Showing posts with label Supply-Chain Attack.

Massive NPM Supply-Chain Attack Reaches Millions, Nets Hackers Less Than $1,000


The largest supply-chain attack in NPM ecosystem history impacted approximately 10% of cloud environments after attackers compromised maintainer Josh Junon's account through a phishing campaign, yet generated minimal profits for the perpetrators. 

The attack began when Junon fell victim to a password reset phishing lure, allowing threat actors to access his NPM account and push malicious updates to highly popular packages including chalk and debug-js, which collectively receive over 2.6 billion weekly downloads. The attackers embedded cryptocurrency-stealing malware that redirected Ethereum and Solana transactions to attacker-controlled wallets.

The compromise's reach was staggering, with Wiz security researchers finding that the targeted packages served as fundamental building blocks in 99% of cloud environments. During the two-hour window before discovery and removal, the malicious packages were downloaded by roughly 10% of cloud environments, demonstrating the rapid propagation potential of supply-chain attacks. 

Despite the massive scale and widespread impact, the attackers' financial gains were surprisingly modest. Security Alliance analysis revealed the malicious code specifically targeted browser environments, hooking cryptocurrency signing requests to perform crypto-jacking operations. The attackers managed to steal only five cents worth of ETH and $20 of an obscure memecoin initially.

Socket researchers later expanded the investigation, discovering that the same phishing campaign had compromised DuckDB's maintainer account with identical crypto-stealing code. Their comprehensive analysis traced total profits across all attacker wallets to approximately $429 in Ethereum, $46 in Solana, and small amounts in Bitcoin, Tron, Bitcoin Cash, and Litecoin, totaling roughly $600.

The limited payload, targeting only cryptocurrency transactions, likely prevented a more catastrophic security incident. Given their privileged access, the attackers could have deployed reverse shells, facilitated lateral network movement, or installed destructive malware.
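Because the malicious releases were live for only a two-hour window, the practical question for a defender is whether a project's lockfile pins a version published inside that window. The script below is an added illustration, not code from the article or from any of the vendors it cites; the lockfile excerpt, registry timestamps, version numbers and window are all constructed sample data rather than the incident's real values.

```python
"""Flag packages in a package-lock.json (lockfileVersion 2/3) whose installed version
was published inside a known compromise window. Added illustration, not the article's
or any vendor's code; all sample data below is constructed, not the incident's values."""
import json
from datetime import datetime, timezone

# Constructed lockfile excerpt in the v3 layout: a "packages" map keyed by install path.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"chalk": "^5.0.0", "debug": "^4.0.0"}},
        "node_modules/chalk": {"version": "5.9.9"},
        "node_modules/debug": {"version": "4.9.9"},
        "node_modules/ms": {"version": "2.1.3"},
        "node_modules/debug/node_modules/ms": {"version": "2.0.0"},
    },
})
# Constructed stand-in for the registry's "time" map (https://registry.npmjs.org/<name>
# returns version -> ISO 8601 publish time under "time"); used offline here.
SAMPLE_PUBLISH_TIMES = {
    "chalk": {"5.9.9": "2025-09-08T13:05:00.000Z"},
    "debug": {"4.9.9": "2025-09-08T13:07:00.000Z"},
    "ms": {"2.0.0": "2016-05-21T20:11:43.000Z", "2.1.3": "2020-09-30T16:17:15.000Z"},
}
# Constructed two-hour window (UTC) during which the bad releases were live.
WINDOW_START = datetime(2025, 9, 8, 13, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 9, 8, 15, 0, tzinfo=timezone.utc)

def parse_npm_time(value: str) -> datetime:
    # npm timestamps end in "Z"; rewrite it so fromisoformat returns an aware datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_exposed(lock_json: str, publish_times: dict, start: datetime, end: datetime) -> list:
    """Return (path, name, version) for each installed package whose exact version
    was published within [start, end]; versions with no known timestamp are skipped."""
    hits = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # "" is the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[1]  # last segment: handles nesting and @scopes
        version = meta.get("version")
        published = publish_times.get(name, {}).get(version)
        if published and start <= parse_npm_time(published) <= end:
            hits.append((path, name, version))
    return hits

if __name__ == "__main__":
    for path, name, version in find_exposed(SAMPLE_LOCK, SAMPLE_PUBLISH_TIMES, WINDOW_START, WINDOW_END):
        print(f"EXPOSED {name}@{version} at {path}")
```

Against a real project, replace SAMPLE_LOCK with the contents of the checked-in package-lock.json and SAMPLE_PUBLISH_TIMES with the "time" field fetched from the registry for each package name.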

While companies invested significant hours in cleanup, rebuilding, and security auditing following the incident, the actual security implications remained minimal. The attacker wallets containing substantial amounts have been flagged by security services, further limiting the perpetrators' ability to convert or utilize their meager gains. 

This incident highlights both the vulnerability of open-source ecosystems to social engineering attacks and the potential for widespread impact even when financial motivation proves unsuccessful.

Hackers Breach Cyberhaven’s Chrome Extension in Supply-Chain Attack, Exfiltrating Sensitive Data

Hackers compromised Cyberhaven’s Chrome extension in a suspected supply-chain attack, publishing a malicious update capable of stealing customer passwords and session tokens. The attack raised serious concerns about the security of widely-used browser extensions. Cyberhaven, a data-loss prevention startup, confirmed the incident but withheld specific technical details about the breach.

According to an email sent to affected customers and later shared by security researcher Matt Johansen, the attack occurred during the early hours of December 25. Hackers reportedly gained access to a company account and used it to push a malicious update (version 24.10.4) to unsuspecting users. This update potentially allowed attackers to exfiltrate sensitive information, such as authenticated session tokens, cookies, and customer credentials.

The breach was detected later that day by Cyberhaven's internal security team, who immediately removed the compromised extension from the Chrome Web Store. A secure version (24.10.5) was released shortly afterward to mitigate the impact and restore user confidence. However, the rapid timeline of the attack highlights the challenges companies face in responding to supply-chain breaches.

Impact on Corporate Users

Cyberhaven’s products are widely used by over 400,000 corporate customers to monitor for data exfiltration and cyber threats. Affected organizations include a mix of prominent enterprises and technology leaders, such as:

  • Snowflake: Cloud data platform provider
  • Canon: Imaging and optical solutions company
  • Motorola: Telecommunications and consumer electronics firm
  • Reddit: Social media and online forum giant
  • AmeriHealth: Healthcare insurance provider
  • Cooley: International law firm
  • IVP: Investment management company
  • DBS: Leading banking group in Asia
  • Kirkland & Ellis: Prestigious global law firm
  • Upstart: AI-powered lending platform

Although Cyberhaven has refrained from disclosing the exact number of customers impacted, the company strongly advised all users to take immediate precautionary steps. These included revoking and rotating passwords, regenerating API tokens, and thoroughly reviewing system logs for any signs of malicious activity.

Security Weaknesses Exploited

The attack shed light on a critical security lapse. Cyberhaven disclosed that the compromised account was the sole administrator for the Google Chrome Store, granting attackers full control over extension updates. However, the exact method used to breach this account remains unclear. The incident has prompted the company to launch a comprehensive security review, with plans to implement stricter safeguards for its account management and extension distribution processes.

To aid in the investigation, Cyberhaven has engaged Mandiant, a leading incident response firm, and is collaborating with federal law enforcement agencies. Early findings suggest the breach was part of a broader campaign targeting multiple Chrome extension developers, affecting extensions with tens of thousands of users.

Insights from Experts

Jaime Blasco, CTO of Nudge Security, emphasized that the attack appeared opportunistic rather than targeted specifically at Cyberhaven. "It seems it wasn’t targeted against Cyberhaven, but rather opportunistically targeting extension developers. I think they went after the extensions that they could based on the developers’ credentials that they had," Blasco explained.

Cyberhaven echoed this assessment, pointing to public reports that suggest the attack extended across multiple organizations. While the full scope of the campaign and the identity of the perpetrators remain unclear, the incident underscores the importance of securing developer credentials and implementing rigorous monitoring processes for software supply chains.

As supply-chain attacks continue to evolve, this breach serves as a stark reminder for organizations to remain vigilant and proactive in securing their digital ecosystems.