Counterfeit CAPTCHA ClickFix Lures; Windows Shortcuts Exploited Since 2017; GitHub Actions Compromise May Be Cascading Supply Chain Attack

Never underestimate the craftiness of evildoers. That said, the red flag was being asked to run a set of commands on your device. That's a stop, think, stop again, think again moment before declaring it too dodgy and leaving the site. Unfortunately for far too many people, they never enter the stop think stage, so I suspect there is a good ROI for the evildoer.

Curtis Dukes

Talked about this issue last year (https://isc.sans.edu/diary/31282) and it has only become more common since then. Controlling powershell script execution has been important even before that as attackers have used various tricks to execute malicious powershell scripts for years. Nothing fundamentally new here.

Johannes Ullrich

CAPTCHA as bait, ranks right up there with "Click here to get the latest version of Adobe Reader."

William Hugh Murray

A CAPTCHA that entices you to run copy/pasted content should be an immediate red flag. The attack tells the user to hit the Win+R key combination to run the pasted script. Consider implementing a GPO which prevents the run command when Win+R is pressed.

Lee Neely

This one is interesting; it's the 2025 version of the IRC chat channel telling you to type rm -Rf / in a terminal to fix your issues. It's many decades later, and this is still a vector. This time, however, it's a phishing lure disguised as a captcha. Maybe in 5 years, ChatGPT will let me know that rm -Rf / fixes all my problems; In the meantime, this will be an educational lesson for some that you can't just copy/paste into a terminal. Unfortunately, I am not sure how we can protect against this one.

Moses Frost

As stated by Trend Micro, this is an old issue, known and exploited for years. Microsoft is right in not considering it a major problem. It is not that far off from a user downloading any executable and launching it. There are optional defenses in place to prevent such scenarios.

Johannes Ullrich

The ZDI Initiative said 'We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines.' There have been past Microsoft updates/CVEs around .LNK security flaws. We need to hear publicly from Microsoft why this one is different.

John Pescatore

This Windows LNK issue has been known in many circles for years. Jean Maes, who authors our Red Team Course, has been talking about it for at least the time the course has been around, if not longer. This is a well-known vector; the fact that it's getting attention now because protections are available is kind of interesting. I'm not sure what to say about it other than I don't think there will be a fix for this?

Moses Frost

The ubiquitous use of Windows puts us all at risk.

William Hugh Murray

To see the augmented shortcuts in the .LNK file you need third party tools, the built in tools will not display the information. ZDI's blog post included a YARA rule to detect them. Microsoft has stated this flaw doesn't meet the threshold to release a fix, however Defender now includes protections to detect and block this flaw. Expect EDR providers to include similar protections soon.

Lee Neely

I just did a video on this earlier this week. Since that video, there have been some very good write-ups piecing together this information. Some of the incident response reports I have seen show that researchers have done excellent investigative work and are trying to piece together the total attack. This may have stemmed from a different GitHub action attack path that may or may have been targeting Coinbase's GitHub. CISA is now recommending that all government agencies use a specific lockdown version of these GitHub actions.

Moses Frost

Compromised GitHub actions have not really been on the radar for many DevOps organizations, but they should have been. The rush to the cloud and SaaS solutions often leaves vendor management in the dust. Open source, and solutions like GitHub, need to be treated as vendors and managed accordingly.

Johannes Ullrich

This may be a cascading supply chain where the compromised actions are used to inject malicious code. GitHub has scripts to scan your repository to identify areas of concern, as well as guidance about what is not an issue.

Lee Neely

One might well take note of the difference in the number of patches from IBM with the numbers from some of its competitors.

William Hugh Murray

The good news is AIX isn't as mainstream an operating system as Windows, Linux, MacOS. The bad news is there is still a reasonable user base, and evildoers with the skillset will find a rich target environment as organizations scramble to patch the vulnerability.

Curtis Dukes

Whoever runs AIX in 2025 would indicate that it is a core business system. It would also mean that they cannot get away from this core business system, which is probably running programs written in RPG. Just doing essential detection would be a challenge. A 10 out of 10 RCE is the worst-case scenario for these companies. I'm not sure the last time I saw an AIX bug of this magnitude, but it's not very common. It would also probably be tough to secure the thing. If you can patch without taking down your business somehow, you should. Motivated attackers will go after this.

