Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label supply chain attacks. Show all posts
VoidLink Framework
Advanced Persistent Threats Cloud Infrastructure Threats Cloud Security Container Security Cyber Threat Intelligence malware supply chain attacks VoidLink Framework

VoidLink Malware Poses Growing Risk to Enterprise Linux Cloud Deployments


 

A new cybersecurity threat has emerged beneath the surface of the modern digital infrastructure as organizations continue to increase their reliance on cloud computing. Researchers warn that a subtle but dangerous shift is occurring beneath the surface. 

According to Check Point Research, a highly sophisticated malware framework known as VoidLink, is being developed by a group of cyber criminals specifically aimed at infiltrating and persisting within cloud environments based on Linux. 

As much as the industry still concentrates on Windows-centric threats, VoidLink's appearance underscores a strategic shift by advanced threat actors towards Linux-based systems that are essential to the runtime of cloud platforms, containerized workloads, and critical enterprise services, even at a time when many of the industry's defensive focus is still on Windows-centric threats. 

Instead of representing a simple piece of malicious code, VoidLink is a complex ecosystem designed to deliver long-term, covert control over compromised servers by establishing long-term, covert controls over the servers themselves, effectively transforming cloud infrastructure into an attack vector all its own. 

There is a strong indication that the architecture and operational depth of this malware suggests it was designed by well-resourced, professional adversaries rather than opportunistic criminals, posing a serious challenge for defenders who may not know that they are being silently commandeered and used for malicious purposes.

Check Point Research has published a detailed analysis of VoidLink to conclude that it is not just a single piece of malicious code; rather, it is a cloud-native, fully developed framework that is made up of customized loaders, implants, rootkits, and a variety of modular plugins that allows operators to extend, modify, and repurpose its functionality according to their evolving operational requirements. 

Based on its original identification in December 2025, the framework was designed with a strong emphasis on dependability and adaptability within cloud and containerized environments, reflecting the deliberate emphasis on persistence and adaptability within the framework. 

There were many similarities between VoidLink and Cobalt Strike's Beacon Object Files model, as the VoidLink architecture is built around a bespoke Plugin API that draws conceptual parallels to its Plugin API. There are more than 30 modules available at the same time, which can be shifted rapidly without redeploying the core implant as needed. 

As the primary implant has been programmed in Zig, it can detect major cloud platforms - including Amazon Web Services, Google Cloud, Microsoft Azure, Alibaba, and Tencent - and adjust its behavior when executed within Docker containers or Kubernetes pods, dynamically adjusting itself accordingly. 

Furthermore, the malware is capable of harvesting credentials linked to cloud services as well as extensively used source code management platforms like Git, showing an operational focus on software development environments, although the malware does not appear to be aware of the environment. 

A researcher has identified a framework that is actively maintained as the work of threat actors linked to China, which emphasizes a broader strategic shift away from Windows-centric attacks toward Linux-based attacks which form the basis for cloud infrastructures and critical digital operations, and which can result in a range of potential consequences, ranging from the theft of data to the compromise of large-scale supply chains. 

As described by its developers internally as VoidLink, the framework is built as a cloud-first implant that uses Zig, the Zig programming language to develop, and it is designed to be deployed across modern, distributed environments. 

Depending on whether or not a particular application is being executed on Docker containers or Kubernetes clusters, the application dynamically adjusts its behavior to comply with that environment by identifying major cloud platforms and determining whether it is running within them. 

Furthermore, the malware has been designed to steal credentials that are tied to cloud-based services and popular source code management systems, such as Git, in addition to environmental awareness. With this capability, software development environments seem to be a potential target for intelligence collection, or to be a place where future supply chain operations could be conducted.

Further distinguishing VoidLink from conventional Linux malware is its technical breadth, which incorporates rootkit-like techniques, loadable kernel modules, and eBPF, as well as an in-memory plugin system allowing for the addition of new functions without requiring people to reinstall the core implant, all of which is supported by LD_PRELOAD. 

In addition to adapting evasion behavior based on the presence of security tooling, the stealth mechanism also prioritizes operational concealment in closely monitored environments, which in turn alters its evasion behavior accordingly. 

Additionally, the framework provides a number of command-and-control mechanisms, such as HTTP and HTTPS, ICMP, and DNS tunneling, and enables the establishment of peer-to-peer or mesh-like communication among compromised hosts through the use of a variety of command-and-control mechanisms. There is some evidence that the most components are nearing full maturity.

A functional command-and-control server is being developed and an integrated web-based management interface is being developed that facilitates centralized control of the agents, implants, and plugins by operators. To date, no real-world infection has been confirmed. 

The final purpose of VoidLink remains unclear as well, but based on its sophistication, modularity, and apparent commercial-grade polish, it appears to be designed for wider operational deployment, either as a tailored offensive tool created for a particular client or as a productized offensive framework that is intended for broader operational deployment. 

Further, Check Point Research has noted that VoidLink is accompanied by a fully featured, web-based command-and-control dashboard that allows operators to do a centralized monitoring and analysis of compromised systems, including post-exploitation activities, to provide them with the highest level of protection. 

Its interface, which has been localized for Chinese-language users, allows operations across familiar phases, including reconnaissance, credential harvesting, persistence, lateral movement, and evidence destruction, confirming that the framework is designed to be used to engage in sustained, methodical campaigns rather than opportunistic ones.

In spite of the fact that there were no confirmed cases of real-world infections by January 2026, researchers have stated that the framework has reached an advanced state of maturity—including an integrated C2 server, a polished dashboard for managing operations, and an extensive plugin ecosystem, which indicates that its deployment could be imminent.

According to the design philosophy behind the malware, the goal is to gain long-term access to cloud environments and keep a close eye on cloud users. This marks a significant step up in the sophistication of Linux-focused malware. It was argued by the researchers in their analysis that VoidLink's modular plug-ins extend their reach beyond cloud workloads to the developer and administrator workstations which interact directly with these environments.

A compromised system is effectively transformed into a staging ground that is capable of facilitating further intrusions or potential supply chain compromises if it is not properly protected. Their conclusion was that this emergence of such an advanced framework underscores a broader shift in attackers' interest in Linux-based cloud and container platforms, away from traditional Windows-based targets. 

This has prompted organizations to step up their security efforts across the full spectrum of Linux, cloud, and containerized infrastructures, as attacks become increasingly advanced. Despite the fact that VoidLink was discovered by chance in the early days of cloud adoption, it serves as a timely reminder that security assumptions must evolve as rapidly as the infrastructure itself. 

Since attackers are increasingly investing in frameworks built to blend into Linux and containerized environments, organizations are no longer able to protect critical assets by using perimeter-based controls and Windows-focused threat models. 

There is a growing trend among security teams to adopt a cloud-aware defense posture that emphasizes continuous monitoring, least-privilege access, and rigorous monitoring of the deployment of development and administrative endpoints that are used for bridging on-premise and cloud platforms in their development and administration processes. 

