Security News
Cloudflare has fixed a critical vulnerability in its free and open-source CDNJS, potentially impacting 12.7% of all websites on the internet. CDNJS serves millions of websites with over 4,000 JavaScript and CSS libraries stored publicly on GitHub, making it the second-largest JavaScript CDN. The exploit involved publishing packages to Cloudflare's CDNJS through GitHub and npm to trigger a path traversal vulnerability and, eventually, remote code execution.
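As an added illustration (not code from Cloudflare or the CDNJS project, and assuming the traversal comes from file paths inside a published package archive), a pre-extraction check that rejects archive members which would land outside the destination directory; the sample tarball and the destination path are constructed for the example:

```python
import io
import os
import tarfile


def build_sample_tarball() -> bytes:
    """Constructed sample package archive (not a real CDNJS/npm artifact):
    two ordinary library files plus two members whose names escape the
    extraction directory, the defect class behind the CDNJS advisory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("package/dist/lib.min.js",
                     "package/dist/lib.min.css",
                     "package/../../escape.js",   # relative traversal
                     "/tmp/absolute.js"):         # absolute path
            data = b"/* constructed */"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_inside(dest: str, member_name: str) -> bool:
    """True only if dest/member_name resolves to a location under dest.
    os.path.join drops dest when member_name is absolute, and realpath
    collapses '..' segments, so both escape forms are caught here."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def audit_archive(data: bytes, dest: str) -> dict:
    """Classify archive members as safe or rejected before anything is
    written to disk; rejected members must never be extracted."""
    result = {"safe": [], "rejected": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            # Symlinks and hard links can also point outside dest, so a
            # publishing pipeline should reject them as well.
            if member.issym() or member.islnk():
                result["rejected"].append(member.name)
            elif is_inside(dest, member.name):
                result["safe"].append(member.name)
            else:
                result["rejected"].append(member.name)
    return result


if __name__ == "__main__":
    print(audit_archive(build_sample_tarball(), "/opt/cdnjs/extract"))
```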
On Wednesday, Atlas VPN released a report using Identity Theft Resource Center data, outlining personal data breaches for the first half of 2021. "Millions of individuals and organizations are affected every day by cyberattacks that threaten to steal sensitive data. Even though more people have become aware of cyber risks, hackers develop new techniques and malware to stay ahead of defense technologies," reads a portion of the blog post written by William S., an Atlas VPN publisher and cybersecurity researcher.
An unknown threat actor has compromised the servers of Mongolian certificate authority MonPass and abused the organization's website for malware distribution, according to security researchers at Avast. A major CA in East Asia, MonPass appears to have been breached at least six months ago, with the attackers returning to a compromised public web server approximately eight times.
These types of email attacks rely on simple language and exploit human nature to scam their victims, making detection difficult, says Cisco Talos. The Business Email Compromise attack is a popular tactic among cybercriminals.
Email is one of the most popular tools exploited by cybercriminals to launch attacks against organizations. One particular tactic favored by criminals is the Business Email Compromise in which the scammer spoofs a trusted contact to defraud a company out of money.
Malicious hackers are exploiting an old VPN security flaw to compromise SonicWall SRA devices, according to a warning from security vendor CrowdStrike. The vulnerability in question, tracked as CVE-2019-7481, was originally patched by SonicWall back in 2019, but CrowdStrike is warning that the firmware updates did not properly mitigate the issue on legacy SRA devices.
Don't miss today's live webinar to learn how you can better stop Vendor Email Compromise (VEC) attacks when your partners or suppliers have been compromised or spoofed. Topics: what VEC is, and the weakness in email security.
ESET has published details of an advanced persistent threat crew that appears to have deployed recent supply chain attack methods against targets including "electronics manufacturers," although it didn't specify which. "Victims of its campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities," said ESET in a research report published today that names the APT crew as Gelsemium.
Belgium's Federal Public Service Interior has suffered a "complex, sophisticated and targeted cyberattack." When Microsoft released out-of-band security updates for Exchange Server in early March to fix zero-day vulnerabilities exploited by the Hafnium threat actor, the FPS Interior called in the Centre for Cybersecurity Belgium to help with the patching of its Exchange servers.
Each one of these supply chain attacks targeted a different piece of implicitly trusted infrastructure: infrastructure that you may or may not be paying attention to as a potential target in your organization. Package squatting via software package repositories.