Full Report
Three new bugs added to CISA's KEV catalog, RaaS affiliates use new custom backdoor, and compromised GitHub Action exposes CI/CD secrets.
Analysis Summary
# Main Topic
A multi-faceted threat intelligence update encompassing newly recognized vulnerabilities added to CISA's KEV catalog, the emergence of a custom backdoor by RansomHub affiliates, and a significant CI/CD supply chain compromise affecting GitHub Actions.
## Key Points
- **CISA KEV Additions:** Three new vulnerabilities have been officially added to CISA's KEV catalog, necessitating immediate patching:
  - CVE-2025-1316 (Edimax IP Cameras) is an RCE flaw used in Mirai botnet activity.
  - CVE-2024-48248 (NAKIVO Backup & Replication) is an unauthenticated path traversal flaw leaking sensitive data.
  - CVE-2017-12637 (SAP NetWeaver AS Java 7.5) is a persistent directory traversal flaw.
- **Custom RaaS Backdoor:** RansomHub affiliates are utilizing a new, custom multi-function backdoor named "Betruger" to streamline ransomware campaigns.
- **CI/CD Supply Chain Attack:** The `tj-actions/changed-files` GitHub Action was compromised via a cascading supply chain attack originating from a vulnerability in `reviewdog/action-setup@v1`, resulting in the exposure of developer secrets.
## Threat Actors
- **RansomHub Affiliates:** Utilizing the custom "Betruger" malware for ransomware operations. RansomHub (formerly Cyclops/Knight) engages in double extortion.
- **Unknown Actors (CVE-2025-1316):** Exploiting the Edimax vulnerability and leveraging it for Mirai botnet deployment and DDoS attacks.
- **Unknown Actors (GitHub Action Incident):** Actors linked to the compromise of `reviewdog/action-setup@v1` that subsequently targeted `tj-actions/changed-files`.
## TTPs
- **Ransomware/Backdoor Operation (Betruger):**
  - Keylogging.
  - Network scanning.
  - Privilege escalation.
  - Credential dumping.
  - Data exfiltration.
  - Disguised as common executables (`mailer.exe`, `turbomailer.exe`).
- **Vulnerability Exploitation:**
  - **CVE-2025-1316:** OS Command Injection leading to Remote Code Execution (RCE).
  - **CVE-2024-48248:** Absolute Path Traversal to access configuration files, backups, and credentials.
  - **CVE-2017-12637:** Directory Traversal via manipulation of query strings.
- **Supply Chain Compromise:**
  - Injecting malicious code via a trusted third-party GitHub Action.
  - Exfiltrating secrets (e.g., GitHub access tokens, AWS keys, npm credentials) into public workflow logs.
## Affected Systems
- **CVE-2025-1316:** Edimax IC-7100 IP Cameras (Support discontinued).
- **CVE-2024-48248:** NAKIVO Backup & Replication software before version 11.0.0.88174.
- **CVE-2017-12637:** SAP NetWeaver AS Java 7.5.
- **CI/CD Environment:** Any repository utilizing the compromised `tj-actions/changed-files` and likely `reviewdog/action-setup@v1` GitHub Actions. (Reportedly 5,416 projects referenced the action, of which 218 leaked secrets.)
## Mitigations
- **Patch Management Priority:** Immediately apply patches for all CVEs listed in the KEV catalog, especially for vulnerable NAKIVO and SAP systems.
- **Edimax Camera Mitigation:** Since no patch is available for CVE-2025-1316, users are advised to isolate or decommission affected Edimax devices.
- **NAKIVO Remediation:** Apply the latest patch (version 11.0.0.88174 or later), review access logs, and strengthen authentication controls.
- **CI/CD Security:**
  - **Rotate all affected credentials/secrets** (PATs, AWS keys, tokens) immediately, as they may have been exfiltrated.
  - Pin GitHub Actions to specific **commit hashes** instead of using branch/tag references.
  - Restrict workflows to an allow-list of approved actions.
  - Harden workflow logging so that secrets are never written to run output.
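The two pinning and allow-listing recommendations above are mechanical checks that can be enforced on every workflow file before it merges. The audit script below is an added example for this summary, not tooling from GitHub or from the affected projects; the workflow file is constructed, the 40-hex reference on the `setup-node` line is a placeholder rather than a real commit of that action, and the allow-list (only the `actions` owner) is an assumed policy for the example. It treats a reference as pinned only when the part after `@` is a full commit SHA, since a tag such as `@v1` or `@v45` can be moved to point at different code, which is what made the compromise described above effective.

```python
import re
from dataclasses import dataclass

# Constructed workflow file (not from any real repository). The 40-hex ref on the
# setup-node line is a placeholder, not a real commit of that action.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-lint
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - run: npm test
"""

# Owners whose actions this hypothetical policy permits (assumption for the example).
ALLOWED_OWNERS = {"actions"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\s\"'#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")


@dataclass
class ActionRef:
    line_no: int
    action: str    # owner/repo or owner/repo/path
    ref: str       # tag, branch or commit SHA after '@'
    pinned: bool   # True only when ref is a full 40-hex commit SHA
    allowed: bool  # owner is on the allow-list


def audit_workflow(text: str, allowed_owners=ALLOWED_OWNERS) -> list[ActionRef]:
    """Return every remote action reference in a workflow, classified by pin state and owner."""
    refs = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local (./path) and docker:// references are out of scope for SHA pinning.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        owner = action.split("/", 1)[0]
        refs.append(ActionRef(
            line_no=line_no,
            action=action,
            ref=ref,
            pinned=SHA_RE.fullmatch(ref) is not None,
            allowed=owner in allowed_owners,
        ))
    return refs


def violations(refs: list[ActionRef]) -> list[str]:
    """Human-readable policy failures: unpinned refs and owners outside the allow-list."""
    out = []
    for r in refs:
        if not r.pinned:
            out.append(f"line {r.line_no}: {r.action}@{r.ref} is not pinned to a commit SHA")
        if not r.allowed:
            out.append(f"line {r.line_no}: {r.action} is not on the action allow-list")
    return out


if __name__ == "__main__":
    for v in violations(audit_workflow(SAMPLE_WORKFLOW)):
        print(v)
```

Run it as a required CI check or pre-commit hook so that a `uses:` line with a mutable tag, or an action from an owner outside the allow-list, fails the build. Keep the human-readable version in a trailing comment after the SHA (as on the `setup-node` line) so reviewers can still tell which release is pinned.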
## Conclusion
The threat landscape remains volatile, driven by active exploitation of known vulnerabilities, the deployment of sophisticated custom tooling by RaaS groups, and critical security failures in the CI/CD supply chain. Organizations must enforce aggressive patch management for KEVs, scrutinize third-party software usage (especially in development pipelines), and implement immediate credential rotation following any suspected supply chain breaches.