SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Monday March 17th: Mirai Makes Mistakes; Compromised Github Action; ruby-saml vulnerability; Fake GitHub Security Alert Phishing

Mar 17, 2025
The podcast dives into the latest antics of the Mirai botnet, which hilariously misconfigured a router exploit. A compromised GitHub action raises alarms, leaking sensitive credentials. The discussion also highlights a ruby-saml authentication bypass caused by a parsing blunder. Additionally, it warns developers about fake GitHub security alerts designed to trick them into granting malicious apps OAuth privileges. Cybersecurity never sounded so intriguing!
AI Snips
ANECDOTE

Mirai Botnet's Flawed Exploit

  • A Mirai botnet variant is exploiting DrayTek Vigor router vulnerabilities.
  • However, the exploit URL is malformed, so the attempts are ineffective.
ADVICE

Compromised GitHub Action

  • The GitHub action "tj-actions/changed-files" is compromised and leaks secrets.
  • Remove this action from your workflow and check logs for leaked secrets.
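A quick way to act on that advice is to scan every workflow file for `uses:` references and flag both the compromised action and any action pinned to a mutable tag or branch rather than a full commit SHA. The script below is an added example written for this page, not code from the podcast or from GitHub; the workflow text, the step names and the 40-character SHA in it are constructed placeholders, and the flagged-action set contains only the action the episode names.

```python
import re
from typing import List, NamedTuple, Set

# Constructed sample workflow (not from any real repository). The SHA on the
# last step is a made-up 40-hex placeholder, present only to show SHA pinning.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: List changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
"""

# Actions the episode reports as compromised; extend from your own advisories.
FLAGGED_ACTIONS: Set[str] = {"tj-actions/changed-files"}

# Matches "uses: owner/repo[/subpath]@ref" (optionally as a "- uses:" list
# item). Quoted values and docker:// references are intentionally not handled.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class ActionRef(NamedTuple):
    line: int            # 1-based line number inside the workflow file
    action: str          # owner/repo[/subpath]
    ref: str             # whatever follows the "@"
    pinned_to_sha: bool  # True only for a full 40-hex commit SHA
    flagged: bool        # True if the action is in the compromised set


def find_action_refs(workflow_text: str,
                     flagged: Set[str] = FLAGGED_ACTIONS) -> List[ActionRef]:
    """Return every third-party action reference found in a workflow."""
    refs = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.group(1), match.group(2)
        refs.append(ActionRef(number, action, ref,
                              bool(SHA_RE.match(ref)), action in flagged))
    return refs


def report(refs: List[ActionRef]) -> List[str]:
    """Produce one finding per compromised or unpinned action reference."""
    findings = []
    for r in refs:
        if r.flagged:
            findings.append(
                f"line {r.line}: {r.action}@{r.ref} is a known-compromised "
                "action; remove it and review run logs for leaked secrets")
        elif not r.pinned_to_sha:
            findings.append(
                f"line {r.line}: {r.action}@{r.ref} is pinned to a mutable "
                "tag or branch; pin to a full commit SHA")
    return findings


if __name__ == "__main__":
    for finding in report(find_action_refs(SAMPLE_WORKFLOW)):
        print(finding)
```

Run it over every file under `.github/workflows/` in each repository; a compromised action is reported even when its reference is a SHA, because the compromise was to the action's tags and a SHA pin only tells you which version you ran, not that the logs of those runs are clean.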
INSIGHT

Ruby SAML Vulnerability

  • Ruby SAML uses two different XML parsers, REXML and Nokogiri, which can parse the same document differently.
  • This parser differential can lead to authentication bypasses, so update Ruby SAML.