The Daily Decrypt
The Daily Decrypt
CronUp GitHub Extortions, DuckDuckGo AI Privacy, Muhstik Apache CVE-2023-33246

In today’s episode, we discuss the recent Gitloker attacks affecting GitHub repositories, extorting users by wiping repos and demanding communication via Telegram. We also cover DuckDuckGo’s new AI Chat service offering anonymous access to chatbots like OpenAI’s GPT-3.5 Turbo and Meta’s Llama 3, and how the Muhstik botnet is exploiting a critical Apache RocketMQ flaw to enhance its DDoS capabilities. Check out the full stories here:,, and to Jered Jones for providing the music for this episode. Logo Design by


GitHub, extortions, Telegram, CronUp, cybersecurity, version control, hacking, ransomware, threat detection, security research, Germán Fernández, DuckDuckGo, AI Chat, privacy, OpenAI, Anthropic, Meta, Mistral, anonymous chat, Muhstik, botnet, Apache RocketMQ, CVE-2023-33246, vulnerability, DDoS, cryptocurrency mining, server security

Search Phrases:

  1. Protect GitHub repositories from extortion attacks
  2. Telegram used in GitHub ransomware extortion
  3. CronUp reveals new GitHub security threat
  4. DuckDuckGo AI Chat service privacy concerns
  5. Muhstik botnet attacking Apache RocketMQ servers
  6. CVE-2023-33246 vulnerability in Apache RocketMQ
  7. Preventing cryptocurrency mining botnet attacks
  8. Cybersecurity for version control systems
  9. Anonymous AI chat services with privacy
  10. Protecting servers from DDoS and botnet attacks

New Gitloker attacks wipe GitHub repos in extortion scheme —`- GitHub Repositories Under Attack: Attackers are targeting and wiping GitHub repositories, then demanding victims contact them via Telegram. (Source: Sergiu Gatlan, June 6, 2024)

  • Campaign Origin: Germán Fernández, a security researcher at CronUp, first spotted the ongoing campaign. Attackers use stolen credentials to compromise GitHub accounts and pose as cyber incident analysts.
  • Modus Operandi: Attackers claim to steal data and create a backup. They rename repositories and add a README file instructing victims to reach out on Telegram for data recovery.
  • GitHub Response: GitHub advises users to change passwords and enable two-factor authentication to secure their accounts. They recommend additional measures like passkeys for secure, passwordless logins, and reviewing account security logs for suspicious activity.
  • Preventative Measures:
    • Enable two-factor authentication.
    • Add a passkey for secure, passwordless login.
    • Review and revoke unauthorized access to SSH keys, deploy keys, and authorized integrations.
    • Verify all email addresses associated with your account.
    • Regularly review recent commits and collaborators for each repository.
    • Manage webhooks on your repositories.
    • Check for and revoke any new deploy keys.
  • History of Attacks: This isn’t the first time GitHub accounts have been compromised. In March 2020, hackers stole over 500GB of files from Microsoft’s private repositories. In September 2020, a phishing campaign targeted GitHub users with fake CircleCI notifications to steal credentials and 2FA codes.
  • Engagement Opportunity: Are you using all the recommended security measures for your GitHub account? Check your settings today and share your experience with us!
  • Call to Action: Stay vigilant and regularly update your security practices. If you experience any suspicious activity, report it immediately to GitHub support.

DuckDuckGo offers “anonymous” access to AI chatbots through new service —`Sure thing! Here’s your flash briefing in bullet points:

  • DuckDuckGo Launches AI Chat Service: DuckDuckGo introduces a new “AI Chat” service, allowing users to converse with mid-range large language models (LLMs) from OpenAI, Anthropic, Meta, and Mistral. This service aims to preserve user privacy and anonymity while offering AI chatbot interactions.
  • Privacy Measures in Place: DuckDuckGo ensures chats are anonymized by removing metadata and IP addresses. The company has agreements with model providers to delete any saved chats within 30 days and not use them for AI model training.
  • Access and Usage: Users can access the AI Chat service for free within daily limits through the DuckDuckGo search engine, direct site links, or using “!ai” and “!chat” shortcuts. The AI Chat feature can be disabled in settings for users with accounts.
  • Models Available: The service features OpenAI’s GPT-3.5 Turbo, Anthropic’s Claude 3 Haiku, Meta’s Llama 3, and Mistral’s Mixtral 8x7B. While these models are capable, they are known to produce inaccurate information, known as “confabulations.”
  • Utility and Limitations: Despite privacy protections, the utility of the service is questionable due to the tendency of available models to produce errors. More advanced models like GPT-4 are not included, potentially limiting the service’s usefulness.
  • Future Plans: DuckDuckGo hints at future paid plans that may include higher usage limits and access to more advanced AI models.
  • Caution Advised: Users should verify the information produced by these AI chatbots, as they can generate text with limited and sometimes outdated information. DuckDuckGo advises against relying on AI Chat outputs for professional advice without additional verification.

Muhstik Malware Targets Message Queuing Services Applications —`Flash Briefing: Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks

  • Muhstik Botnet Overview:
    • Muhstik targets IoT devices and Linux-based servers.
    • Known for DDoS attacks and cryptocurrency mining. [Source: Aqua Security]
  • Apache RocketMQ Vulnerability:
    • CVE-2023-33246, a critical flaw with a CVSS score of 9.8.
    • Allows remote code execution via RocketMQ protocol content or update configuration function. [Source: Aqua Security]
  • Exploitation Process:
    • Attackers gain initial access by exploiting the vulnerability.
    • They execute a shell script from a remote IP, retrieving the Muhstik binary (“pty3”). [Source: Nitzan Yaakov, Security Researcher]
  • Persistence Mechanisms:
    • Malware binary copied to multiple directories.
    • /etc/inittab file edited to restart processes during Linux server boot.
    • Binary named “pty3” to masquerade as pseudoterminal and evade detection.
    • Malware executed from memory (directories like /dev/shm, /var/tmp) to avoid leaving traces. [Source: Nitzan Yaakov]
  • Capabilities and Objectives:
    • Collects system metadata.
    • Moves laterally over SSH.
    • Establishes C2 communication via IRC for further instructions.
    • Conducts flooding attacks to create denial-of-service conditions.
    • Cryptomining detected as a secondary objective. [Sources: Aqua Security, Nitzan Yaakov]
  • Current Exposure and Mitigation:
    • 5,216 instances of Apache RocketMQ still vulnerable.
    • Organizations should update to the latest version to mitigate threats. [Source: Aqua Security]
  • Broader Security Advice:
    • AhnLab Security Intelligence Center (ASEC) highlights poorly secured MS-SQL servers also targeted.
    • Use strong, periodically changed passwords.
    • Apply latest patches to prevent brute-force and vulnerability attacks. [Source: ASEC]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.