An efficient identity management process, hardened container and Kubernetes configurations, and increased visibility into east-west traffic within cloud environments can have a significant impact on the prevention of long-term, covert compromises within cloud deployments.

There is also vital importance in strengthening collaboration between the security, DevOps, and engineering teams within the platform to ensure that detection and response capabilities keep pace with the ever-changing and adaptive threat landscape. 

Modern enterprises have become dependent on digital infrastructure to support the operation of their businesses, and as frameworks like VoidLink are closer to real-world deployment, investing in Linux and cloud security at this stage is important not only for mitigating emerging risks, but also for strengthening the resilience of the infrastructure that supports them.
Read more »
supply chain attacks
Crypto-Funded Crime Cyber Extortion cyber threat Data Exfiltration Helpdesk Social Engineering Insider Threats Ransomware Retail Cyber Resilience supply chain attacks

Ransomware Profits Shrink Forcing Criminal Gangs to Innovate

 


Ransomware networks are increasingly using unconventional recruitment channels to recruit new operators. Using blatant job-style announcements online, these networks are enlisting young, inexperienced operators with all sorts of job experience in order to increase their payouts. 

There is a Telegram post from a channel that is connected to an underground collective that emphasizes the importance of female applicants, dismissing nationality barriers and explicitly welcoming people who have no previous experience in recruitment, with the promise to train recruits “from scratch” while emphasizing the expectation that they will learn rapidly.

In return, the position was advertised as being available during weekdays between 12 p.m. and 6 p.m. Eastern Time and being compensated $300 per successful call, which is paid out exclusively in cryptocurrency. It was far from a legitimate job offer, but it served as a gateway into a thriving criminal ecosystem known as The Community or The Com, a loosely connected group of about 1,000 individuals, many of whom are children in middle and high school. 

In order to operate, the network relies on fluid, short-lived alliances, constantly reshaping its structure in what cybersecurity researcher Allison Nixon calls an "infernal soup" of overlapping partnerships, which recur continuously. 

In the years since 2022, the collective and its evolving offshoots have carried out sustained intrusion campaigns against large corporations across the United States and the United Kingdom that have been referred to by previously referred to as Scattered Spider, ShinyHunters, Lapsus$, SLSH, and many others, among others. 

It is estimated that these sort of attacks, which include data breaches, credential theft, account takeovers, spear phishing, and digital extortion, may have compromised companies with a market value of more than $1 trillion. It is estimated that these sort of attacks, which include data breaches, credential theft, account takeovers, spear phishing, and digital extortion, may have compromised companies with a market value of more than $1 trillion. 

In the coming weeks, Silent Push will unveil a new research report based on cyber intelligence research conducted by Silent Push, Silent Push's partner firm Silent Push's affiliate Silent Push. Legal documents indicate that at least 120 organizations, as well as 120 brands, have been targeted, ranging from the worldwide giant Chick-fil-A, to the global giants of Instacart, Louis Vuitton, Morningstar, News Corporation, Nike, Tinder, T-Mobile, T-Mobile, Vodafone, and T-Mobile, Vodafone among others. 

This indicates that modern ransomware crime rings have undergone a major shift in both their operational strategy as well as the talent pool they utilize. In a world where profit margins are tightening, ransomware operations are changing, forcing threat actors to choose their victims with greater deliberateness and design attack models that are increasingly engineered. 

According to Coveware, the analysis division within Veeam, ransomware campaigns are no longer driven by broad, opportunistic targeting, but rather by pressure to extract leverage through precision and psychological manipulation in order to gain a competitive edge. There was a stark shift in corporate behavior during the third quarter that signaled a dramatic change in behavior in the ransomware industry. 

The proportion of victims paying ransoms fell below 25 percent for the first time ever in the history of ransomware tracking. However, when payments were made, they reflected a contraction that was unprecedented — an average of $376,941 with a median payout of $140,000. This represents a two-thirds decline from the previous quarter. 

There has been a decline in trust among major enterprises as a result of the downturn, particularly around the claim that stolen data would be permanently deleted after payment. This skepticism has had a material negative impact on exfiltration-only extortion, which has been reduced by 19 percent in ransom compliance. 

According to industry researchers, the financial strain has fractured the ransomware economy, resulting in 81 unique data-leak sites being recorded in Q3, the highest number to date, as emerging groups fill the void left by larger syndicates exiting the arena, following suit with their own ransomware campaigns. 

In spite of this dispersion, targeted groups have developed an erratic targeting behavior, drawing markets that were previously considered peripheral, including Southeast Asia, such as Thailand, and Thailand in particular. Especially recently, attackers have targeted midsize organizations that are lacking the financial resilience to weather sustained disruption – such as Russian-speaking crews like Akira and Qilin – even if they cannot meet multimillion-dollar demands that are being demanded. 

It is not only about victim realignment; operators are also exploring a broad range of revenue-enhancement strategies, including insider recruitment and bribery, social engineering on the helpdesk, supply chain compromise, and callback phishing, a tactic first developed in 2021 by the Ryuk group to destabilize defenses by causing victims to contact attackers directly, which in turn would disrupt defenses. 

Cisco Talos research highlights the importance of live negotiation in security, noting that attackers have been using real-time phone interaction to weaponize emotional pressure and adaptive social engineering to increase the effectiveness of attacks. Despite the fact that raw economic incentives have failed to deliver historical returns, modern ransomware groups have evolved a new way of leveraging influence, as evidenced by recent research. 

It has become apparent over the past few months that cybercriminal groups are increasingly embracing high-profile consumer brands in their strategic entanglements, as well as a marked shift in how these brands are defending themselves against such attacks. 

During the late spring and early summer of 2018, cybercrime collective Scattered Spider, a decentralized cybercrime collective that is known for targeting retail and supply chain organizations, targeted major retail and supply chain organizations including Victoria's Secret, United Natural Foods, and Belk, among others.

As the incidents unfolded, and the industry as a whole mobilized to defend itself against the attacks, the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) was established, an intelligence-sharing organization that coordinates the collective cybersecurity defense by retail enterprises. 

The RH-ISAC played an important role in the escalating digital threats and the tightening budgets for security in the retail and hospitality industries, industry intelligence releases indicate that there is also a parallel increase in executive alignment and organizational preparedness across the two industry sectors. There has been an increase in the number of chief information security officers reporting directly to senior business leaders as reflected in a recent study conducted by RH-ISAC. 

In a way, this represents a 12-point increase from the previous year, signaling that cybersecurity has become more integrated into corporate strategy rather than being separated from IT. It has been noted by sector leaders that, as a result of this structural shift, security chiefs have become an increasingly important part of commercial decision-making, with their influence extending beyond breach prevention to risk governance, vendor evaluation, and business continuity planning. 

There is no doubt that the same report showed that operational resilience has emerged as a major priority in the boardroom, ranking at the top for approximately half of the organizations surveyed. 

