Programming
https://arstechnica.com/ai/2025/03/ai-coding-assistant-refuses-to-write-code-tells-user-to-learn-programming-instead/
An AI coding assistant, Cursor, has surprised users by refusing to generate code and instead advising them to learn programming. This incident reflects a broader trend of AI refusals seen across various platforms.
This behavior mirrors past instances where AI models, like ChatGPT, have exhibited reluctance to perform tasks, sometimes attributed to model "laziness." Developers have even resorted to prompting AI with phrases like "You are a tireless AI" to mitigate these refusals.
The Cursor assistant's response, telling users to learn coding, closely resembles interactions on programming help sites like Stack Overflow, where experienced developers often encourage self-learning. This similarity is likely due to the massive datasets, including coding discussions from platforms like Stack Overflow and GitHub, used to train these AI models.
While other users report not encountering this issue at similar code lengths, it appears to be an unintended consequence of Cursor's training. The developers of Cursor have been contacted for comment.
Widely Used GitHub Action Compromised, Leaking Secrets
https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
The widely used GitHub Action "tj-actions/changed-files" was compromised before March 14, 2025, injecting malicious code that leaked secrets from affected public repositories into workflow logs. This supply chain attack, tracked as CVE-2025-30066, exposed sensitive information like AWS access keys, GitHub Personal Access Tokens, and private RSA keys.
The compromise occurred when an attacker gained access to update tags, pointing them to malicious code. While the malicious commits have since been reverted and the associated GitHub gist has been deleted, the risk of leaked secrets in logs remains.
The primary risk is to public repositories, where secrets were exposed in plain view. Security teams are urged to identify affected repositories, review workflow logs for base64 encoded secrets, and immediately rotate any compromised credentials. It is recommended to stop using the compromised action, pin GitHub Actions to specific commit hashes, audit past workflow runs, and use GitHub's allow-listing feature to prevent future attacks.
Fake "Security Alert" Phishing on GitHub Hijacks Accounts
https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/
A widespread phishing campaign is targeting GitHub users with fake "Security Alert" issues, attempting to trick them into authorizing a malicious OAuth app. The campaign has targeted nearly 12,000 repositories, warning users of unusual login attempts from Iceland.
The fake alerts provide links that lead to an OAuth authorization page for a "gitsecurityapp" app, which requests extensive permissions, including full access to repositories, user profiles, and GitHub Actions workflows. If authorized, the app gains complete control over the user's account and code.
The phishing campaign, which began recently, directs authorized users to callback addresses hosted on onrender.com. Users who have authorized the malicious app are advised to immediately revoke its access through GitHub Settings, check for unfamiliar GitHub Actions or gists, and rotate their credentials and authorization tokens.
MyGov Passkey Adoption Surges in Australia
https://www.itnews.com.au/news/over-200000-mygov-users-disable-passwords-in-passkey-shift-615664
Over half a million myGov users have adopted passkeys as their login method since the feature launched in June 2024, with over 200,000 users exclusively relying on passkeys and abandoning traditional passwords. The Australian government implemented passkeys to enhance security and combat phishing attacks, investing $5.6 million in the project.
Passkeys utilize biometric authentication, PINs, swipe patterns, or physical USB devices, leveraging cryptographic keypair technology. This approach makes myGov accounts resistant to phishing, as passkeys are specific to the website or app they are created for. Australia is among the first countries to implement passkeys for government services.
This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com
View all episodes
By Edwin Kwan* Sydney Law Firm Targeted by Foreign Cyber Attackers in Extortion Attempt
* AI Coding Assistant Refuses to Generate Code, Suggests User Learn Programming
* Widely Used GitHub Action Compromised, Leaking Secrets
* Fake "Security Alert" Phishing on GitHub Hijacks Accounts
* MyGov Passkey Adoption Surges in Australia
Sydney Law Firm Targeted by Foreign Cyber Attackers in Extortion Attempt
https://www.smh.com.au/national/nsw/prominent-sydney-law-firm-hit-with-cyberattack-massive-data-breach-20250313-p5ljd8.html
Brydens Lawyers, a prominent Sydney law firm with ties to major sports leagues, has been targeted by foreign cyber attackers who stole over 600 gigabytes of confidential data. The data includes information related to the firm, its clients, cases, and staff.
