Security News > 2022 > September

The U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency have released tips today on securing the software supply chain. "Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations," the Department of Defense's intelligence agency said.

Though you may be able to remove passwords from many enterprise components, a large portion of third-party providers, government portals, business suppliers, and SaaS services will still rely primarily on password-based accounts. There is no obvious policy to prevent reusing corporate LDAP passwords in online services, or sharing the same passwords across multiple web accounts.

Blue badges are highly coveted as Instagram provides them to accounts it verified to be authentic, representing a public figure, celebrity, or brand. The spear emails in the recently observed phishing campaign inform recipients that they Instagram reviewed their accounts and deemed them eligible for a blue badge.

The operators of the emerging cross-platform BianLian ransomware have increased their command-and-control infrastructure this month, a development that alludes to an increase in the group's operational tempo. "BianLian has also targeted SonicWall VPN devices for exploitation, another common target for ransomware groups," [redacted] researchers Ben Armstrong, Lauren Pearce, Brad Pittack, and Danny Quist said.

Brian Krebs is reporting on a clever PayPal phishing scam that uses legitimate PayPal messaging. Basically, the scammers use the PayPal invoicing system to send the email.

Neopets has released details about the recently disclosed data breach incident that exposed personal information of more than 69 million members. Findings of the investigation launched on July 20, 2022 revealed that attackers had access to the Neopets IT systems from January 3, 2021 until July 19, 2022.

Researchers have identified 1,859 apps across Android and iOS containing hard-coded Amazon Web Services credentials, posing a major security risk. "Over three-quarters of the apps contained valid AWS access tokens allowing access to private AWS cloud services," Symantec's Threat Hunter team, a part of Broadcom Software, said in a report shared with The Hacker News.

Massive amounts of private data - including more than 300,000 biometric digital fingerprints used by five mobile banking apps - have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers. In all, 77 percent of these apps contained valid AWS access tokens that allowed access to private AWS cloud services, the intelligence team noted in research published today.

The attack infrastructure used to target Cisco in the May 2022 incident was also employed against an attempted compromise of an unnamed workforce management solutions holding company a month earlier in April 2022. Initial access to the company's IT network was made possible by using stolen Virtual Private Network credentials, followed by leveraging off-the-shelf tools for lateral movement and gaining deeper access into the victim's environment.

Researchers at Symantec's Threat Hunting team, part of Broadcom Software, found 1,859 applications containing hard-coded AWS credentials, most of them being iOS apps and just 37 for Android. The threat analysts highlight three notable cases in their report where the exposed AWS tokens could have had catastrophic consequences for both authors and users of the vulnerable apps.