During the conference, the leadership of RH-ISAC highlighted the industry's need to focus on recovery readiness, incident response coordination, and cross-company intelligence exchange, all of which are now considered essential to maintaining customer trust and continuous supply chains in an environment where reputational damage can often outweigh technical damage. 

Although some retail and hospitality enterprises are still faced with the challenge of tight security functions and the apparent friction between deploying them rapidly as well as ensuring that the security remains airtight, many enterprises have been able to demonstrate an improved capacity for absorbing and responding to sustained adversarial pressure. 

Analysts observe that recent high-profile compromises have not derail the industry but have instead tested its defenses and, in several cases, validated them. In this regard, the growing emphasis on cyber resilience is emerging from an aspiration to a reality as a result of orchestrating coordinated response strategies, sharing threat intelligence, mitigation frameworks, and incident guidelines to help organizations prevent becoming successive targets for cyber crimes. 

During the course of the center's response, European retail partners were able to share their insights quickly with the center, since they were facing Scattered Spider operations only weeks earlier. As early as April, the same group had breached a number of U.K. retail organizations including Harrods, Marks & Spencer, and the Co-op, which resulted in emergency advisories from British law enforcement and national cyber agencies advising the public. 

A cross-border intelligence dialogue was held by RH-ISAC in light of those developments to gain an in-depth understanding of the group's evolving tactics. Shortly after the U.K. attacks, the organization held a members-only threat briefing with researchers from Mandiant, Google's cyber intelligence division, to review operational patterns, attacker behavior, and defensive weaknesses. 

RH-ISAC's intelligence coordination with British retailers has enabled them to refine the attribution signals and enhance their early-warning models before the group escalated operations in North America and it was no surprise that they achieved this. 

During this series of breaches, it was revealed that the collective was heavily dependent on young, loosely affiliated operators, but that the retail industry was also making a marked departure from historically isolated incident management models, and instead was increasingly committed to collaborative defenses, intelligence reciprocity, and coordinated response planning. 

There has been a significant evolution in ransomware in recent years, marking the beginnings of a new era of cyber defenses for consumer-facing industries in which economics, psychology, and collaboration are coming together as critical forces. 

In the age of fragmented threat groups, a growing number of recruits, and more manipulative attack models, resilience cannot be solely based on perimeter security. There are experts in the field who emphasize the importance of pairing rapid threat detection with institutional memory, so that organizations can preserve information from every incident, regardless of how quickly attacker infrastructure or affiliations erode. 

A growing number of organizations are implementing protocols for verifying helpdesks, monitoring insider threats, performing supply chain risk audits, and sharing cross-border intelligence. This is an era in which human weaknesses are exploited as aggressively as software flaws, and these protocols are emerging as non-negotiable defenses. 

Meanwhile, the shift towards executive security ownership in retail and hospitality is a blueprint for other sectors as well, since cybersecurity influence needs to be integrated with business strategy rather than being buried beneath it. 

There are a number of recommendations for organizations to implement continuous employee awareness conditioning, stricter playbooks for recovering access, simulated social engineering drills, and incident response alliances that are as fast as an attacker can move. 

Essentially, resilience is not being able to compromise. It does not imply that you do not compromise, but that you are able to recover more rapidly, coordinate more effectively, and think quicker than the opposition.
Read more »
supply chain security
Cyber Attacks Ransomware attack Ransomwares Software Providers Supply Chain supply chain attacks supply chain security

Ransomware Attack on Blue Yonder Disrupts Global Supply Chains

 

Blue Yonder, a leading supply chain software provider, recently experienced a ransomware attack that disrupted its private cloud services. The incident, which occurred on November 21, 2024, has affected operations for several high-profile clients, including major grocery chains in the UK and Fortune 500 companies. While the company’s Azure public cloud services remained unaffected, the breach significantly impacted its managed services environment. The attack led to immediate operational challenges for key customers. UK supermarket chains Morrisons and Sainsbury’s were among the most affected. 

Morrisons, which operates nearly 500 stores, reported delays in the flow of goods due to the outage. The retailer activated backup systems but acknowledged that its operations were still disrupted. Sainsbury’s similarly implemented contingency plans to address the situation and minimize the impact on its supply chain. In the United States, Blue Yonder serves prominent grocery retailers such as Kroger and Albertsons, though these companies have not confirmed whether their systems were directly affected. 

Other notable clients, including Procter & Gamble and Anheuser-Busch, also declined to comment on any disruptions they might have faced as a result of the attack. In response to the breach, Blue Yonder has enlisted the help of external cybersecurity firms to investigate the incident and implement stronger defenses. The company has initiated forensic protocols to safeguard its systems and prevent further breaches. While recovery efforts are reportedly making steady progress, Blue Yonder has not provided a timeline for full restoration. The company continues to emphasize its commitment to transparency and security as it works to resolve the issue. 

This attack highlights the growing risks faced by supply chain companies in an era of increasing cyber threats. Disruptions like these can have widespread consequences, affecting both businesses and consumers. A recent survey revealed that 62% of organizations experienced ransomware attacks originating from software supply chain vulnerabilities within the past year. Such findings underscore the critical importance of implementing robust cybersecurity measures to protect against similar incidents. 

As Blue Yonder continues its recovery efforts, the incident serves as a reminder of the potential vulnerabilities in supply chain operations. For affected businesses, the focus remains on mitigating disruptions and ensuring continuity, while industry stakeholders are left grappling with the broader implications of this growing threat.
Read more »
supply chain attacks
cyber resilience Cyber Security Cybersecurity Threats Cyble research dark web breaches IT Security software vulnerabilities supply chain attacks

Cyble Research Reveals Near-Daily Surge in Supply Chain Attacks

 

The prevalence of software supply chain attacks is on the rise, posing significant threats due to the extensive impact and severity of such incidents, according to threat intelligence researchers at Cyble.

Within a six-month span from February to mid-August, Cyble identified 90 claims of supply chain breaches made by cybercriminals on the dark web. This averages nearly one breach every other day. Supply chain attacks are notably more costly and damaging than other types of cyber breaches, making even a small number of these attacks particularly detrimental.

Cyble’s blog highlights that while infiltrations of an IT supplier’s codebase—similar to the SolarWinds incident in 2020 and Kaseya in 2021—are relatively uncommon, the software supply chain’s various components, including code, dependencies, and applications, remain a continuous source of vulnerabilities. These persistent risks leave all organizations exposed to potential cyberattacks.

Even when supply chain breaches do not compromise codebases, they can still result in the exposure of sensitive data, which attackers can exploit to breach other environments through methods such as phishing, spoofing, and credential theft. The interconnected nature of the physical and digital supply chain means that any manufacturer or supplier involved in downstream distribution could be considered a potential cyber risk, according to the researchers.

In their 2024 analysis, Cyble researchers examined the frequency and characteristics of supply chain attacks and explored defenses that can mitigate these risks.

Increasing Frequency of Supply Chain Attacks

Cyble’s dark web monitoring revealed 90 instances of cybercriminals claiming successful supply chain breaches between February and mid-August 2024.

IT service providers were the primary targets, accounting for one-third of these breaches. Technology product companies were also significantly impacted, experiencing 14 breaches. The aerospace and defense, manufacturing, and healthcare sectors followed, each reporting between eight and nine breaches.

Despite the concentration of attacks in certain industries, Cyble’s data shows that 22 out of 25 sectors tracked have experienced supply chain attacks in 2024. The U.S. led in the number of breaches claimed on the dark web, with 31 incidents, followed by the UK with 10, and Germany and Australia with five each. Japan and India each reported four breaches.

Significant Supply Chain Attacks in 2024

Cyble’s blog detailed eight notable attacks, ranging from codebase hijacks affecting over 100,000 sites to disruptions of essential services. Examples include:

  • jQuery Attack: In July, a supply chain attack targeted the JavaScript npm package manager, using trojanized versions of jQuery to exfiltrate sensitive form data from websites. This attack impacted multiple platforms and highlighted the urgent need for developers and website owners to verify package authenticity and monitor code for suspicious modifications.
  • Polyfill Attack: In late June, a fake domain impersonated the Polyfill.js library, injecting malware into over 100,000 websites. This malware redirected users to unauthorized sites, underscoring the security risks associated with external code libraries and the importance of vigilant website security.
  • Programming Language Breach: The threat actor IntelBroker claimed unauthorized access to a node package manager (npm) and GitHub account related to an undisclosed programming language, including private repositories with privileges to push and clone commits.
  • CDK Global Inc. Attack: On June 19, a ransomware attack targeted CDK Global Inc., a provider of software to automotive dealerships, disrupting sales and inventory operations for weeks across North American auto dealers, including major networks like Group1 Automotive Inc. and AutoNation Inc.
  • Access to 400+ Companies: IntelBroker also claimed in June to have access to over 400 companies through a compromised third-party contractor, with data access to platforms like Jira, GitHub, and AWS, potentially affecting large organizations such as Lockheed Martin and Samsung.
Mitigating Supply Chain Risks through Zero Trust and Resilience

To counter supply chain attacks, Cyble researchers recommend adopting zero trust principles, enhancing cyber resilience, and improving code security. Key defenses include:

  1. Network microsegmentation
  2. Strong access controls
  3. Robust user and device identity authentication
  4. Encrypting data both at rest and in transit
  5. Ransomware-resistant backups that are “immutable, air-gapped, and isolated”
  6. Honeypots for early detection of breaches
  7. Secure configuration of API and cloud service connections
  8. Monitoring for unusual activity using tools like SIEM and DLP
  9. Regular audits, vulnerability scanning, and penetration testing are also essential for maintaining these controls.

Enhancing Secure Development and Third-Party Risk Management

Cyble also emphasizes best practices for code security, including developer audits and partner assessments. The use of threat intelligence services like Cyble’s can further aid in evaluating partner and vendor risks.

Cyble’s third-party risk intelligence module assesses partner security across various areas, such as cyber hygiene, dark web exposure, and network vulnerabilities, providing specific recommendations for improvement. Their AI-powered vulnerability scanning also helps organizations identify and prioritize their own web-facing vulnerabilities.

As security becomes a more critical factor in purchasing decisions, vendors will likely need to improve their security controls and documentation to meet these demands, the report concludes.
Read more »
US Cybersecurity
Breach CISA critical infrastructure risk Cyber Security Data Analytics Information Security supply chain attacks US Cybersecurity

CISA Investigates Sisense Breach: Critical Infrastructure at Risk

 

In the fast-paced landscape of cybersecurity, recent events have once again brought to light the vulnerabilities that critical infrastructure organizations face. The breach of data analytics company Sisense, under investigation by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as a stark reminder of the importance of robust security measures in protecting sensitive data and systems. 

Sisense, a prominent American business intelligence software company, found itself at the center of a security incident impacting not only its own operations but also critical infrastructure sector organizations across the United States. 

With offices in New York City, London, and Tel Aviv, and a clientele including major players like Nasdaq, ZoomInfo, Verizon, and Air Canada, the breach sent shockwaves through the cybersecurity community. CISA's involvement underscores the severity of the situation, with the agency actively collaborating with private industry partners to assess the extent of the breach and its implications for critical infrastructure. 

As investigations unfold, the focus is on understanding the nature of the compromise and mitigating potential risks to affected organizations. In response to the breach, CISA has issued recommendations for all Sisense customers to reset any credentials and secrets that may have been exposed or used to access the company's platform and services.

This proactive measure aims to prevent further unauthorized access and protect sensitive information from exploitation. Sisense's Chief Information Security Officer, Sangram Dash, echoed CISA's advice in a message to customers, emphasizing the importance of promptly rotating credentials used within the Sisense application. This precautionary step aligns with best practices in cybersecurity, where rapid response and mitigation are essential to minimizing the impact of security incidents. 

Additionally, customers are urged to report any suspicious activity related to potentially exposed credentials or unauthorized access to Sisense services to CISA. This collaborative approach between organizations and government agencies is crucial in addressing cybersecurity threats effectively and safeguarding critical infrastructure from harm. The incident involving Sisense is not an isolated event. 

Similar supply chain attacks have targeted critical infrastructure organizations in the past, highlighting the need for heightened vigilance and resilience in the face of evolving cyber threats. One such attack, involving the 3CX breach a year ago, had far-reaching consequences, impacting power suppliers responsible for generating and distributing energy across the grid in the United States and Europe. 

As organizations grapple with the aftermath of the Sisense breach, lessons learned from this incident can inform future cybersecurity strategies. Proactive measures such as continuous monitoring, regular security assessments, and robust incident response plans are essential for mitigating risks and protecting critical infrastructure assets. 

The Sisense breach serves as a wake-up call for the cybersecurity community, emphasizing the interconnected nature of cyber threats and the imperative of collaboration in defending against them. By working together and adopting a proactive stance, organizations can bolster their defenses and safeguard critical infrastructure from cyber adversaries.
Read more »
supply chain attacks
Cyber Culture Cyber defense Cyber Security Data protection Data Retention Employee Training HR Strategies Incident response Security Preparedness supply chain attacks

Boost Cybersecurity: HR's Key Role in Guarding Your Business

 

If your company were to fall victim to ransomware today, whom would you contact? Or perhaps a more pertinent question: How would you go about contacting them? 

This scenario might appear ludicrous, there are  instances where organizations have been immobilized during the initial hours following a breach simply due to the absence of readily available contact information. 

With email and messaging systems rendered inaccessible, communication grinds to a halt, causing confusion among employees, customers, and suppliers alike. What begins as mild panic rapidly escalates into a full-blown crisis.

Commonly, people tend to associate cybersecurity exclusively with the IT or security department. However, safeguarding your company hinges on two crucial factors: the prevailing organizational culture and meticulous planning. This is precisely why some of the most pivotal players in the realm of cyber defense aren't housed within the IT team – they reside within the human resources (HR) department.

