Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Global Supply-Chain Attack. Show all posts
Group IB
Credential Theft Cyber Attacks Cyberbreaches Cybercrime Ecosystem Digital Supply Chain Risk Global Supply-Chain Attack Group IB

Group-IB Warns Supply Chain Attacks Are Becoming a Self-Reinforcing Cybercrime Ecosystem

 

Cybercrime outfits now reshape supply chain intrusions into sprawling, linked assaults - spinning out data leaks, stolen login details, and ransomware in relentless loops, says fresh research by Group-IB. With each trend report, the security group highlights how standalone hacks have evolved: today’s strikes follow blueprints meant to ripple through corporate systems, setting off chains of further break-ins. 

Instead of going after one company just to make money fast, hackers now aim at suppliers, support services, or common software tools - gaining trust-based entry to many users at once. Cases highlighted in recent reports - the Shai-Hulud NPM worm, the break-in at Salesloft, and the corrupted OpenClaw package - all show how problems upstream spread quickly across systems. Not limited to isolated targets, these attacks ripple outward when shared platforms get hit. 

Modern supply chain attacks unfold in linked phases, says Group-IB. One stage might begin with a tainted open-source component spreading malicious code while quietly collecting login details. Following that, attackers may launch phishing efforts - alongside misuse of OAuth tokens - to seize user identities, opening doors to cloud services and development pipelines. Breached data feeds these steps, supplying access keys, corporate connections, and situational awareness required to move sideways across systems. Later comes ransomware, sometimes followed by threats - built on insights gathered during earlier stages of breach. One step enables another, creating loops experts call self-sustaining networks of attack. 

Soon, Group-IB expects artificial intelligence to push this shift further. Because of AI-powered tools, scanning for flaws in vendor networks, software workflows, or browser add-on stores happens almost instantly. These systems let hackers find gaps faster - operating at speeds humans cannot match. 

Expectations point to declining reliance on classic malware, favoring tactics centered on stolen identities. Rather than using obvious harmful software, attackers now mimic authorized personnel, slipping into everyday operational processes. Moving quietly through standard behaviors allows them to stay hidden longer, gradually reaching linked environments. Because they handle sensitive operations like human resources, customer data, enterprise planning, or outsourced IT support, certain platforms draw strong interest from threat actors. 

When a compromise occurs at that level, it opens doors not just to one company but potentially hundreds connected through shared services - multiplying consequences far beyond the initial point of failure. Cases like Salesloft and the breach tied to Oracle in March 2025 show shifts in how data intrusions unfold. Rather than seeking quick payouts, hackers often collect OAuth credentials first. Missteps in third-party connections give them room to move inward. 

Once inside client systems, fresh opportunities open up. Data copying follows naturally. Trust-based communication chains become tools for disguise later. Infected updates spread quietly through established channels. Fraud grows without drawing early attention. Fault lines in digital confidence now shape modern cyber threats, according to Dmitry Volkov, who leads Group-IB. Rather than one-off breaches, what unfolds are ripple effects across systems. Because outside providers act like open doors, companies should treat them as part of their own risk landscape. 

Instead of reacting late, they build models for supply chain risks early. Automated scans track software links continuously. Insight into how information moves becomes essential - without it, gaps stay hidden until exploited. With breaches in supply chains turning into routine operations, protecting confidence among users, collaborations, and code links has shifted from being a backup measure to a core part of today’s security planning. 

What once seemed secondary now shapes the foundation. Trust must hold firm where systems connect - because failure at one point pulls down many. Security can no longer treat relationships as external risks; they are built-in conditions. When components rely on each other, weakness spreads fast. The report frames this shift clearly: resilience lives not just in tools but in verified connections. Not adding layers matters most - it is about strengthening what already ties everything together.
Read more »
IT Industry
Cyber Security Cybersecurity Precautions cybersecurity research cybersecurity risks cybersecurity vulnerabilities Global Supply-Chain Attack IT Industry

Global Supply Chains at Risk as Indian Third-Party Suppliers Face Rising Cybersecurity Breaches

 

Global supply chains face growing cybersecurity risks as research highlights vulnerabilities in Indian third-party suppliers. According to a recent report by risk management firm SecurityScorecard, more than half of surveyed suppliers in India experienced breaches last year, raising concerns about cascading effects on international businesses. The study examined security postures across multiple sectors, including manufacturing for aerospace and pharmaceuticals, as well as IT service providers. 

The findings suggest that security weaknesses among Indian suppliers are both more widespread and severe than analysts initially anticipated. These vulnerabilities could create a domino effect, exposing global companies that rely on Indian vendors to significant cyber threats. Despite the generally strong security posture of Indian IT service providers, they recorded the highest number of breaches in the study, underscoring their position as prime targets for attackers. 

SecurityScorecard noted that IT service providers worldwide face heightened cyber risks due to their central role in enabling third-party access, their expansive attack surfaces, and their value as high-profile targets. In India, IT companies were found to be particularly vulnerable to typosquatting domains, compromised credentials, and infected devices. The research further revealed that suppliers of outsourced IT operations and managed services were linked to 62.5% of all documented third-party breaches in the country—the highest proportion the company has ever recorded. 

Given India’s dominant role in the global IT services market, the implications are profound. Multinational corporations across industries rely heavily on Indian IT vendors, making them critical nodes in the international digital economy. “India is a cornerstone of the global digital economy,” said Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard. “Our findings highlight both strong performance and areas where resilience must improve. Supply chain security is now an operational requirement.” 

The report also emphasized the risks of “fourth-party” vulnerabilities, where the suppliers of Indian companies themselves create additional points of weakness. A single ransomware attack or disruptive incident against an Indian vendor, the researchers warned, could halt manufacturing, delay service delivery, or disrupt logistics across multiple countries. 

