So, everyone’s been talking lately about the telecoms getting hacked by Salt Typhoon, the Chinese threat actor. And, well, things just got kind of worse for the U.S. government because the U.S. Treasury Department just also got hacked by Chinese threat actors. That, and we have millions of fake stars on GitHub, which is helping malware and other stuff get spread.
Let’s talk about that in today’s episode. Today we are facing an unprecedented array of data breaches, hacking attempts and surges in digital crime. Why is there such a widespread amount and how little is noticed in our everyday lives? Malware, dark sites, brute forcing, zero-day script kiddies, and nation state hackers are all on the rise.
Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey everyone, another episode of Exploit Brokers is coming to you now. Hey guys, welcome to another episode, if you could please do me a favor because it helps the channel grow. If you’re on YouTube, if you could hit that like, subscribe, and bell notification icon.
It would be great. And if you’re on something like Spotify or Apple Podcasts, if you could please give a subscribe or follow, so that way you can get updated with new episodes. And if you think we deserve it, give us a 5-star review to help us reach more people. With all that said, I am Cipherceval, your host, and let’s get into it.
Dark Reading, we have an article from them, Chinese state hackers breach U.S. Treasury Department in what’s being called a major cybersecurity incident. Major cybersecurity incident kind of being the easiest way to say it. Beijing-backed adversaries broke into cyber vendor BeyondTrust to access the US Department of the Treasury’s workstations and steal unclassified data, according to a letter sent to lawmakers. So before I jump into some of the nitty gritty of the article, I kind of want to give a bit of context. What you have a lot of companies, agencies, governments do is they have a way to access secure stuff, right?
So you have a VPN or a portal, there’s stuff like even Citrix, BeyondTrust, and a few different other solutions that essentially let you remote in to a secure environment from a relatively non-secure environment, right, from, think laptops and other stuff that maybe personnel carry with them, and that’s kind of where the root of all this happened. It’s because of a vendor that they were using, BeyondTrust.
That all this kind of played out, but we’ll get into that right now with the article. I just kind of want to give you a heads up on that. It’s nothing that the U.S. Treasury Department themselves did, but they’re kind of in the middle of this because of fallout from a vendor. Now the U.S. Department of the Treasury alerted lawmakers on Monday that Chinese state-backed threat actors were able to compromise its systems and steal data from workstations earlier this month.
Because an Advanced Persistent Threat, APT group, is suspected to be behind the hack, it is being treated as a major cyber security incident. The disclosure letter from the Treasury Department said, The letter was sent to the chairman and ranking member of the senate committee that oversees the agency.
So, you have, and we’re seeing it more and more, you have these threat actors, APTs, that, pretty much, are trying to do different things, right? Some of them are trying to wreak havoc, some of them are trying to steal intel. It just depends on which threat actor is happening, or which threat actor we’re talking about.
In this case, we’re talking about one of the threat actors from China. Whether that’s Salt Typhoon or not, I don’t think the article even goes into that and I haven’t heard anything else on it, but it could be them. But essentially, that’s just who we’re talking about right now. Adversaries broke into the Treasury Department through third party cybersecurity vendor BeyondTrust, and gained access to a remote key used by the vendor to secure a cloud based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users.
The letter explained, with access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users. So, what happens a lot in IT development, developers, just in the world of tech, right?
You have privilege levels when you’re talking about remote access. You’re going to have the lowest level, which is say a user, right? You generally only give them access to applications and workstations that they need. And that’s it, right? You shouldn’t have an analyst per se, trying to access the workstation of every other analyst.
Maybe they have a shared, you know, a SharePoint or somewhere that they can exchange data or stuff, but generally you don’t want them to have full access over each other’s workstations, versus something like an admin. Think, you know, like a network admin, sysadmin, they need more than just that, right?
They have the trust to not do anything. And then they have to maintain workstations, troubleshoot user accounts, troubleshoot user workstations, applications, and different things like that. And then you have developer accounts, which generally can be more privileged than the system admins. Even then, developer accounts, there are ways to segment it where, you know, maybe the primary account the developer uses is still somewhat limited, and then they have a super admin account, which they shouldn’t be using often.
Maybe they just have, they don’t have the permission, and they have to send out work tickets for other specific things, right? Whenever you go for more security, you kind of inconvenience developers and admins, so there’s trade-offs, right? You can’t give a developer necessarily admin to everything and anything, but if you want them to maintain databases, well, they need database access.
If you want them to be able to troubleshoot production issues, well, now they need production access. So there’s kind of, there’s a trade off for a lot of this, right? And if you steal an access key from a developer or an admin or one of those, you’ve essentially stolen keys to the kingdom. When you think about the valuable targets or what these, whether it’s cyber criminals or threat actors are going after when they are trying to steal credentials or they’re trying to steal stuff.
There isn’t a whole lot of value in lower end users, but if those lower end users let you pivot and go laterally until you find a machine where you can do privilege escalation or in this case, steal a key that’s very valuable that gives more access to be able to override certain security measures.
Well, then that’s a valuable goldmine. So those are just some things to think about, right? It’s not super cut and dry where if you steal a key, that’s it, you’ve got keys to the kingdom. If you steal the key to a low level user account, well, then you still got to try to do lateral, but if you steal the key to say the admin, or one of the main developers, then that becomes a wider area of influence.
So it’s things just to keep in mind. BeyondTrust has more than 20,000 customers across more than 100 countries who use its privileged remote access tools, according to its website, which also states that the company is used among 75 percent of Fortune 100 organizations. Going back again, right? You have a lot of companies and agencies, both private, public, et cetera,
who want their employees and contractors and other stuff to be able to access stuff securely. The problem is that the vendors who set this up sometimes have more access over the system, depending on how the whole thing is set up, right? They may need more access to troubleshoot this. If the stuff is not necessarily provisioned in the right way, then more people might have access than they need.
It’s just kind of a back and forth. Auditing the privileges of user accounts is something that I believe is somewhat normal when it comes to the IT world, but there’s always more auditing that could be done, but then that takes money, time, resources, etc. BeyondTrust told the Treasury Department about the issue on December 8th.
The department, along with the Cybersecurity and Infrastructure Security Agency, CISA, and the FBI is investigating the compromise, according to the letter. A BeyondTrust advisory said the company was alerted on December 5th to a compromised API key, which was immediately revoked. Impacted customers have already been notified and the company is working with them on remediation, according to a statement from a BeyondTrust spokesperson.
So we’re talking about an API key. That’s an application programming interface. It’s essentially a way for another program to talk to a target program, right? You may log into your bank’s website and do certain things on there, but that backend and maybe other services need to talk to the program directly.
And you have two programs that can talk to each other through this kind of API. And an API is really a fancy way of saying you’re doing text based requests going back and forth that are kind of predetermined or do certain things, but you do them programmatically. I’m kind of oversimplifying, but that’s kind of what I’m talking about.
So, BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the remote support product, the statement said. No other BeyondTrust products were involved. So that’s just the statement, right? They have to kind of give some information, but maybe they’re not ready to give all the information out.
It’s something we’re seeing, right? You don’t want to freak everyone out that they’ve, you know, been completely owned through a supply chain attack or something else when that hasn’t been the case and they haven’t confirmed it. So I can understand them saying that, but hey. Once we get more information, that’s obviously going to be more interesting to kind of go and dissect.
Now, there is more of the article that talks about the epic Chinese hack of the US Treasury, because something that we’re seeing is that recently, Salt Typhoon, and I haven’t covered this, but several other YouTubers, several articles, and other stuff have covered it. Salt Typhoon recently has been found to have been in more telecommunication companies than originally thought.
I believe I touched on some of them, but I think as more information is coming out that more and more of the telecom agencies are actually hacked. And there was even, I believe, a safety advisory or some kind of notice that the government was saying, urging people to pretty much switch from SMS, which is text based, to some kind of encryption, think like Signal, because what happens with text communication specifically, I don’t know about RCS, which is kind of a new tech, but SMS, whenever you send a message, that message is sent via plain text. That plain text message is generally held in some reservoir that the telecom companies have, think of a database essentially, and they do that because from when you send it to when the recipient is found.
It’s not instantaneous, right? It’s not like you’re pinging some IP network. The network has to do resolution and figure out where this client is, what’s the closest antenna to them. And, you know, it’s more sophisticated than just trying to reach a server because this is a moving target, right? So there’s much more noise and chaos that get mixed into it versus just a normal DNS, and it seems like Salt Typhoon has accessed a bunch of that information.
And depending on how long they’ve been in the system, the amount of stuff they can exfil, or exfiltrate, is enormous, right? Imagine being able to see every text message from the United States or anyone in the United States or anyone in the Philadelphia area, anyone in the Washington DC area, right? It starts to get really crazy when you think about the implications of it, but right now the government was just dealing with that only for the U.S. Treasury Department to get hacked.
It really seems like Chinese threat actors are really taking advantage of kind of the turmoil between the elections and, you know, the dysfunctional nature of government, and they’re mounting more and more cyber attacks. So it’s going to be interesting to see where that goes, but that is kind of the gist of this article.
Um, and just kind of breaking down some of the major points on this. Now that we talked about that, let’s talk about GitHub. Now in an article by BleepingComputer, Over 3.1 million fake stars on GitHub projects used to boost rankings. So, whenever you’re talking about stars on GitHub, again, to give a bit more context before we jump into the article, whenever you’re talking about stars, think of it kind of like the like button on social media.
A star on a GitHub project, which are open source projects, is a way of saying, hey, I like this repository, and that signals to other users of GitHub, hey, this could be a worthwhile and/or trustworthy repository. And the reason that’s important, right, is you have a lot of developers, whether it’s, you know, new novice developers or seasoned developers or et cetera, who use GitHub because you can’t necessarily write every piece of code yourself.
You can, but then you’re going to be spending maybe months rewriting a library that already exists and it’s useful. Think cryptography, right? You want to use a tried and tested cryptography library. Because you trying to roll your own cryptography is pretty much guaranteed to fail in one form or another.
Whether it’s implementation, typos, you name it. Rolling your own crypto, cryptography, and I’m not talking about crypto like Bitcoin, but cryptography like encryption, is kind of one of the easy ways to mess something up. So because of this, a lot of developers rely on GitHub. Not only GitHub, but that’s kind of the most popular one, and it got bought out by Microsoft a while back.
So now that you have this repository of open source projects, And the stars are being used to manipulate it where you’re like, well, why does that matter? Well, when you have the ability to influence rankings of top packages, you start to get malicious things happening because at that point you can buy stars away.
You can buy likes, and that’s where kind of this problem arises. So let’s jump into the article, and I’ll be back and forth the way I normally am. GitHub has a problem with inauthentic stars used to artificially inflate the popularity of scam and malware distribution repositories. Okay. Helping them reach more unsuspecting users. Stars are similar to the like button on social media, allowing GitHub users to favorite a repository.
So I’m gonna skip over some of the stuff I’ve kind of already explained one interesting thing to kind of discuss and to kind of bring to light is I know maybe some of my audience aren’t software engineers, software developers, maybe some of you are just cyber security people, maybe some of you are just people who are interested in this and are just seeing from the outside looking in, or maybe you’re new to cyber security or programming, but the problem with manipulating rankings on this level, right, the amount of packages that modern applications use is massive.
If you think something like NPM, there’s a running joke where NPM is like 50 gigs for a Hello World. Um, that’s not the exact joke that I’m paraphrasing, but it might as well be. Because what happens is, you have a lot of libraries that don’t necessarily need to exist, but some of them are extremely useful.
And there’s so much bloat in the amount of packages that a piece of software has now. And a package is just pre-written code by someone else. With that said, just continue. The problem has been documented previously, like last summer when Check Point uncovered a malware delivery service named the Stargazers Ghost Network, which used an extensive network of inauthentic users starring fake projects to push information stealing malware.
Non malicious projects also use fake stars to boost their popularity, increase their reach, and attract legitimate user attention, real stars, and adoption. Whenever you get a malicious package and you push it up and it makes it popular, now you’re kind of thinking about this from, okay, say 10,000 applications installed.
Now you have a supply chain attack because those 10,000 applications are legitimate applications and they might actually have ways to sign. So you have this malicious thing being Trojaned in without the developer wanting to Trojan in, and then they can distribute this piece of software. Say it’s a trusted thing, right?
It’s one of the apps that we’ve used on Windows. Think like WinRAR, or 7-Zip, or, you know, Chrome, or any of those applications. Imagine if they installed this malicious package, and now it affects pretty much everyone. Because if you’re thinking Chrome and Firefox, if they were to install any of these malicious packages, now that’s a huge target base.
And it’s a supply chain attack. We’re seeing these more and more. But now, the ability to manipulate the rankings with the stars and the bots makes it easier to implement this, right, because you’re not just hoping a developer finds your package. You’re now making it more likely that a developer will find your package. And if developers are under deadlines and stress, they may not read everything, and that’s just the human nature of it. Now they are saying non malicious projects use this, you know, kind of like social media. Sure, you may have some bad actors trying to push up their likes to push some scammy product, but you also have people that are trying to just become influencers and they might buy likes. You might have legit projects that are like, hey, I think this is useful, but no one seems to be picking this up, so they’re paying to kind of get this up. Buying users and all that is generally frowned upon because there should be unique, or not unique, there should be, you know, authentic interaction. My problem with buying, with using bots, right,
is you’re not driving real traffic. Sure, you might get a spike in traffic, which then lets you find other people, but the way algorithms work, or at least, you know, search algorithms work, is they rely on a lot of signals and very, I would say, complex markers. And if you start to mess with that by introducing bots, which have no personality, it’s just wherever the money’s coming from, right?
You could have just a complete messing up of the characteristics or the metadata of your channel or GitHub or whatever you’re doing. So I generally don’t like bots because it skews in directions that you may not anticipate. If all the bots are liking prank channels, let’s talk about YouTube for a second.
If all the bots are liking prank channels and you push a cooking channel, well, now they may be incentivized, or YouTube might be incentivized, or one of the other video sharing sites might be incentivized, to share your cooking video to even more prank channels because the bots that are liking prank channels are liking yours. So there has to be some overlap, and that’s not necessarily what’s happening with GitHub, but that’s why I dislike bots. Anyways, so the researchers here were actually using some, let’s call it AI-ish methodologies. They’re using math, and whenever you talk about math you start to kind of veer into like the precursors to AI, because AI is just really fancy math, calculus, and stats.
Um, pretty much. So looking for fake stars, it’s a subheader in the article. The researchers developed and used a tool called StarScout to analyze 20 terabytes of data from GH Archive to find inauthentic stars. GH Archive contains metadata of over 6 billion GitHub events from July 2019 to October 2024, including 60.5 million user actions on 310 million repositories and 610 million stars.
In other words, they just have a lot of log data. But it’s just that, right? You need log data to see what’s going on and try to do some analysis. So, StarScout detects users who show minimal activity on GitHub, like starring a single repository, have bot or temporary account activity patterns, and account groups that act in coordination, such as starring the same repositories within a short time.
Their method is based on CopyCatch, an algorithm designed to detect fraudulent patterns in social networks. So, from a math perspective, right, you will have some kind of data patterns that will naturally emerge whenever you’re looking at large pieces of data. Just like before elections, there’s a certain amount of searches, or if you look at Google Trends, for example, those all tend to go up just before an election cycle, or when you look at, like, shopping, it tends to go up just before the Christmas season. There’s certain patterns that are just inherent from a psychological perspective that human nature happens with. But when you start talking about bots, they don’t exhibit the same thing. Here, one of the easy ways to kind of figure out is if you have all these accounts that are starring or liking this specific account, and you see them doing that consistently for multiple accounts, that’s not very likely.
The likelihood that user A, user B, and user C all like the same account within the same day, and then they do that 10, 20, 30 times, so 10, 20, 30 different repos or user accounts or whatever, is not likely. Because the amount of data and accounts and social media and just the internet is massive. So that’s where you see these outliers and you can essentially do something like a k-nearest neighbor and all these graphs.
There’s a bunch of kind of algorithms and mathematical ways to do this, and that’s what they’re talking about here. CopyCatch. It’s an algorithm that’s been fine tuned, or at least the concept has been tuned, to preventing or detecting fraud in social networks. Now they found 4.5 million stars, but then they actually tried to, they did some sampling and did some other stuff and they reduced that to 3.1 million fake stars given by 278,000 accounts to 15,835 repositories, which is still massive.
When you think about the amount of accounts or bots and the amount of repositories that are paying, because you have to pay money for this, right? And now there is kind of a good side, which is the researchers did report this to GitHub, and it seems like they’re taking action against it, but you can’t just do a massive ban. You have to make sure that you’re actually using some kind of metrics on the GitHub side to validate this information, right?
Trust but verify, and that’s kind of the gist of this. There will always be a way to hack the system, in a way. Um, because whenever you’re talking about social media or rankings or something else, just like we’ve seen with SEO and the internet, there’s ways to game the system. So it will always be a cat and mouse.
That is ultimately what cybersecurity is. It simplifies to, you find a loophole, they patch the loophole, you find another loophole, they patch the other loophole, and it just goes back and forth. Uh, and sometimes it’s legitimate loopholes that get patched and sometimes it’s just fraudulent stuff and malicious stuff.
Bugs could, you know, could make the application unusable or bugs could make the application super insecure. And that’s the world of software development. But guys, I want to thank you for tuning in to another episode. This has been your host Cipherceval and I will catch you in the next one.
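The coordinated-starring signal the episode describes (accounts with almost no activity that star the same repositories within a short window of each other) can be sketched in code. The block below is an added example for this transcript, not the researchers' StarScout tool or the real CopyCatch implementation: it is a simplified lockstep detector run over a handful of constructed GH Archive-style star events. The thresholds WINDOW, MIN_GROUP and MIN_SHARED, the helper names, and the sample accounts and repositories are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed GH Archive-style star events (user, repo, ISO-8601 time).
# Made up for this example; none of these accounts or repos are real.
SAMPLE_EVENTS = [
    # A coordinated cluster: three throwaway accounts star the same repos minutes apart.
    ("bot_a", "evil/loader", "2024-10-01T10:00:00Z"),
    ("bot_b", "evil/loader", "2024-10-01T10:02:00Z"),
    ("bot_c", "evil/loader", "2024-10-01T10:05:00Z"),
    ("bot_a", "evil/cheat-tool", "2024-10-01T10:10:00Z"),
    ("bot_b", "evil/cheat-tool", "2024-10-01T10:11:00Z"),
    ("bot_c", "evil/cheat-tool", "2024-10-01T10:13:00Z"),
    ("bot_a", "evil/free-cracks", "2024-10-02T09:00:00Z"),
    ("bot_b", "evil/free-cracks", "2024-10-02T09:03:00Z"),
    ("bot_c", "evil/free-cracks", "2024-10-02T09:04:00Z"),
    # Organic stars spread over weeks on a legitimate project.
    ("alice", "good/crypto-lib", "2024-07-12T08:00:00Z"),
    ("bob", "good/crypto-lib", "2024-08-03T19:30:00Z"),
    ("carol", "good/crypto-lib", "2024-09-21T14:15:00Z"),
    ("alice", "good/other-lib", "2024-07-20T08:00:00Z"),
    # A lone real user who happened to star the malicious repo much later.
    ("dave", "evil/loader", "2024-10-15T12:00:00Z"),
]

WINDOW = timedelta(minutes=30)  # assumed: stars closer than this count as "same time"
MIN_GROUP = 3                   # assumed: a burst needs at least this many distinct accounts
MIN_SHARED = 2                  # assumed: two accounts are linked if they co-burst on this many repos


def _parse(events):
    """Turn the ISO timestamps into datetime objects."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return [(user, repo, datetime.strptime(ts, fmt)) for user, repo, ts in events]


def low_activity_accounts(events, max_events=1):
    """Accounts with very few events (e.g. exactly one star).
    This is a weak signal on its own: a brand-new legitimate user looks the same,
    so it only becomes useful combined with the coordination check below."""
    counts = defaultdict(int)
    for user, _, _ in events:
        counts[user] += 1
    return {user for user, n in counts.items() if n <= max_events}


def find_bursts(events):
    """For every repo, return (repo, users) for each group of MIN_GROUP or more
    distinct accounts whose stars fall inside one WINDOW-long sliding window."""
    by_repo = defaultdict(list)
    for user, repo, ts in _parse(events):
        by_repo[repo].append((ts, user))
    bursts = []
    for repo, stars in by_repo.items():
        stars.sort()
        start = 0
        for end in range(len(stars)):
            # Advance the window start until the window is at most WINDOW wide.
            while stars[end][0] - stars[start][0] > WINDOW:
                start += 1
            members = frozenset(user for _, user in stars[start:end + 1])
            if len(members) >= MIN_GROUP:
                bursts.append((repo, members))
    return bursts


def coordinated_clusters(events):
    """Simplified CopyCatch-style lockstep detection: link two accounts when they
    co-burst on at least MIN_SHARED repos, then report connected groups of
    MIN_GROUP or more accounts together with the repos they hit in lockstep."""
    bursts = find_bursts(events)
    shared = defaultdict(set)  # (user_a, user_b) -> repos they co-burst on
    for repo, members in bursts:
        for a, b in combinations(sorted(members), 2):
            shared[(a, b)].add(repo)

    parent = {}  # union-find over linked accounts

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (a, b), repos in shared.items():
        if len(repos) >= MIN_SHARED:
            parent[find(a)] = find(b)

    groups = defaultdict(set)
    for user in list(parent):
        groups[find(user)].add(user)

    clusters = []
    for members in groups.values():
        if len(members) >= MIN_GROUP:
            repos = frozenset(r for r, m in bursts if len(m & members) >= MIN_GROUP)
            clusters.append((frozenset(members), repos))
    return clusters


def suspicious_stars(events):
    """Per repo, count the stars that came from accounts in a coordinated cluster."""
    flagged = set()
    for members, _ in coordinated_clusters(events):
        flagged |= members
    counts = defaultdict(int)
    for user, repo, _ in events:
        if user in flagged:
            counts[repo] += 1
    return dict(counts), flagged


if __name__ == "__main__":
    for members, repos in coordinated_clusters(SAMPLE_EVENTS):
        print("coordinated accounts:", sorted(members), "-> repos:", sorted(repos))
    counts, _ = suspicious_stars(SAMPLE_EVENTS)
    for repo, n in sorted(counts.items()):
        print(f"{repo}: {n} suspicious star(s)")
```

On the constructed sample, the three throwaway accounts are grouped into one cluster and all nine of their stars are attributed to it, while the organic stars on good/crypto-lib, spread over weeks, never form a burst. Note that the low-activity check on its own flags bob, carol and dave, all of whom are legitimate in the sample; that is the reason the episode's "trust but verify" point matters, and why a platform would combine several signals before acting rather than banning on any one of them.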
Note: This is an autogenerated transcript
📢 Connect with us:
Newsletter: https://follow.exploitbrokers.com
Twitter: @ExploitBrokers
Medium: https://medium.com/@exploitbrokers
TikTok: https://www.tiktok.com/@exploitbrokers
🔗 References & Sources
* US Treasury Hacked: https://www.darkreading.com/cyberattacks-data-breaches/chinese-state-hackers-breach-us-treasury-department
* Github Fake Stars: https://www.bleepingcomputer.com/news/security/over-31-million-fake-stars-on-github-projects-used-to-boost-rankings/