A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects. That wasn’t the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad
# Incident Report: Multiple Cybersecurity Incidents - Q4 2024
## Executive Summary
This report summarizes several concurrent, severe cybersecurity threats observed recently, including a major supply chain breach targeting Coinbase via a malicious GitHub Action, the emergence of the multifaceted StilachiRAT, widespread ad fraud from compromised Android apps, and advanced ransomware tactics utilizing vulnerable drivers. These events highlight the expanding threat surface across software supply chains, mobile platforms, and core infrastructure security defenses.
## Incident Details
- **Discovery Date:** Primarily Q4 2024 (Specific dates vary by report, e.g., StilachiRAT detected in November 2024).
- **Incident Date:** Spanning Q4 2024, with the GitHub Action incident starting as a targeted attack evolving into a widespread event.
- **Affected Organization:** Coinbase (initial target of supply chain attack); hundreds of organizations potentially affected by leaked CI/CD secrets; 331 Android apps involved in ad fraud.
- **Sector:** Cryptocurrency/Financial Technology, Software Development, Mobile Ecosystems.
- **Geography:** Global (Supply chain and malware prevalence).
## Timeline of Events
### Initial Access (Supply Chain Incident - Coinbase Focus)
- **Date/Time:** Not explicitly specified, but the campaign began as a highly targeted attack against Coinbase's open-source projects.
- **Vector:** Supply chain compromise via the GitHub Action **"tj-actions/changed-files"**.
- **Details:** Attackers pushed a malicious version of the action, likely after a direct poisoning attempt against the Coinbase target failed; every workflow that subsequently ran the compromised action leaked its CI/CD secrets, across many repositories.
### Lateral Movement (StilachiRAT and Medusa Ransomware)
- **StilachiRAT:** Implemented reconnaissance and persistent activity after infection, aiming to gather data and maintain access undetected.
- **Medusa Ransomware:** Utilized the **BYOVD** technique (via the **ABYSSWORKER** driver) to terminate anti-malware products, effectively disabling security controls to facilitate further compromise or encryption.
### Data Exfiltration/Impact
- **Supply Chain:** Leakage of CI/CD secrets, highly likely motivated by cryptocurrency theft.
- **StilachiRAT:** Capability to steal files, cryptocurrency, and credentials.
- **Vapor Ad Fraud:** Displaying out-of-context ads and attempting to steal credentials from online services via 331 Android apps.
- **Head Mare/Twelve:** Deployment of LockBit (Windows) and Babuk (Linux/ESXi) for ransom.
### Detection & Response
- **Supply Chain:** Palo Alto Networks Unit 42 reported on the evolution of the attack.
- **Vapor Apps:** Google removed the 331 malicious applications from the Google Play Store.
- **Medusa:** The use of the ABYSSWORKER driver signed with potentially stolen/revoked certificates was observed.
## Attack Methodology
| Category | Method/Technique Observed |
| :--- | :--- |
| **Initial Access** | Malicious open-source workflow injection (Supply Chain), Unclear vectors for StilachiRAT, Likely initial intrusion for Operation FishMedley (ShadowPad, Spyder deployment). |
| **Persistence** | StilachiRAT has built-in persistence mechanisms; Supply chain compromise achieves persistence by infecting widely used tools. |
| **Privilege Escalation** | Not explicitly detailed, but common in RAT and ransomware deployment. |
| **Defense Evasion** | StilachiRAT exhibits evasion by delaying external connections; Medusa utilizes the **ABYSSWORKER** driver signed with trusted (though likely illicitly obtained) certificates to bypass EDR. |
| **Credential Access** | StilachiRAT includes credential theft functionality; Vapor apps attempted credential theft. |
| **Discovery** | StilachiRAT incorporates extensive system reconnaissance features. |
| **Lateral Movement** | Not explicitly detailed for all incidents, but implied in advanced operations (e.g., Aquatic Panda). |
| **Collection** | StilachiRAT designed for data gathering and crypto theft. |
| **Exfiltration** | Financially motivated data exfiltration suspected post-supply chain breach. |
| **Impact** | Ransomware deployment (LockBit/Babuk), Financial fraud (Ad fraud/Crypto theft attempts), Espionage (Aquatic Panda). |
## Impact Assessment
- **Financial:** High potential for cryptocurrency theft (Supply Chain target), revenue loss/fines from ad fraud scale (60 million downloads), ransom demands (Head Mare/Twelve).
- **Data Breach:** CI/CD secrets leaked (Supply Chain); credentials stolen (Vapor apps); general data collection (StilachiRAT).
- **Operational:** Potential for full system shutdown/encryption via Medusa ransomware; operational disruption related to cleaning up compromised environments exposed by the supply chain breach.
- **Reputational:** Significant damage to trust in open-source supply chain integrity, especially concerning critical tools like GitHub Actions.
## Indicators of Compromise (Defanged)
*Due to the diverse nature of the included threats, specific IOCs are not listed here, but would generally include:*
- **Network Indicators:** C2 addresses associated with StilachiRAT's delayed beaconing structure.
- **File Indicators:** Hashes for StilachiRAT executable, ABYSSWORKER driver file.
- **Behavioral Indicators:** Unexplained terminations of security services, unexpected CI/CD workflow execution logs referencing the compromised action.
## Response Actions
Actions mentioned or implied across the various incidents:
- **Containment:** Google removed the 331 malicious apps from the Play Store.
- **Eradication:** Organizations must audit and invalidate secrets/credentials exposed via the compromised "tj-actions/changed-files" workflow.
- **Recovery:** Restoring systems encrypted by LockBit/Babuk; cleaning systems of StilachiRAT infections.
## Lessons Learned
- **Supply Chain Trust is Fragile:** Reliance on widely used open-source tools introduces systemic single points of failure susceptible to targeted manipulation.
- **Defense Evasion is Evolving:** Threat actors are leveraging signed drivers (BYOVD) and trusted platforms (Microsoft Trusted Signing) to circumvent modern EDR and AV solutions.
- **Consolidated Malware:** The trend of all-in-one malware like StilachiRAT increases the difficulty of detection by combining multiple distinct capabilities (RAT, stealer, persistence).
- **The Mobile Vector is Rich:** Large-scale, simple ad fraud campaigns can still infect millions of users via seemingly trusted app stores.
## Recommendations
- **Supply Chain Hardening:** Implement robust vetting and pinning mechanisms for all third-party dependencies, especially CI/CD workflows and actions. Regularly review access tokens and secrets deployed via automated pipelines.
- **Defense Integrity:** Focus defense strategies on monitoring for kernel/driver anomalies (BYOVD defenses) and proactively hunting for behavior indicative of low-and-slow malware like StilachiRAT (e.g., delayed network communication).
- **Endpoint Audit:** Conduct frequent audits of Active Directory and endpoint configurations, paying close attention to security tool health, as attackers actively disable EDR/AV.
- **Mobile Security:** Apply stricter checks to apps installed from unofficial sources, and review the permissions and behaviors of apps that interact with system credential storage.
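As an added example (not code from the report or from any project it names), the following Python script audits GitHub Actions workflow files for the two things the supply chain recommendations call for: every `uses:` reference that is not pinned to a full commit SHA, and any reference to the action the report names as compromised. The sample workflow and the 40-hex-digit SHA in it are constructed placeholders.

```python
import re
from typing import List, NamedTuple

# `uses:` step reference in a GitHub Actions workflow: owner/repo[/sub/path]@ref
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # an immutable commit pin

# Actions to flag on sight; the report names tj-actions/changed-files as compromised.
WATCHLIST = {"tj-actions/changed-files"}

class Finding(NamedTuple):
    line_no: int
    action: str
    ref: str
    issue: str

def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per risky `uses:` reference in a workflow file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # local (./path) and docker:// steps have no owner/repo@ref form
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2])  # drop any sub-path inside the repo
        if repo in WATCHLIST:
            findings.append(Finding(line_no, action, ref,
                                    "references an action named as compromised; remove it and rotate secrets"))
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(line_no, action, ref,
                                    "mutable ref (tag or branch); pin to a full commit SHA"))
    return findings

# Constructed sample workflow; the SHA on the setup-node line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: Detect changed files
        uses: tj-actions/changed-files@main
      - run: echo done
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref}: {f.issue}")
```

Pinning to a commit SHA stops a moved or re-pointed tag from pulling in new code, but the pinned commit itself still has to be reviewed when it is first adopted and whenever it is bumped.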