Moses Frost

If you're an AIX shop this bug's for you. CVE-2024-56346, NIM Master Service flaw, CVSS score 10.0, and CVE-2024-56347 nimsh service flaw, CVSS score 9.9, are both present in AIX 7.2 & 7.3 which you need to update immediately. IBM has released interim fixes, but the best plan is to install the service pack for your AIX version.

Lee Neely

I just did a video on this, which is also this weekÕs infosec drama. I will publish it soon. What can I say? Some people do not like how patches are implemented; This is nothing new. The vendor is probably in a challenging position where the 'appropriate' way to patch it is far too complex to do in a short timeframe, and the security researchers who are calling out the ease of working around the patch are rightfully concerned that it will never be properly patched. The guidance from the vendor is also somewhat in contention as there is no necessity to join these to the domain, but in practice everyone does. The way this exploit works, all you need most of the time is a basic Domain User to exploit it, which is not hard to get if you are an attacker.

Moses Frost

CVE-2025-23120, deserialization of untrusted data, CVSS score 9.9, can be exploited by any authenticated user for a domain joined Veeam backup server. Veeam best practices advise against joining the backup server to your domain. You need to both apply the update and review best practices to ensure you're as protected as possible. Note that Veeam provides a deny list rather than an allow list to help mitigate attempted exploits.

Lee Neely

Fixing deserialization flaws with block lists doesn't work. WebLogic tried it with little success. Keep your Veeam patching skills sharp and expect more vulnerabilities like this from Veeam.

Johannes Ullrich

OT networks and the underlying ICS and SCADA applications will continue to be targeted. The best defense remains being ruthless in who can access the OT network and how. There are excellent OT cybersecurity platforms available, but often a simple device like a stripped-down firewall can be equally effective in restricting access to the network.

Curtis Dukes

In addition to the mitigations above, don't expose SCADA systems directly to the Internet, and make sure to isolate them from internal systems which don't need to interact with them. If you have remote components collecting data, make sure you're reviewing the security of that connection regularly.

Lee Neely

The craftiness of evildoers is certainly on display in today's NewsBites. While I agree with the Guardz mitigations, we're dealing with humans after all, many of the recommendations will never be done. This is an attack on the MSFT brand, and one must believe they will be quick in shutting this down. What say you MSFT?

Curtis Dukes

The killer is, the messages are originating from internal sources (meaning checking the domain and sender isn't so effective) which then entice users to call a proffered number, directly to the scammer. Mitigation is going to take a combination of blocking bogus numbers and behavior modeling to identify illicit activity.

Lee Neely

Back in the late 1800s and early 1900s, many US cities like Chicago and Baltimore grew rapidly with wooden buildings built closely together. One tenant's chimney fire could lead to entire cities going up in flames. Sounds like the OnMicrosoft.com 'city' is letting tenants build houses made of balsa wood. This one is definitely worth an update to users: Notify security of any attempt to steer you to a telephone call, and perhaps block the onMicrosoft.com domains until Microsoft provides details on actions they are taking.

John Pescatore

This guidance is somewhat disingenuous. The UK government, like that of the US, and other nation state actors, is engaged in a "store now decrypt later (SNDL)" program in anticipation of efficient decryption using quantum computers. The few targets of this program should be moving to PQC now. While most of the data that we encrypt today has a short life and will not still be of interest "later," or is not of interest to nation state actors, some small amount is.

William Hugh Murray

You need to be tracking moving to PQC. Your vendors should all have implementation plans as well as migration guidelines, many of which amount to staying on supported versions and applying updates. While relatively easy to add PQC support to systems, removing the backwards compatibility will have to be planned and communicated widely. Be sure to have in-depth talks with your OT/ICS partners.

Lee Neely

The Rhysida ransomware gang is taking credit for this attack. They are a very active gang targeting healthcare, churches, nonprofit organizations and city government organizations. PSEA is providing guidance on steps user can take to protect their credit/identity as well as offering credit monitoring to those who had their SSN compromised. They have until July 17th to enroll in the offered service.

Lee Neely

It pretty much goes without saying, ransomware event, and they paid. What I find most troubling outside the lack of basic cyber hygiene is the need to keep all those data elements. It's a good reminder to routinely revisit your data collection and retention policies with an eye towards minimizing what is collected and for how long.

Curtis Dukes

Except perhaps for the association of the individual with the union, one must assume that most of this PII is already available from unscrupulous data brokers for dimes to dollars. One cannot rely upon its secrecy for one's security. One's risk only went up marginally from this compromise. On the other hand, the Union had a duty to protect it and should not have collected and retained it if it could not protect it.

William Hugh Murray