
Thousands of Malicious npm Packages Threaten Web Apps
2022-02-02 14:00

More than 1,300 malicious packages have been identified in the most oft-downloaded JavaScript package repository used by developers, npm, in the last six months - a rapid increase that showcases how npm has become a launchpad for a range of nefarious activities. New research from open-source security and management firm WhiteSource has discovered the disturbing increase in the delivery of malicious npm packages, which are used as building blocks for web applications.

Charming Kitten Sharpens Its Claws with PowerShell Backdoor
2022-02-02 13:58

The Iranian advanced persistent threat Charming Kitten is sharpening its claws with a new set of tools, including a novel PowerShell backdoor and related stealth tactics, that show the group evolving yet again. Researchers at cybersecurity firm Cybereason discovered the tools, which include a backdoor they dubbed "PowerLess Backdoor," as well as an evasive maneuver to run the backdoor in a .NET context rather than as one that triggers a PowerShell process, the Cybereason Nocturnus Team wrote in a report published Tuesday.

UEFI firmware vulnerabilities affect at least 25 computer vendors
2022-02-02 11:17

Researchers from firmware protection company Binarly have discovered critical vulnerabilities in the UEFI firmware from InsydeH2O used by multiple computer vendors such as Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer. UEFI software is an interface between a device's firmware and the operating system, which handles the booting process, system diagnostics, and repair functions.

Samba bug may allow code execution as root on Linux machines, NAS devices (CVE-2021-44142)
2022-02-02 10:38

A critical vulnerability in Samba, a widely used open source implementation of the Server Message Block networking protocol, could allow attackers to execute arbitrary code as root on affected Samba installations. Several updated versions of Samba have been released on Monday, fixing CVE-2021-44142 and two other flaws, but since the software is included in most Linux and Unix-like operating systems, users of those are advised to keep an eye out for specific updates by those developer teams.

DMCA-dot-com XSS vuln reported in 2020 still live today and firm has shrugged it off
2022-02-02 10:15

There is a live cross-site scripting vulnerability in takedowns website DMCA-dot-com's user interface. Infosec researcher Joel Ossi, founder of Dutch security firm Websec, announced his findings after spending more than a year trying and failing to get DMCA-dot-com to take the XSS seriously.

Behind The Buzzword: Four Ways to Assess Your Zero Trust Security Posture
2022-02-02 09:42

Some vendors have even begun to claim these measures as a form of Zero Trust, a popular idea under which an organization should not trust any entity, or grant it access to applications and data, until its risk level has been verified. While most of us understand Zero Trust conceptually, the path to Zero Trust is a complex and constantly evolving journey.

What are real organisations doing with zero trust?
2022-02-02 07:26

Like many concepts in cyber-security, Zero Trust has come to prominence recently. The concept is reckoned to have first been used in the mid-1990s, though it came to prominence around 2010 and has really started to take off in the past three years or so.

How to measure security efforts and have your ideas approved
2022-02-02 07:00

For the business the result is easier in some ways because you can measure it in the form of revenue and net income. The real challenge for the CISO is one of becoming in essence the CEO of the security business and determining how to effectively motivate and work with and through every employee toward a common result - enabling the business while achieving and maintaining an appropriate level of security.

Two initiatives that can move the needle for cybersecurity in 2022
2022-02-02 06:30

The lack of one remains the primary obstacle for organizations that want to implement effective security programs, and additional adjustments will be required for success in the new year. While a little less than half of security leaders are currently prioritizing zero trust principles as part of their security strategy, we'll see that number cross the halfway threshold by the end of 2022.

Product showcase: Cybellum’s Product Security Lifecycle Platform
2022-02-02 06:15

The product security practices we rely on are simply not built for today's devices, and for the most part, they are static and limited. Cybellum's Product Security Lifecycle Platform enables device manufacturers to secure their products throughout their entire life - from first design to operational use, and years after.