🕵️‍♂️Ethical Threat Insights: Infostealers responsible for 2.1B credentials stolen last year


Happy Monday! For those following cybersecurity news, this past week has been a doozy! While I hope this newsletter helps you stay up to date, I am really focused on the insights we can obtain from all that’s going on. If you get value and you’d like to reciprocate, the best way to do that is by sharing my newsletter subscribe link on social media.

Truly appreciate you! Have an amazing week. 🙏


🩺Threat Pulse

VSCode extensions found downloading early-stage ransomware

  • Two malicious Visual Studio Code extensions, “ahban.shiba” and “ahban.cychelloworld,” were discovered deploying in-development ransomware.
  • The extensions bypassed Microsoft’s review process, remaining on the VSCode Marketplace for an extended period before removal.
  • The ransomware targeted files in a specific test folder, indicating it was in the early stages of development.

If you have people using VSCode in your organization, you’ve got to have a process for handling extensions. Don’t assume that because you have people using VSCode that they are able to identify malicious extensions or that they only install them from trusted sources. Inspect what you expect on this one.
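One way to put "inspect what you expect" into practice is an inventory of installed VS Code extensions compared against a reviewed allowlist. The script below is an added example, not code from the newsletter or from Microsoft; it assumes the per-user extension directory layout (`%USERPROFILE%\.vscode\extensions\<publisher>.<name>-<version>`) and a hypothetical allowlist you maintain. The sample folder names and versions are constructed for the demonstration.

```powershell
# Added example: compare installed VS Code extensions against an org allowlist.
# Folder names under the extensions directory follow "<publisher>.<name>-<version>".

function Test-VSCodeExtensionNames {
    param(
        [string[]]$FolderNames,
        # Hypothetical allowlist of extension IDs your organization has reviewed.
        [string[]]$AllowList
    )
    foreach ($name in $FolderNames) {
        # Lazy match up to the first "-<major>.<minor>.<patch>" so hyphenated
        # publishers and names (e.g. ms-vscode-remote.remote-ssh) still parse.
        if ($name -match '^(?<id>.+?)-(?<ver>\d+\.\d+\.\d+.*)$') {
            $id = $Matches['id']
            [pscustomobject]@{
                Id      = $id
                Version = $Matches['ver']
                Allowed = ($AllowList -contains $id)
            }
        } else {
            # Anything that does not look like a packaged extension gets flagged too.
            [pscustomobject]@{ Id = $name; Version = $null; Allowed = $false }
        }
    }
}

function Get-VSCodeExtensionInventory {
    param(
        [string[]]$AllowList,
        # Defaults to the current user's extension directory.
        [string]$ExtensionRoot = (Join-Path $env:USERPROFILE '.vscode\extensions')
    )
    if (-not (Test-Path $ExtensionRoot)) { return @() }
    $folders = Get-ChildItem -Path $ExtensionRoot -Directory | Select-Object -ExpandProperty Name
    Test-VSCodeExtensionNames -FolderNames $folders -AllowList $AllowList
}

# Constructed sample folder names (versions are made up), including the two
# extension IDs named in the article.
$sample = @(
    'ms-python.python-2024.2.1',
    'ms-vscode-remote.remote-ssh-0.108.0',
    'ahban.shiba-0.0.1',
    'ahban.cychelloworld-0.0.2'
)
$allow = @('ms-python.python', 'ms-vscode-remote.remote-ssh')

# Report only what is not on the allowlist; on a real host call
# Get-VSCodeExtensionInventory -AllowList $allow instead.
Test-VSCodeExtensionNames -FolderNames $sample -AllowList $allow |
    Where-Object { -not $_.Allowed } |
    Format-Table Id, Version
```

Run it from a management script or RMM against each developer workstation and ship the non-allowlisted rows to a ticket queue; the point is a repeatable check rather than trusting that everyone only installs from known publishers.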

Steam pulls game demo infecting Windows with info-stealing malware

  • Valve removed the game “Sniper: Phantom’s Resolution” from Steam after reports that its demo installer infected systems with information-stealing malware.
  • Users were prompted to download the demo from an external GitHub repository, which contained malicious files disguised as legitimate utilities.
  • The malware included tools capable of intercepting cookies and escalating privileges on infected systems.

This one obviously applies to home users, but I wanted to include it for any of you who are in IT at universities, especially those with Esports teams, which are becoming more popular. Rule #1: DO NOT put those gaming machines on the production network. Isolate them completely. Yes, you can still install AV/EDR on them and maybe even enroll them into Intune. But these machines are inherently risky. So much so that you don’t want them anywhere near your production environment.

Veeam RCE bug lets domain users hack backup servers, patch now

  • A critical remote code execution vulnerability (CVE-2025-23120) was identified in Veeam Backup & Replication software, affecting domain-joined installations.
  • The flaw stems from a deserialization vulnerability, allowing attackers to execute arbitrary code on affected servers.
  • Veeam released a patch addressing this issue; however, unpatched systems remain at significant risk.

Veeam, fortunately or unfortunately, is the target of much security research. A testament to how popular and successful they have become. Naturally that puts a target on their back. I don’t know the exact percentage, but in a large majority of the client environments I have pentested in the last 4 years, Veeam was in use. Here’s my advice on this: make sure you have a process for quickly patching your Veeam (or whatever solution) backup infrastructure. The quicker the better, obviously depending on the severity and exploitability of the issue.

While we’re talking about backups, you might as well:

  1. Make sure you’ve got solid backups (3-2-1 Rule)
  2. Make sure you test those backups and your backup recovery processes regularly

GitHub Action supply chain attack exposed secrets in 218 repos

  • The GitHub Action ‘tj-actions/changed-files’ was compromised, leading to the potential exposure of secrets in 218 repositories.
  • Attackers added malicious code to the action, which could dump CI/CD secrets from the Runner Worker process to the repository.
  • Publicly accessible workflow logs could allow unauthorized access to these secrets.

GitHub is still kind of a wild west. But there are tools to help manage and mitigate the risk that GitHub repositories present for organizations. If you have anyone in your organization using GitHub, it’s a good idea to:

  • Educate GitHub users in your organization about supply chain attacks
  • Teach those users how to identify malicious or suspicious repositories
  • Give users a quick and easy way to report malicious or suspicious repositories
  • Review GitHub’s Security Hardening for GitHub Actions documentation; there’s some great guidance in there for mitigating these threats
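The tj-actions incident is exactly the case GitHub's hardening guidance has in mind when it recommends pinning third-party actions to a full commit SHA instead of a mutable tag like `@v45`. The script below is an added example, not code from the newsletter or from GitHub; it scans workflow YAML for `uses:` lines and flags any reference that is not a 40-character hex SHA. The workflow text is constructed for the demonstration and the SHA in it is a placeholder, not a real commit.

```powershell
# Added example: flag GitHub Actions "uses:" references that are not pinned to
# a full commit SHA. Tags and branches can be moved; a SHA cannot.

function Test-ActionPinning {
    param([string[]]$WorkflowLines)
    foreach ($line in $WorkflowLines) {
        # Matches "uses: owner/repo@ref" or "uses: owner/repo/path@ref".
        # Local actions (./path) and docker:// references have no git ref to pin
        # and do not match, so they are skipped.
        if ($line -match '^\s*-?\s*uses:\s*(?<action>[\w.-]+/[\w./-]+)@(?<ref>\S+)') {
            $ref = $Matches['ref'].Trim('"', "'")
            [pscustomobject]@{
                Action = $Matches['action']
                Ref    = $ref
                Pinned = ($ref -match '^[0-9a-f]{40}$')
            }
        }
    }
}

function Get-UnpinnedActions {
    param([string]$RepoPath)
    # Walk every workflow file in the repo and return only the unpinned rows.
    $files = Get-ChildItem -Path (Join-Path $RepoPath '.github\workflows') `
        -Include *.yml, *.yaml -Recurse -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        Test-ActionPinning -WorkflowLines (Get-Content $f.FullName) |
            Where-Object { -not $_.Pinned } |
            Select-Object @{ n = 'File'; e = { $f.Name } }, Action, Ref
    }
}

# Constructed sample workflow; the 40-hex value is a placeholder SHA.
$sample = @'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
'@ -split "`n"

Test-ActionPinning -WorkflowLines $sample | Format-Table Action, Ref, Pinned
```

Against the sample, the two tag references come back `Pinned = False` and the placeholder SHA comes back `True`. Pair the check with `Get-UnpinnedActions -RepoPath <clone>` in a periodic job; pinning narrows the window in which a repointed tag can pull a tampered action into your runners, and it is the control GitHub's own documentation leads with.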

Phony CAPTCHA checks trick targets to download malware

  • Attackers are using fake CAPTCHA verification pages to trick users into downloading and executing malware.
  • These deceptive CAPTCHA checks prompt users to run scripts that establish a foothold for larger-scale network intrusions and ransomware attacks.
  • The tactic exploits users’ familiarity with CAPTCHA tests to bypass security measures.

There are few better examples than this one of why you should really consider implementing Application Control, whether with AppLocker, App Control for Business (previously WDAC), or a third-party product. Another tip is to change the default file associations for the various scripting languages (.bat, .vbs, .ps1, .cmd, etc.) so that when you double-click them they open in Notepad. Here’s how:

  1. Open Windows Settings:
    • Press the Windows key + I
  2. Navigate to “Apps” and then “Default apps”
  3. Choose Default Apps by File Type:
    • Scroll down to “Choose default apps by file type”
  4. Locate and Change File Associations:
    • Find the file type: Look for .bat, .vbs, .ps1, and .cmd in the list
    • Click the current default program: Click the program currently associated with the file type
    • Select Notepad: Choose “Notepad” from the dropdown or browse for it
    • Repeat for other file types: Repeat step 4 for .bat, .vbs, .ps1, and .cmd
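Once the association is changed through Settings, you will want a way to verify it on a given machine (or to find machines where nobody did it). The script below is an added example, not part of the newsletter; it reads the per-user choice the Settings page writes under `HKCU:\...\Explorer\FileExts\<ext>\UserChoice`, falls back to the machine-wide ProgId under HKEY_CLASSES_ROOT, and resolves the open command. The verdict logic is my own assumption: the Windows 11 Store version of Notepad registers an AppX-style ProgId with no readable command, so those rows are marked for manual review rather than guessed at.

```powershell
# Added example: report which handler currently opens each script extension for
# the current user, so the Settings change can be verified rather than assumed.

function Get-HandlerVerdict {
    param([string]$ProgId, [string]$Command)
    if ("$ProgId $Command" -match 'notepad') { return 'Notepad' }
    # Store (AppX) ProgIds carry no readable open command; look them up by hand.
    if ($ProgId -like 'AppX*') { return 'AppX - check manually' }
    return 'Not Notepad'
}

function Get-ScriptFileHandler {
    param([string[]]$Extensions = @('.bat', '.cmd', '.vbs', '.ps1', '.js', '.wsf'))
    foreach ($ext in $Extensions) {
        # Per-user override written by the Settings "Default apps" page.
        $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
        $progId = (Get-ItemProperty -Path $userChoice -Name ProgId -ErrorAction SilentlyContinue).ProgId
        if (-not $progId) {
            # Fall back to the machine-wide default ProgId under HKEY_CLASSES_ROOT.
            $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        }
        $command = $null
        if ($progId) {
            $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Extension   = $ext
            ProgId      = $progId
            OpenCommand = $command
            Verdict     = Get-HandlerVerdict -ProgId $progId -Command $command
        }
    }
}

Get-ScriptFileHandler | Format-Table -AutoSize
```

A `.bat` row that still shows ProgId `batfile` with an open command of `"%1" %*` means the file will execute on double-click; that is the row you want your management tooling to surface. Note that this check covers Explorer double-click behaviour only; a script launched from `cmd.exe`, `wscript.exe` or `powershell.exe` still runs, which is why the author leads with Application Control rather than relying on this tip alone.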

Infostealers fueled cyberattacks and snagged 2.1B credentials last year

  • Infostealers infected approximately 23 million hosts and devices, with the majority running on Microsoft Windows. Notably, nearly 70% of these infections targeted corporate systems.
  • Among the 24 unique infostealer strains identified, ‘Redline’ was particularly prevalent, infecting 9.9 million hosts, which represents 43% of all observed infostealer infections in 2024. Other significant strains included RisePro, StealC, Lumma Stealer, and Meta Stealer.
  • Cybercriminals employed various methods to deploy infostealers, including phishing campaigns, illegitimate software downloads, and as secondary payloads in multi-stage attacks.

Infostealers are the gift that, unfortunately, keeps on giving. There are no silver bullets for defending organizations from the downstream impact that’s possible as a result of infostealers. To me, it’s the “basics” or the “foundational” things that help the most.

  • Multifactor authentication everywhere
  • Strong password policies (technical and administrative)
  • Well defined Conditional Access policies
  • User education not just for threats they may face at work, but also personally

🔐Securing the Stack

3 Scheduled Task Security Best Practices

  1. Ensure proper least privilege: Don’t run scheduled tasks as Domain Admins or equivalent.
    • Scheduled tasks that require elevated rights should use unique accounts with access delegated as needed
    • Furthermore, if you’re running a script or executing a program from a file share, be absolutely sure that the permissions are also set with least privilege in mind
  2. Use full paths: When specifying a script or program to run make sure to use the full path. This helps mitigate search order hijacking.
    • For example, instead of using cmd.exe use c:\windows\system32\cmd.exe
  3. Monitor for suspicious tasks: Enable task creation/modification logging in the event logs:
    • Security Event ID 4698 – Task Created
    • Security Event ID 4702 – Task Updated
    • Security Event ID 4699 – Task Deleted
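All three practices can be checked from one script. The code below is an added example, not from the newsletter; it walks enabled scheduled tasks to report which ones run as an account from a list you supply (a hypothetical list of privileged accounts, which you could populate from `Get-ADGroupMember 'Domain Admins'` where the AD module is available) or launch a program without a rooted drive or UNC path, and then pulls the 4698/4702/4699 events from the Security log. The events only appear once the "Audit Other Object Access Events" subcategory is enabled.

```powershell
# Added example: audit scheduled tasks for the three practices above and pull
# the task lifecycle events from the Security log.

function Test-FullPath {
    param([string]$Execute)
    $exe = $Execute.Trim('"')
    # Rooted drive path or UNC share; anything else is resolved via search order.
    return ($exe -match '^[A-Za-z]:\\' -or $exe -match '^\\\\')
}

function Test-PrivilegedPrincipal {
    param([string]$Principal, [string[]]$Privileged)
    foreach ($p in $Privileged) { if ($Principal -like "*$p*") { return $true } }
    return $false
}

function Get-ScheduledTaskFindings {
    param(
        # Hypothetical list of accounts that should never own a task.
        [string[]]$PrivilegedAccounts = @('CORP\Administrator', 'CORP\svc-backup-da')
    )
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        $runsAs = $task.Principal.UserId
        foreach ($action in $task.Actions) {
            # Only exec actions expose Execute; COM-handler actions do not.
            if (-not $action.Execute) { continue }
            [pscustomobject]@{
                Task            = $task.TaskPath + $task.TaskName
                RunsAs          = $runsAs
                Execute         = $action.Execute
                PrivilegedRunAs = Test-PrivilegedPrincipal -Principal $runsAs -Privileged $PrivilegedAccounts
                FullPath        = Test-FullPath -Execute $action.Execute
            }
        }
    }
}

function Get-ScheduledTaskEvents {
    param([int]$Hours = 24)
    # 4698 created, 4702 updated, 4699 deleted.
    $filter = @{ LogName = 'Security'; Id = 4698, 4702, 4699; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = $xml.Event.EventData.Data
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            Subject  = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            TaskName = ($data | Where-Object Name -eq 'TaskName').'#text'
        }
    }
}

# Surface only the rows that violate practice 1 or 2, then the last day of events.
Get-ScheduledTaskFindings | Where-Object { $_.PrivilegedRunAs -or -not $_.FullPath } | Format-Table -AutoSize
Get-ScheduledTaskEvents -Hours 24 | Format-Table -AutoSize
```

The `TaskName` field in 4698 and 4702 is the cheapest thing to alert on; a creation or update outside a change window, or from a subject that is not your deployment account, is worth a look regardless of what the task does. The full task XML is also in the event (`TaskContent`) if you want to inspect the action path at detection time.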

😆Memes & Mayhem

I posted this on X over the weekend. Hits home for some, I’m sure 😅😂 If you’re not following me there, drop me a follow so you don’t miss out on regular memes and some cybersecurity insights once in a while.

One last one. I venture to guess some of us feel like this on certain Mondays. If that’s you today, hang in there. 🙏

👨‍💻Behind the Console

I was able to participate in something really cool that NinjaOne put together. They are going to be releasing something called IT Quest on April 1st. Here’s a sneak peek into what that is, featuring me and some other super cool IT/content creator folks! Definitely more to come on this. 🧙‍♂️⚔🛡

That’s all for now. Hope you have a super awesome week!

All the best
Spencer Alessi

"Spirit of a hacker, heart of a defender"