The HR team occupies a unique vantage point, enabling them to seamlessly integrate cybersecurity preparedness into the daily operations of an organization. 

Their responsibilities encompass establishing policies and processes to mitigate risks and fostering a business environment equipped to withstand foreseeable challenges, cyberattacks included. Notably, HR teams are also prime targets for hackers, given their role as custodians of sensitive personal information belonging to employees.

Regrettably, the significance of this role often goes unnoticed. Thus, sharing five strategies by which HR can fortify your business against cybercriminals.

1. Foster a Culture of Cybersecurity

Maintaining eternal vigilance is the requisite price for preserving our liberty to navigate the internet. The sheer volume of threats is staggering – recent findings indicate that educational institutions fend off over 2,300 intrusion attempts on average each week, while healthcare organizations combat more than 1,600 attacks. Given the barrage of digital threats, capturing them all becomes an incredibly daunting task. Yet, a robust cybersecurity culture equips an organization to counter these attacks and minimize the scope of damage when they do breach defenses. The challenge lies in uniting everyone under a shared understanding of appropriate online conduct.

To initiate this process, it is imperative to provide training tools that equip employees with the knowledge of permissible and prohibited online behaviors. Most organizations excel in this aspect. However, the implementation of this information on a daily basis often falls short.

The most effective means of ingraining cybersecurity as an integral aspect of individual responsibilities is its incorporation into performance evaluations. Rather than chastising employees for inadvertently clicking on dubious links, the approach should be constructive, focusing on how they uphold their cyber literacy training. Cyber health-check tools can be employed by workers to analyze their online conduct and address vulnerabilities (such as employing identical passwords across multiple platforms or neglecting two-factor authentication). Moreover, these tools can be harnessed to monitor the progress towards cybersecurity objectives at an organizational level.

Regular discourse on safety measures will seamlessly integrate them into the modus operandi of your business.

2. Safeguard Sensitive Information

HR assumes custodial responsibility for some of the most sensitive data within an organization – a fact not lost on hackers. Over the past half-decade, numerous companies have embraced platforms that empower employees to independently manage routine tasks such as vacation requests. However, these third-party platforms carry inherent risks. Cybercriminals often target them through supply chain attacks, cognizant of the potential to access vast troves of data from multiple organizations. In 2021, a widely-used file transfer system fell victim to a breach, compromising over 300 organizations. The University of California was among those affected, with exposed information spanning employees' social security numbers, driver's licenses, and passport details (prompting the UC system to provide its staff with complimentary ID monitoring services).

Primary among the duties of HR professionals is to ensure the confidentiality of employee data. Rigorous due diligence is essential before enlisting the services of any third-party HR provider. Preference should be accorded to entities conforming to international standards (notably SOC 2 and ISO 27001), while online research should uncover any past security incidents associated with the provider. It is equally vital to ascertain the storage and backup mechanisms employed for your data. Depending on your geographical location and industry, compliance with data residency regulations may be obligatory.

3. Rationalize Data Retention Policies

Updating the data retention policy should be a priority for every HR department. Even if your organization's policy isn't documented, a policy nevertheless exists – the default being the indefinite retention of all data. This exposes you to significant risks. The severity of a breach is exacerbated by the volume of data at stake, especially if you retain unnecessary data. Many jurisdictions stipulate limits on the duration for which companies should retain sensitive information – typically around seven years for records pertaining to former employees.

4. Appoint an Incident Commander

While cybersecurity constitutes an ongoing collective responsibility, a designated individual should assume leadership during a breach. In cybersecurity parlance, this figure is known as the incident commander. Despite diverse perspectives on the most suitable course of action, decision-making authority rests with the incident commander.

The qualifications for an incident commander are succinct: they should possess a profound understanding of cybersecurity matters within your organization. Depending on the size of your enterprise, this individual could be a cybersecurity expert, the head of IT, or even an individual like Joanne from the accounting department, provided she has undergone relevant training. Regardless of the appointee's identity, their role should be pre-established, communicated clearly to your team, and ready to be activated in the event of an incident. Given the swiftness with which cybersecurity events unfold – exemplified by instances where hackers gave a mere 45-minute warning prior to disclosing sensitive information – identifying the incident commander ahead of time is critical to minimizing response delays.

5. Conduct Preparedness Drills

Effective cybersecurity hinges on both planning and practice. Numerous studies underscore the fact that individuals struggle to make sound decisions under stress. Much like fire or earthquake drills provide a framework for emergencies, the same principle applies to cybersecurity incidents. Allocate a two-hour window annually to execute a tabletop exercise involving key personnel, simulating the actions to be taken in the event of a hack. During these drills, a designated moderator outlines the attack's nature and scope, while participants collaboratively devise their responses.

Initial attempts at conducting such exercises may result in confusion, yet this is by design. The ensuing scramble highlights deficiencies in your strategies. Over time, these drills become second nature, enhancing your organization's capacity to effectively respond to cyber threats.
Read more »
Third Party Vendors
Cyber Security Supply Chain supply chain attacks supply chain security Third Party Vendors

What Choices Ought to Influence the Supply Chain in 2023?

 

Due to the increase in cybercrime, many businesses are infected by viruses and malware that are distributed to them by vendors and business partners. 

There has not been a definite plan of action that addresses this as of yet. However, new third-party risk assessment techniques, products, and services are now available to find security "weak spots" in the supply chain of your business. 

Threats by supply chain vendors 

BlueVoyant, a cybersecurity provider, reported in 2021 that 98% of organizations surveyed had been impacted by a supply chain security breach. In a global survey of 1,000 chief information officers conducted in 2022, 82% of respondents said their organizations were vulnerable to cyberattacks targeting their supply chains. 

There are multiple reasons for these statistics and concerns. The following stand out:

  • The enormous size of corporate supply chains can include up to 100,000 suppliers for a single business 
  • Different cybersecurity standards are required in different countries 
  • Supplier unpreparedness, lack of knowledge, and lack of resources for sound cybersecurity practices 
  • Lack of understanding of supplier security in areas like purchasing, which frequently issue requests for proposals from suppliers without mentioning the security requirements for conducting business with the company. 

Best practices for supply chain security 

While cybersecurity frameworks provide an excellent overview of general supply chain security requirements, they do not provide a detailed plan for implementation. 

What organizations require is a guide for a multifaceted approach to supply chain security — but no single playbook can meet the needs of every organization. Instead, as organizations develop their own security approaches, leaders should follow supply chain security best practices: 

Become familiar with your data 

It may seem obvious, but it cannot be overstated: you must understand your own data, that is, what type of data your organization stores and how sensitive that data is. Use discovery and classification tools to find databases and files in your organization that contain sensitive data, such as customer data, financial information, health records, etc. 

Conduct a risk assessment of supply chain security 

Simply comprehending your data is insufficient. You must also understand your supply chain thoroughly in order to identify potential security risks and take preventative measures. 

