Counterfeit CAPTCHA ClickFix Lures; Windows Shortcuts Exploited Since 2017; GitHub Actions Compromise May Be Cascading Supply Chain Attack

Researchers from HP Wolf Security have observed increasing use of counterfeit CAPTCHA checks to lead users into "ClickFix" phishing attacks. These rely on "the user's own complacency" in completing the test to trick them into pasting and executing a PowerShell script in the Windows "Run" prompt that downloads and installs a malware payload, often from a legitimate cloud hosting service with a reputable IP address, thereby circumventing security alerts. Microsoft recently published a report observing a faked CAPTCHA overlaid on a site mimicking Booking.com to deliver the same type of attack. Sekoia Threat Detection & Research (TDR) has observed the spread of ClearFake malware using faked Google reCAPTCHA and Cloudflare Turnstile verifications as lures. In early March 2025, Arctic Wolf warned that "widely used physical therapy video site HEP2go" had been compromised and was being used to target the healthcare sector with ClickFix using a counterfeit CAPTCHA. Suggested mitigations and preventions of this technique are thorough awareness training on signs of phishing, and administrative limits on the clipboard and the "Run" command if needed.

A vulnerability allowing hidden command line arguments to be executed from Windows Shortcut files (.LNK) has been exploited for at least eight years by state-sponsored hacking groups associated with North Korea, Iran, Russia, and China to deploy a variety of malware payloads, according to a report from Trend MicroÕs Zero Day Initiative (ZDI). Targets of the attacks include "governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies" primarily in the United States, as well as in Canada, Russia, South Korea, Vietnam, and Brazil, and ZDI's analysis suggests nearly 70% of the campaigns focus on information theft and espionage. The vulnerability, tracked as ZDI-CAN-25373, allows an attacker to use whitespace characters to prevent command line arguments in the .LNK file's target from displaying in the Properties UI, often also employing a disguised file extension and icon. Microsoft may address the flaw in a future feature release, but do not consider the UI manipulation to be a security issue requiring a patch. ZDI discovered nearly 1,000 samples of malicious .LNK files; they posit 'it is probable that the total number of exploitation attempts are much higher,' and recommend organizations be wary of suspicious files and scan for indicators of compromise (IOCs).

Analysis by Wiz Research has revealed a second compromise that researchers believe may be part of a "cascading supply chain attack" leading to the compromise of the tj-actions/changed-files GitHub action that caused CI/CD secrets to be dumped into workflow logs of up to 23,000 repositories. Researchers posit that attackers first compromised the v1 tag of the "reviewdog/action-setup" action on March 11, 2025, which may have allowed them to steal the GitHub Personal Access Token (PAT) to access tj-actions on or before March 14: "tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action with a Personal Access Token." Wiz states "immediate response is necessary to mitigate the risk of credential theft and CI pipeline compromise," recommending that organizations query for references to affected actions in their repositories, rotate secrets, remove and/or replace all references to the actions, and download and delete workflow logs as needed. To prevent future risk, Wiz recommends "pin[ning] all GitHub Actions to specific commit hashes," auditing logs for suspicious activity, and blocking unauthorized actions using GitHub's allow-listing feature. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw in tj-actions, CVE-2025-30066, CVSS score 8.6, to the Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must update to tj-actions/changed-files 46.0.1 by April 4, 2025.

IBM released fixes for two critical vulnerabilities in their Advanced Interactive eXecutive (AIX) operating system. Both are arbitrary command execution issues due to improper process controls. The flaws affect AIX versions 7.2 and 7.3. One of the flaws, CVE-2024-56346, affects AIX's Network Installation Management (NIM) master service. The second, CVE-2024-56347, affects IBM AIX nimsh service SSL/TLS protection mechanisms. IBM has also released fixes to address multiple vulnerabilities in IBM License Metric Tool v9.

Veeam has released a patch to address a critical remote code execution vulnerability in their Backup & Replication product versions 12, 12.1, 12.2, and 12.3. The flaw is due to deserialization of untrusted data. Users are urged to update to Veeam Backup & Replication 12.3.1 (build 12.3.1.1139). The vulnerability was reported by researchers from watchTowr, which has criticized Veeam for using a blacklist rather than a whitelist to address deserialization issues.

Cybersecurity researchers from Proactive Defense Against Future Threats (PRODAFT) have published a report disclosing two critical input sanitization vulnerabilities in widely-used Supervisory Control and Data Acquisition (SCADA) software mySCADA myPRO impacting myPRO Manager before version 1.3 and myPRO Runtime before version 9.2.1. Both flaws carry CVSS score 9.3, and allow an attacker to execute arbitrary commands on the affected system because of improper neutralization of POST requests sent to a specific port: CVE-2025-20014 exploits this using a version parameter, and CVE-2025-20061 with an email parameter. PRODAFT emphasizes the consequences of security risks in SCADA systems, urging better protection. The report recommends organizations mitigate risk by patching promptly; segmenting networks; strengthening authentication and enforcing MFA; improving monitoring; and developing and testing response plans.

Guardz Research has published a blog post detailing a Business Email Compromise (BEC) phishing campaign "leveraging legitimate Microsoft domains and tenant misconfigurations" to conduct account takeover (ATO) attacks, bypassing email security measures. Attackers appear to control a set of tenants within the Microsoft 365 infrastructure, each handling a different function in the phishing scheme, such as creating fraudulent transactions and records, impersonating the Microsoft brand, and setting up email forwarding using new administrative accounts. Attackers generate authentic signed billing emails and forward them through legitimate infrastructure, abusing display features to include lure text mimicking an unauthorized charge notification with a callback number, thereby bypassing email security measures such as SPF, DKIM, and DMARC and coercing the target toward a voice channel. Guardz suggests how to protect against this type of uniquely-disguised attack: implement email analysis that inspects all fields and metadata and checks for suspicious return-path headers; train users to recognize phishing; only use known valid support phone numbers; and be wary of newly created tenants, especially with ".onmicrosoft<.>com" domains.

The UK's National Cyber Security Centre (NCSC) says organizations need to migrate to post-quantum cryptography (PQC) within the next decade. NCSC has identified three interim milestones: By 2028, organizations should have defined PQC migration goals, identified systems that will need to be upgraded, and built an initial plan; by 2031, high-priority PQC migrations should be complete, and the initial plan refined; and by 2035, PQC migration should be complete. NCSC writes, 'Although the core timelines are relevant to all organisations, this guidance is primarily aimed at technical decision-makers and risk owners of large organisations, operators of critical national infrastructure systems including industrial control systems, and companies that have bespoke IT.Ó'NCSCÕs guidance also notes, 'like any major IT or OT upgrade, the total financial cost of PQC migration could be significant, so it's essential that organisations budget accordingly, including for preparatory activities as well as the actual migration.'

The Pennsylvania State Education Association (PSEA), a labor union representing about 178,000 current, future, and retired educators, education support staff, and healthcare employees, has published a notice of a data breach that took place "on or about July 6, 2024" and was investigated and reviewed through February 18, 2025. A breach notification filed with the office of the Maine Attorney General lists the total number of persons affected as 517,487. The data accessed vary by individual, but "may include an individual's full name in combination with one or more of the following elements: Date of Birth, Driver's License or State ID, Social Security Number, Account Number, Account PIN, Security Code, Password and Routing Number, Payment Card Number, Payment Card PIN and Payment Card Expiration Date, Passport Number, Taxpayer ID Number, Username and Password, Health Insurance Information and Medical Information." PSEA notified law enforcement and worked with external cybersecurity professionals in the wake of the breach. The notice does not explicitly specify the nature of the attack, but states "We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted."