Brief #124: Red Hat GitLab Breach, WhatsApp Malware, $250K SOC Salary

Nikoloz Kokhreidze


10 min read

Cloud account compromises jumped from 16% to 46% in five years. North Korean IT workers now use stolen developer identities to infiltrate western companies. Financial damage over $200K doubled as hybrid environments reach 77% adoption.


Happy Sunday!

In this week's brief:

  • Red Hat confirms a security incident following claims that hackers breached their GitLab repositories, though details about the scope remain limited
  • AI code generation creates more problems than it solves, with research showing that vulnerabilities increase by 37.6% after just five iterations of AI-driven "improvements"
  • Senior cybersecurity professionals are hitting walls in today's job market, with experienced candidates submitting hundreds of applications and getting nowhere

A quick note before we dive in.

Industry News

Red Hat Confirms Security Incident After Hackers Claim GitLab Breach

  • Red Hat acknowledged a security incident following claims by threat actors that they breached the company's systems and accessed sensitive data from their GitLab repositories.

  • The incident appears to involve unauthorized access to Red Hat's development infrastructure, though the company has not disclosed specific details about the scope or nature of the breach.

  • Red Hat is currently investigating the incident and working to determine what data may have been compromised, while implementing additional security measures to prevent further unauthorized access.

North Korea's Fake Recruiters Feed Stolen Data to IT Workers

  • DeceptiveDevelopment campaign targets cryptocurrency and DeFi developers through fake job offers on LinkedIn and Upwork, deploying malware including BeaverTail, InvisibleFerret, and Tropidoor to steal credentials and infect systems.

  • Stolen developer identities are supplied to North Korean fraudulent IT workers tracked as WageMole, who use this information along with proxy interviewing and AI-generated synthetic identities to obtain remote work at western companies.

  • The operation extends beyond programming roles into civil engineering and architecture, with North Korean workers impersonating legitimate companies and producing falsified engineering drawings with fake approval stamps.

SORVEPOTEL Malware Spreads Through WhatsApp Targeting Brazilian Users

  • The malware spreads via phishing messages containing malicious ZIP files that appear to come from trusted contacts, specifically targeting desktop users with Portuguese messages instructing them to download and open attachments on their PCs.

  • Once executed, SORVEPOTEL establishes persistence by copying itself to the Windows Startup folder and hijacks active WhatsApp Web sessions to automatically send the same malicious ZIP file to all contacts and groups in the victim's account.

  • The campaign is built for automated propagation rather than data theft. It has primarily impacted Brazil (457 of 477 detected cases), hitting government and public service organizations hardest but also reaching the manufacturing, technology, education, and construction sectors.
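The persistence step above, a process dropping a copy of itself into a Windows Startup folder, is a behaviour that host telemetry catches well. The following Python sketch is an added example for this brief, not code from the original research or from the malware analysis: it runs a simple detection over Sysmon FileCreate (Event ID 11) records and flags runnable files created under the per-user or all-users Startup folder, rating a self-copy (the writing process and the dropped file share a name) or a writer running from Downloads or Temp as high. The flattened `key="value"` log format, hostnames, paths and file names are constructed for illustration and are not indicators from the campaign.

```python
"""Flag runnable files dropped into Windows Startup folders (Sysmon Event ID 11).

Added example for this brief; the log format and samples below are constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Startup folders that Windows executes at user logon: per-user and all-users.
STARTUP_PATTERNS = [
    re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.+$", re.IGNORECASE),
    re.compile(r"^[A-Z]:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\.+$", re.IGNORECASE),
]

# Writer running from a user-writable drop location (archive extraction, browser download).
USER_WRITABLE_IMAGE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE)

# Extensions that execute at logon when placed in Startup (.lnk runs its target).
RUNNABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".vbe",
                       ".js", ".jse", ".wsf", ".hta", ".ps1", ".lnk"}

# Writers that routinely create Startup shortcuts; still reported, at low severity.
INSTALLER_IMAGES = {"msiexec.exe", "explorer.exe"}

REASON_SELF_COPY = "process copied its own image into Startup"
REASON_USER_WRITABLE = "writer runs from a user-writable drop location"
REASON_INSTALLER = "installer/shell created a Startup item (review)"
REASON_OTHER = "runnable file created in Startup by non-installer process"

KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Alert:
    computer: str
    image: str
    target: str
    severity: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one flattened key="value" record (constructed format for this example)."""
    return dict(KV_RE.findall(line))


def in_startup_folder(path: str) -> bool:
    return any(p.match(path) for p in STARTUP_PATTERNS)


def check_event(line: str) -> Optional[Alert]:
    """Return an Alert for a runnable file created in a Startup folder, else None."""
    ev = parse_event(line)
    if ev.get("EventID") != "11":  # Sysmon FileCreate only
        return None
    target = ev.get("TargetFilename", "")
    if not in_startup_folder(target):
        return None
    # ntpath gives Windows semantics for basename/extension even when run on Linux.
    if ntpath.splitext(target)[1].lower() not in RUNNABLE_EXTENSIONS:
        return None
    image = ev.get("Image", "")
    computer = ev.get("Computer", "?")
    image_name = ntpath.basename(image).lower()
    if image_name == ntpath.basename(target).lower():
        return Alert(computer, image, target, "high", REASON_SELF_COPY)
    if USER_WRITABLE_IMAGE.match(image):
        return Alert(computer, image, target, "high", REASON_USER_WRITABLE)
    if image_name in INSTALLER_IMAGES:
        return Alert(computer, image, target, "low", REASON_INSTALLER)
    return Alert(computer, image, target, "medium", REASON_OTHER)


def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (check_event(line) for line in lines) if a is not None]


# Constructed sample records; none of these names are real indicators.
SAMPLE_EVENTS = [
    # Extracted attachment copies itself into the user's Startup folder: the pattern described above.
    r'EventID="11" Computer="WS01" Image="C:\Users\ana\Downloads\anexo\anexo.exe" TargetFilename="C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anexo.exe"',
    # Installer dropping an all-users Startup shortcut: usually benign, still worth a look.
    r'EventID="11" Computer="WS01" Image="C:\Windows\System32\msiexec.exe" TargetFilename="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updater.lnk"',
    # Text file in Startup: not runnable, ignored.
    r'EventID="11" Computer="WS01" Image="C:\Windows\explorer.exe" TargetFilename="C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.txt"',
    # Executable written outside Startup: ignored here (other rules would cover Temp drops).
    r'EventID="11" Computer="WS02" Image="C:\Users\bob\Downloads\setup.exe" TargetFilename="C:\Users\bob\AppData\Local\Temp\helper.exe"',
    # Process-creation event, not a file create: ignored.
    r'EventID="1" Computer="WS02" Image="C:\Users\bob\Downloads\setup.exe" CommandLine="setup.exe /S"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.computer}: {a.image} -> {a.target} ({a.reason})")
```

On the constructed samples this yields one high alert (the self-copy) and one low alert (the installer shortcut). In production the installer allowlist and the "user-writable" heuristic are where tuning happens; the self-copy check is the part that maps most directly onto the behaviour described in this item.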