Begin by gathering data on your third-party partners. What security safeguards do they have in place? Consider each partner's level of vulnerability, breadth and depth of data access, and the impact on your organization if their security is compromised. 

Next, evaluate the software and hardware products that your company employs. What are their weaknesses? Also, don't overlook compliance. Examine your organization's current security governance and consider where it may need to pivot. 

Create an incident response plan 

Attacks will occur, and your system will be compromised, no matter how thoroughly you prepare your organization's supply chain security. As a result, supply chain security best practices include more than just prevention — they also include preparation. 

An incident response plan should be a key component of your supply chain security app. This plan should outline everyone's responsibilities as well as all procedures to be followed in the event of a security incident. Make specific plans for data breaches, system shutdowns, and other security interruptions. And don't just write these procedures down. Test them, practice them, and make sure they're ready to go. 

Conclusion 

Because the supply chain is so fragile, maintaining solid supply chain security is a dangerous game. While eliminating all threats is impossible, adhering to best practices in supply chain security will position your organization to anticipate and mitigate their effects.
Read more »
Trojan
Canada Comm100 Data Theft malware Supply Chain Attack supply chain attacks supply chain security Trojan

Trojanized Comm100 Live Chat App Installer Distributed a JavaScript Backdoor

Cybersecurity platform CrowdStrike reported a supply chain attack that involved the use of a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor. The application suffered an attack from 27 September to 29, 2022. 

Additionally, the malicious group actively attacked other sectors of the organizations with the same installer including the industrial, technology, healthcare, manufacturing, telecommunications sectors, and insurance in North America and Europe. 

Canadian application Comm100 facilitates over 200,000 businesses with its customer service and communication products. With more than 15,000 clients, the Comm100 company offers chat and customer engagement applications to businesses in 51 countries. However, the company did not report anything on how many customers got affected by the attack. 

According to the Cybersecurity firm CrowdStrike, the malware was proliferated using a Comm100 installer that was downloadable from the company’s website. On September 26, the installer was signed with legitimate information on the Comm100 desktop agent app. 

“CrowdStrike Intelligence can confirm that the Microsoft Windows 7+ desktop agent hosted at hxxps[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win[.]exe that was available until the morning of September 29 was a trojanized installer.”, Crowdstrike confirmed. 

Also, a malicious loader DLL called MidlrtMd[.]dll has been used as part of the post-exploitation action. It starts an in-memory shellcode to inject an embedded payload into a new Notepad process (notepad[.]exe). The CrowdStrike believed that the China nexus threat actor is behind the attack because the group previously targeted several Asian online gambling organizations. 

“Furthermore, CrowdStrike Intelligence assesses with moderate confidence that this actor likely has a China nexus. This assessment is based on the presence of Chinese-language comments in the malware, the aforementioned tactics, techniques, and procedures (TTPs), and the connection to the targeting of online gambling entities in East and Southeast Asia — a previously established area of focus for China-nexus targeted intrusion actors”, CrowdStrike Intelligence customers reported.
Read more »
supply chain attacks
Android AWS iOS Mobile Security supply chain attacks

Over 1800 Mobile Apps Found Exposing AWS Credentials


Experts find hard-coded AWS credentials

Experts have found 1,859 applications across Android and iOS that contain hard-coded Amazon Web Services (AWS) credentials, becoming a major security threat. More than 77% of the apps contain valid AWS access tokens that allow access to private AWS cloud services. 

Mobile apps may contain vulnerabilities in the supply chain that can potentially cause exposure to sensitive data, which can be used by hackers for other attacks. Supply chain vulnerabilities in mobile apps are often added by app developers, intentionally or unintentionally. 

The developers don't know the downside of the security impacts, putting the app users' privacy, as well as the employer and organizations' privacy at risk too. 

Source of the Problem

Researchers at Broadcom Software looked into why and where exactly the AWS access tokens were inside the applications, and whether present in other apps too. They found over half (53%) of the apps were using the same AWS access tokens found in other apps. 

These apps, interestingly, were from different app developers and organizations. This way, the experts found a supply chain vulnerability, it could be traced to a shared library, third-party SDK, or other shared components used in making the apps. 

Why app developers are using hard-coded access keys?

  • Downloading or uploading assets and resources needed for the applications, generally large media files, images, or recordings. 
  • To access configuration files for the app and/or register the device or get device info for cloud storage. 
  • Access cloud services that need authentication, like translation services.
  • For no particular reason, the dead code was used for testing and never removed. 

In one incident discovered by Symantec, an unknown B2B company that offers an intranet and communication platform and also provides a mobile software development kit (SDK) to its customers had its cloud infrastructure keys embedded in the SDK to access the translation service. 

It led to the leak of all of its customers' personal information- corporate data and financial records that belonged to more than 15000 medium to large-sized firms. 

How can users stay safe from supply chain attacks?

It is possible to protect yourself from supply chain issues, one can add security scanning solutions to the app development lifecycle and if using an outsourced provider, you can review Mobile App Report Cards, which can notice any malicious app behaviors or vulnerabilities for every launch of the mobile app, can all be helpful in to highlight potential issues. 

If you're an app developer, you can look for a report card that both scans SDKs and frameworks in your apps and finds the source of any vulnerabilities or suspicious behaviors. 




Read more »
zero Day vulnerability
Cyber Attacks RCE Flaw supply chain attacks zero Day vulnerability

Last Year, Brute-Forcing Passwords and ProxyLogon Exploits were Among the Most Common Attack Vectors

 

Last year, brute-forcing passwords and exploiting ProxyLogon vulnerabilities against Microsoft Exchange Server were among the most prominent attack methods. According to ESET's Q3 Threat Report, which covers September to December 2021, while supply chain attacks increased over 2020, the year 2021 was marked by the continuous discovery of zero-day vulnerabilities potent enough to wreak havoc on enterprise systems. The discovery of zero-day flaws in Exchange Server, as well as Microsoft's emergency patches to address on-premise issues, haunted IT admins well into the year.

The end of the year was similarly tumultuous in terms of RDP attacks, which grew in severity throughout 2020 and 2021. Despite the fact that 2021 was no longer distinguished by the chaos of freshly imposed lockdowns and fast migrations to remote work, the data from the final weeks of T3 2021 eclipsed all prior records, amounting to a remarkable yearly surge of 897% in total attack attempts thwarted. The only positive news from the RDP attack front is that the number of targets has been gradually decreasing, albeit the rampage does not appear to be coming to a stop anytime soon. 

Ransomware, previously described as "more aggressive than ever" in the Q4 2020 Threat Report, outperformed the worst predictions in 2021, with attacks on critical infrastructure, outrageous ransom demands, and over US$5 billion in bitcoin transactions tied to potential ransomware payments identified in the first half of 2021 alone. 