The firm discovered the security breach around February 20th and immediately took its digital systems offline, engaging external advisors, lawyers, and security experts. The attackers are now extorting the firm for a ransom.
Brydens has reported the incident to the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. The firm has also restored its IT system's security and is conducting investigations to determine the full extent of the breach and notify affected individuals. This incident highlights the vulnerability of legal firms, which handle highly sensitive information, to ransomware attacks.
AI Coding Assistant Refuses to Generate Code, Suggests User Learn Programming
https://arstechnica.com/ai/2025/03/ai-coding-assistant-refuses-to-write-code-tells-user-to-learn-programming-instead/
An AI coding assistant, Cursor, has surprised users by refusing to generate code and instead advising them to learn programming. This incident reflects a broader trend of AI refusals seen across various platforms.
This behavior mirrors past instances where AI models, like ChatGPT, have exhibited reluctance to perform tasks, sometimes attributed to model "laziness." Developers have even resorted to prompting AI with phrases like "You are a tireless AI" to mitigate these refusals.
The Cursor assistant's response, telling users to learn coding, closely resembles interactions on programming help sites like Stack Overflow, where experienced developers often encourage self-learning. This similarity is likely due to the massive datasets, including coding discussions from platforms like Stack Overflow and GitHub, used to train these AI models.
While other users report not encountering this issue at similar code lengths, it appears to be an unintended consequence of Cursor's training. The developers of Cursor have been contacted for comment.
Widely Used GitHub Action Compromised, Leaking Secrets
https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
The widely used GitHub Action "tj-actions/changed-files" was compromised before March 14, 2025, injecting malicious code that leaked secrets from affected public repositories into workflow logs. This supply chain attack, tracked as CVE-2025-30066, exposed sensitive information like AWS access keys, GitHub Personal Access Tokens, and private RSA keys.
The compromise occurred when an attacker gained access to update tags, pointing them to malicious code. While the malicious commits have since been reverted and the associated GitHub gist has been deleted, the risk of leaked secrets in logs remains.
The primary risk is to public repositories, where secrets were exposed in plain view. Security teams are urged to identify affected repositories, review workflow logs for base64 encoded secrets, and immediately rotate any compromised credentials. It is recommended to stop using the compromised action, pin GitHub Actions to specific commit hashes, audit past workflow runs, and use GitHub's allow-listing feature to prevent future attacks.
Fake "Security Alert" Phishing on GitHub Hijacks Accounts
https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/
A widespread phishing campaign is targeting GitHub users with fake "Security Alert" issues, attempting to trick them into authorizing a malicious OAuth app. The campaign has targeted nearly 12,000 repositories, warning users of unusual login attempts from Iceland.
The fake alerts provide links that lead to an OAuth authorization page for a "gitsecurityapp" app, which requests extensive permissions, including full access to repositories, user profiles, and GitHub Actions workflows. If authorized, the app gains complete control over the user's account and code.
The phishing campaign, which began recently, directs authorized users to callback addresses hosted on onrender.com. Users who have authorized the malicious app are advised to immediately revoke its access through GitHub Settings, check for unfamiliar GitHub Actions or gists, and rotate their credentials and authorization tokens.
MyGov Passkey Adoption Surges in Australia
https://www.itnews.com.au/news/over-200000-mygov-users-disable-passwords-in-passkey-shift-615664
Over half a million myGov users have adopted passkeys as their login method since the feature launched in June 2024, with over 200,000 users exclusively relying on passkeys and abandoning traditional passwords. The Australian government implemented passkeys to enhance security and combat phishing attacks, investing $5.6 million in the project.
Passkeys utilize biometric authentication, PINs, swipe patterns, or physical USB devices, leveraging cryptographic keypair technology. This approach makes myGov accounts resistant to phishing, as passkeys are specific to the website or app they are created for. Australia is among the first countries to implement passkeys for government services.
This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com