Security News

So we though we'd take a quick look back at some of the major issues we covered over the last couple of weeks, and reiterate the serious security lessons we can learn from them. If you are ever stuck with doing a data breach notification, don't try to rewrite history to your marketing advantage.

Dec. 31, 2022, the PyTorch machine learning framework announced on its website that one of its packages had been compromised via the PyPI repository. According to the PyTorch team, a malicious torchtriton dependency package was uploaded to the PyPI code repository on Friday, Dec. 30, 2022, at around 4:40 p.m. The malicious package had the same package name as the one shipped on the PyTorch nightly package index.

Now there are new third party risk assessment strategies, services and tools that can help identify security "Weak points" in your company's supply chain. In 2021, BlueVoyant, a cybersecurity provider, reported that 98% of organizations it had surveyed said they had been impacted by a supply chain security breach.

Software development isn't only about code; more importantly, it's driven by a set of best practices and guidelines that help us write better and more secure software. Like all large software companies, Microsoft has developed its own set of policies and procedures to implement approaches like its Secure Software Development Lifecycle.

Sadly, that's long merely in terms of time, not long in terms of technical complexity or the number of links in the chain itself. In the early 2010s, a web analytics company called Cockpit offered a free web marketing and analytics service.

An Iranian advanced persistent threat actor known as Agrius has been attributed as behind a set of data wiper attacks aimed at diamond industries in South Africa, Israel, and Hong Kong. The wiper, codenamed Fantasy by ESET, is believed to have been delivered via a supply chain attack targeting an Israeli software suite developer as part of a campaign that began in February 2022.

The Iranian Agrius APT hacking group is using a new 'Fantasy' data wiper in supply-chain attacks impacting organizations in Israel, Hong Kong, and South Africa. In this campaign, Agrius used a new wiper named 'Fantasy' hidden inside a software suite created by an Israeli vendor.

Three different security flaws have been disclosed in American Megatrends MegaRAC Baseboard Management Controller software that could lead to remote code execution on vulnerable servers. "The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage," firmware and hardware security company Eclypsium said in a report shared with The Hacker News.

IBM has fixed a high-severity security vulnerability affecting its Cloud Databases for PostgreSQL product that could be potentially exploited to tamper with internal repositories and run unauthorized code. The privilege escalation flaw, dubbed "Hell's Keychain" by cloud security firm Wiz, has been described as a "First-of-its-kind supply-chain attack vector impacting a cloud provider's infrastructure."

IBM has fixed a high-severity security vulnerability affecting its Cloud Databases for PostgreSQL product that could be potentially exploited to tamper with internal repositories and run unauthorized code. The privilege escalation flaw, dubbed "Hell's Keychain" by cloud security firm Wiz, has been described as a "First-of-its-kind supply-chain attack vector impacting a cloud provider's infrastructure."