However, the pressure from the opposing side has been increasing as well, as evidenced by increased law enforcement efforts against ransomware and other cybercriminal endeavors. While the intensive crackdown prompted numerous gangs to quit the scene – even providing decryption keys – it appears that other attackers are becoming even more daring: T3 saw the biggest ransom demand yet, US$240 million, tripling the prior report's figure. 

The repercussions of a critical vulnerability in Log4j were also discovered in the last four months of 2021. The remote code execution (RCE) flaw in Log4j, tracked as CVE-2021-44228, received a CVSS severity level of 10.0, sending organizations scrambling to repair the problem. Threat actors immediately began attempting to exploit the flaw.

Despite the fact that the vulnerability was only made public in the last three weeks of 2021, ESET has classified CVE-2021-44228 as one of the top five attack vectors of the year. 

According to the study, there has been a significant increase in Android banking malware, with a 428% increase in 2021 compared to 2020. According to ESET, infection rates connected with Android banking Trojans including SharkBot, Anatsa, Vultur, and BRATA have now surpassed adware levels.
Read more »
supply chain attacks
APT actors Critical Data Cyber Crime Remote Access Trojan supply chain attacks

APT27 Hackers are Backdooring Business Networks in Germany

 

The German domestic intelligence services BfV issued a warning about ongoing operations orchestrated by the Chinese-backed hacker group APT27. The attackers are utilising the HyperBro remote access trojans (RAT) to backdoor German commercial enterprises' networks in this active campaign. By operating as an in-memory backdoor with remote administration capabilities, HyperBro assists threat actors in maintaining persistence on the victims' networks.

HyperBro is a RAT that has been seen predominantly in the gambling industries, while it has also been seen in other places. The malware is typically composed of three or more components: a) a genuine loader with a signed certification, b) a malicious DLL loader loaded from the former component via DLL hijacking, and c) an encrypted and compressed blob that decrypts to a PE-based payload with its C2 information hardcoded within.

APT27 (also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse) is a Chinese-sponsored threat group that has been active since at least 2010 and is noted for its emphasis on data theft and cyber espionage efforts. 

Since March 2021, APT27 has been exploiting flaws in Zoho AdSelf Service Plus software, an enterprise password management solution for Active Directory and cloud apps, according to the German intelligence agency. This is consistent with prior reports that Zoho ManageEngine installations will be the target of many campaigns in 2021, coordinated by nation-state hackers employing techniques and tooling similar to APT27. 

The threat group's objective, according to the agency, is to steal critical information and may potentially seek to target its victims' customers in supply chain attacks.

"The Federal Office for the Protection of the Constitution has information about an ongoing cyber espionage campaign by the cyber-attack group APT27 using the malware variant HYPERBRO against German commercial companies," the BfV said. "It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of customers or service providers." 

In addition, the BfV issued indicators of compromise (IOCs) and YARA rules to assist targeted German organisations in detecting HyperBro infections and connections to APT27 command-and-control (C2) servers. 

APT27 initially exploited an ADSelfService zero-day exploit until mid-September, then transitioned to an n-day AdSelfService vulnerability before beginning to exploit a ServiceDesk flaw on October 25. According to Palo Alto Networks researchers, they effectively infiltrated at least nine organisations from vital industries around the world, including defence, healthcare, energy, technology, and education.
Read more »
supply chain attacks
Container Images cryptocurrency Cyber Attacks Docker Hub supply chain attacks

Supply Chain Attacks Using Container Images

 

According to cybersecurity firm Aqua Security, a recently discovered crypto mining technique used malicious Docker images to takeover companies' computing resources to mine bitcoin.  

The photos were published to Docker Hub's official repository. The researchers discovered five Docker Hub container images that could be utilised in a supply chain attack against cloud-native systems. Developers use Docker, a prominent platform-as-a-service container provider for Linux and Windows devices, to help them build and package apps. 

According to Assaf Morag, principal data analyst at Aqua Security, the researchers discovered the infected pictures during their routine manual examination. 

"We regularly share this kind of information with Docker Hub and other public registries or repositories (GitHub, Bitbucket, etc)," Morag says. 

"Based on the information we share with Docker Hub, they conduct their investigation and decide whether or not they close the namespace. In this particular case, they closed these namespaces on the same day we had reached out to them. Docker Hub’s reaction and response time are absolutely amazing.” 

The first three containers discovered by the researchers - thanhtudo, thieunutre, and chanquaa - launch the Python script dao.py, which has been used in various past campaigns to obscure harmful container images in Docker Hub via typosquatting. The names of the other two container images are openjdk, and golang are. 

"We haven’t seen any indication that they were used in attacks in the wild but that doesn’t mean that they were or weren’t. Our goal is to shine a bright light on these container images with misleading names, saying that they contain cryptominer which is executed once you run the container, even though there is no indication in the namespace that this is the purpose of these container images." 

These malicious containers are designed to be readily mistaken as legitimate container images, although the Docker Hub accounts responsible for them are not official accounts. 

"Once they are running, they may look like an innocent container. After running, the binary xmrig is executed (MD5: 16572572588c2e241225ea2bf6807eff), which hijacks resources for cryptocurrency mining," the researchers added. 

"I guess you will never log in to the webpage mybunk[.]com, but if the attacker sent you a link to this namespace, it might happen," he says. "The fact is that these container images accumulated 10,000-plus pull, each." 

While it's unknown who's orchestrating the scam, according to the study, the fraudulent Docker Hub account was taken down when Aqua Security alerted Docker. According to Morag, these containers are not directly controlled by a hacker, but a script at the entry point/cmd is designed to launch an automated assault. The assaults, in this case, were confined to stealing computing resources to mine bitcoin. 

Morag added, "When someone runs these container images, there’s a script that 'loads' the mining configuration and executes a binary that is designed to communicate with a mining pool and execute a crypto mining script. In all cases – XMRIG.” 

Attackers are increasingly targeting software supply chains, and they're growing better at concealing their attacks. As a result, businesses should strengthen their security to decrease the chance of falling victim to such an attack. Here are some suggestions to help to enhance the security posture by Aqua Security: 
1. Control access to public registries: When running containers from a public registry, consider the registry a high-risk source for supply chain attacks. Attackers are attempting to dupe developers into unintentionally fetching malicious container images by masquerading them as popular ones. Create a curated internal registry for base container images to minimise risk, and restrict who can access public registries. Implement policies to ensure that container images are verified before they are added to the internal registry. 

2. Scan container images for malware using static and dynamic analysis: When companies utilise static, signature- or pattern-based scanning, sophisticated assaults can easily evade detection. Threat actors, for example, might avoid detection by embedding code in container images that only downloads malware during execution. 

3. Digitally signing container images or utilising other image integrity measures This helps to guarantee that the container images in use are the same ones reviewed and approved.
Read more »
Technology
Cyber Security cyber threat supply chain attacks supply chain security Technology

What is a Supply Chain Attack? Here's How is it Making Your Software Vulnerable

 

Users receive warnings from public and private organizations asking them to be aware of fraud links and sources, to not share their credentials with anybody, and save their sensitive data from dark websites, etc. commonly. However, the sophisticated hacking market is generating a sense of fear in minds of the public with questions like what if the legal software and hardware that makes up your network has been already compromised at the source? Which leads us to our main question: What is a supply chain attack? 