The risks are not limited to India. A separate SecurityScorecard study revealed that 96% of Europe’s largest financial institutions have been affected by a breach at a third-party supplier, while 97% reported breaches stemming from fourth-party partners, a sharp increase from 84% two years earlier. 

As global supply chains become increasingly interconnected, these findings highlight the urgent need for businesses to strengthen third-party risk management and enforce stricter cybersecurity practices across their vendor ecosystems. Without stronger safeguards, both direct and indirect supplier vulnerabilities could leave multinational enterprises exposed to significant financial and operational disruptions.
Read more »
Malware Attack
Adobe Commerce and Magento Backdoor Attacks Backdoors Cyber Attacks Extensions Global Supply-Chain Attack Magento Malicious Code Malware Attack

Magento Extension Supply Chain Attack Backdoors Hundreds of E-Commerce Sites

 

A coordinated supply chain attack has compromised between 500 and 1,000 Magento-based e-commerce websites through 21 backdoored extensions, according to new research from cybersecurity firm Sansec. The breach affected sites globally, including the one being operated by a multinational corporation valued at $40 billion.  

Sansec revealed that malicious code was injected into the extensions as far back as 2019. However, it remained inactive until April 2025, when attackers remotely activated the malware and seized control of vulnerable servers. “Multiple vendors were hacked in a coordinated supply chain attack,” Sansec reported. “Curiously, the malware was injected six years ago, but came to life this week.” 

The compromised extensions originate from well-known Magento vendors Tigren, Meetanshi, and MGS. Affected extensions include: Tigren: Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, MultiCOD Meetanshi: ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS MGS: Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, Blog.

Additionally, a version of the Weltpixel GoogleTagManager extension was found with similar code, though Sansec could not verify whether the source was the vendor or an already-infected site. The malware was embedded in files named License.php or LicenseApi.php — components that typically manage license validation for the extensions. The backdoor listens for HTTP requests containing special parameters like requestKey and dataSign. 

When matched against hardcoded keys, it grants attackers access to admin-level functionality, including the ability to upload files. These files can then be executed through PHP’s include_once() function, opening the door for data theft, credit card skimming, admin account creation, and complete server control. Earlier variants of the backdoor didn’t require any authentication. 

However, recent versions now rely on a static key for limited protection. Sansec confirmed that this method was used to deploy a web shell on at least one client’s server. When alerted, vendor responses varied. MGS did not respond. Tigren denied any security breach and reportedly continues to distribute the compromised code. Meetanshi acknowledged a server intrusion but denied their extensions were affected. 

BleepingComputer independently verified the presence of the backdoor in the MGS StoreLocator extension, which is still available for download. Sansec recommends that any site using the listed extensions immediately conduct full server scans and review indicators of compromise. 

Ideally, websites should be restored from a verified, clean backup. The security firm also highlighted the unusual delay between the malware’s insertion and its activation, suggesting the attack was carefully planned over a long timeline. An expanded investigation is ongoing.
Read more »
Zero-day vulnerability
Cyber Security Cyber Threats Cybersecurity Warning Global Supply-Chain Attack Lazarus hacking group MagicLine4NX Software Security Authentication State-sponsored Hackers Zero-day vulnerability

The Lazarus Hacking Group's Covert Strategy: Utilizing MagicLine4NX Software in a Global Supply-Chain Assault

 

In a joint effort, the National Cyber Security Centre (NCSC) and South Korea's National Intelligence Service (NIS) have issued a serious warning about the activities of the Lazarus hacking group, associated with North Korea. The group is exploiting a zero-day vulnerability found in the widely-used MagicLine4NX software, leading to a series of sophisticated supply-chain attacks affecting various entities globally.

The MagicLine4NX software, developed by Dream Security in South Korea, is a crucial joint certificate program for secure logins and digital transactions. Exploiting a vulnerability in this software, cyber actors gained unauthorized access to the intranets of targeted organizations, breaching security authentication systems in the process.

The joint advisory revealed, "Cyber actors utilized the software vulnerabilities to gain unauthorized access to the intranet of a target organization. They exploited the MagicLine4NX security authentication program for initial intrusion and a zero-day vulnerability in network-linked systems to move laterally, accessing sensitive information."

The intricate attack chain began with a watering hole attack, a tactic where hackers compromise websites frequented by specific users. In this case, state-sponsored hackers infiltrated a media outlet's website, embedding malicious scripts into an article. The attack specifically targeted visitors using certain IP ranges. When visitors employed the MagicLine4NX authentication software and accessed the compromised website, the embedded code executed, providing hackers with complete control over the system.

Subsequently, the attackers accessed an internet-side server from a network-connected PC, exploiting system vulnerabilities. They then spread the malicious code to a business-side server via a network-linked system's data synchronization function.

Despite security measures, the threat actors persisted in attempting to infiltrate business PCs with the aim of extracting sensitive information. The malware established a connection to two C2 servers—one serving as a gateway within the network-linked system and the other located externally on the internet. The report noted, "The malicious code attempted to move data from the internal server to the external server but was thwarted by the security policy. Had it succeeded, substantial internal network information might have been compromised."

The warning emphasized the severity of such attacks, citing previous supply chain intrusions by North Korea-linked APT groups. Notably, the Labyrinth Chollima APT targeted VoIP software maker 3CX, leading cybersecurity vendors to detect the popular software as malware. In a separate incident, Microsoft Threat Intelligence researchers exposed a supply chain attack by APT Diamond Sleet (ZINC), affecting over 100 devices across Japan, Taiwan, Canada, and the United States.

As cybersecurity agencies work to contain these threats, the increasing sophistication of these attacks underscores the urgent need for heightened vigilance and robust security measures against supply-chain vulnerabilities.
Read more »
Subscribe to: Comments (Atom)