A very common form of cyber-hacking is known as a "supply chain attack”, it is also called a value-chain or third-party attack. This umbrella term ‘supply chain attack’ includes those cyber attacks that target software developers and suppliers so that several clients and customers of the fine products and services can be affected directly. 

By leveraging a single developer or supplier, threat actors or spies can steal its distribution systems and install the application that they want to send to the victims. 

By compromising a single chain, the hackers can well-place intrusion and can successfully can create a springboard to the networks of a supplier's consumers in which thousands of people can be victimized. 

Supply chain attacks have always been understood as daunting tasks. The reason behind this is their consequences can be very severe, a single attack can leave the whole organization with severe vulnerabilities and can break the trust between an organization and the customers. 

"Supply chain attacks are scary because they're really hard to deal with, and because they make it clear you're trusting a whole ecology," says Nick Weaver, a security researcher at UC Berkeley's International Computer Science Institute. "You're trusting every vendor whose code is on your machine, and you're trusting every vendor's vendor." 

In December 2020, the worst face of the supply chain attack had already been witnessed, when it was discovered that the Russian malicious actors later identified as Russian foreign intelligence service (SVR) compromised the software firm SolarWinds and installed malicious code in its IT management tool Orion. With this, hackers attacked at least nine US federal agencies. 

The spy operation ‘SolarWinds’ wasn't unique, there is a list of events that already hit the world’s big companies including a Chinese hacking group known as Barium carrying out at least six supply chain attacks over the past five years. 

In 2017, the Russian threat actors ‘Sandworm’, hijacked the software updates of the Ukrainian accounting software MEDoc, which ultimately inflicted $10 billion in damage worldwide. This attack is the costliest cyberattack in history.

With the available statistics and data, we can conclude that supply chain attacks are a huge problem that's not going away anytime soon. 
Read more »
WhatsApp
German Germany Google Ads malware supply chain attacks WhatsApp

German Company Hit By Supply Chain Attack, Only Few Device Affected

Gigaset, a German device maker, was recently hit with a supply chain attack, the hackers breached a minimum of one company server to attach the malware. Earlier known as Siemens Home and Office Communication Devices, Gigaset is Germany based MNC. The company holds expertise in communication technology area, it also manufactures DECT telephones. Gigaset had around 800 employees, had operations across 70 countries and a revenue of 280 Million euros in the year 2018. 

The attack happened earlier this month, the malware was deployed in the android devices of the German company. According to experts, various users reported cases of malware infections, complaining the devices were attacked with adwares that showed unwanted and intrusive ads. Most of the users reported their complaints on Google support forums. A German website published a list of these package names (unwanted popups) which were installed on the android devices. 

Earlier complaints from the users are suggesting that data might've also been stolen from these devices. The foremost issue that these users faced was SMS texting and sending Whatsapp messages, the latter suspended few accounts on suspicion of malicious activity. The company has confirmed about the breach and said that the only the users who installed latest firmware updates from the infected devices were affected. The company is already set on providing immediate solutions to the affected customers. "It is also important to mention at this point that, according to current knowledge, the incident only affects older devices," said the company. 

The company during its routine investigation found that few of the old devices had malware problems. It was further confirmed by the customer complaints. Gigaset says it has taken the issue very seriously and is working continuously to provide short term solution to its customers. "In doing so, we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem. We expect to be able to provide further information and a solution within 48 hours," said Gigaset.
Read more »
supply chain attacks
Cyber Crime GitHub PHP supply chain attacks

PHP Git Server Hacked to Plant Malware in Code Base

 

In the most recent software supply chain assault, the official PHP Git repository was hacked and the code base altered. On Sunday, two malevolent commits were pushed to the php-src Git repository kept up by the PHP team on their git.php.net server. The threat actors had signed off on these commits as though these were made by known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov. 

The incident is disturbing considering PHP stays the server-side programming language to control more than 79% of the sites on the Internet. In the noxious commits [1, 2] seen by BleepingComputer, the assailants published a strange change upstream, "fix typo" under the pretence this was a minor typographical amendment. 

As indicated by Bleeping Computer, the code has all the earmarks of being intended to embed a backdoor and make a situation wherein remote code execution (RCE) might be conceivable. Popov said the development team isn't sure precisely how the assault occurred, however, pieces of information show that the official git.php.net server was likely undermined, instead of individual Git accounts. A remark, "REMOVETHIS: sold to zerodium, mid-2017," was included in the script. There is no sign, nonetheless, that the exploit seller has any inclusion in the cyberattack. 

Zerodium's chief executive Chaouki Bekrar named the culprit as a "troll," remarking that "likely, the researcher who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun." The commits were recognized and returned before they made it downstream or affected clients. An investigation concerning the security incident is currently in progress and the team is scouring the repository for some other indications of malevolent activity. Meanwhile, however, the development team has concluded now is the opportune chance to move permanently to GitHub. 

"We have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server," Popov said. "Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net." Developers with past write access to the task's repositories will now have to join the PHP group on GitHub.
Read more »
supply chain attacks
Cyber Security GitHub Security Bug SSH supply chain attacks

GitHub Informed Clients of “Potentially Serious” Security Bug

 

GitHub on Monday informed clients that it had found what it described as an “extremely rare, but potentially serious” security bug identified with how some authenticated sessions were handled. On 8th March GitHub signed out all clients that were signed in before March 8th. The precautionary measure was taken seven days after the organization had gotten an underlying report of dubious conduct, from an external party. 

The Microsoft-owned software development platform said the bug was found on March 2 and an underlying patch was carried out on March 5. A subsequent fix was delivered on March 8 and on the evening of that very day the organization chose to invalidate all authenticated sessions to completely eliminate the possibility of exploitation. On Friday, the GitHub team has remediated the security flaw and kept on analyzing the situation over the weekend. The vulnerability being referred to, could be misused in extremely rare circumstances, when a rare condition would happen during the backend request handling process, permitting the session cookie of a logged-in GitHub client to be sent to the software of another client, giving the latter access to the former user’s account.

“It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems,” says Mike Hanley, GitHub’s recently appointed chief security officer. “Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user.” 

The organization declared that the bug existed on GitHub.com for less than two weeks and it doesn't resemble some other GitHub.com assets or products were impacted as a result of this bug. "We believe that this session misrouting occurred in less than 0.001% of authenticated sessions on GitHub.com. For the very small population of accounts that we know to be affected by this issue, we’ve reached out with additional information and guidance,” continues Hanley in the announcement. 

The organization is still analyzing if any project repositories or source code were messed with because of this vulnerability as this kind of authentication vulnerabilities could pave the way for software supply-chain attacks.
Read more »
Subscribe to: Comments (Atom)