Security News
Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by a single attack on one supplier can compromise an entire network of providers. Supply chain attacks are now expected to increase fourfold in 2021 compared to last year.
The maintainers of Python Package Index last week issued fixes for three vulnerabilities, one among which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository. The security weaknesses were discovered and reported by Japanese security researcher RyotaK, who in the past has disclosed critical vulnerabilities in the Homebrew Cask repository and Cloudflare's CDNJS library.
One expert offers ways to take the target off supply chain vendors. In his Help Net Security article, "How can a business ensure the security of their supply chain?", Reed focused specifically on Merritt's concern about making sure supply chain vendors are putting in the effort to meet security standards.
Businesses have connections to other businesses that supply them with goods, and to businesses they in turn supply, both with parts and with software. In many cases, a company has its own supply chain while simultaneously being part of the supply chain of other, probably larger, businesses.
Worried about supply chain attacks? Tom Merritt can help you understand your risk. Whether it's Stuxnet, SolarWinds or Microsoft Exchange, chances are you've read about supply chain attacks.
Worried about supply chain attacks? Tom Merritt has answers for you.
Web infrastructure and website security company Cloudflare last month fixed a critical vulnerability in its CDNJS library that's used by 12.7% of all websites on the internet. CDNJS is a free and open-source content delivery network that serves about 4,041 JavaScript and CSS libraries, making it the second most popular CDN for JavaScript after Google Hosted Libraries.
U.S. technology firm Kaseya, which is firefighting the largest ever supply-chain ransomware strike on its VSA on-premises product, ruled out the possibility that its codebase was tampered with without authorization to distribute malware. While initial reports raised speculation that REvil, the ransomware gang behind the attack, might have gained access to Kaseya's backend infrastructure and abused it to deploy a malicious update to VSA servers running on client premises, in a modus operandi similar to that of the devastating SolarWinds hack, it has since emerged that a previously unknown security vulnerability in the software was leveraged to push ransomware to Kaseya's customers.
A ransomware attack against a single company's software product is having a ripple effect across more than 1,000 organizations. The supply chain nature of Kaseya's business means that far more companies have now been caught in the aftermath of the attack.
Since the SolarWinds supply chain attack, there has been an increased focus on how organizations of all sizes ensure the security of their suppliers. In the first quarter of 2021, 137 organizations reported experiencing supply chain attacks at 27 different third-party vendors, while the number of supply chain attacks rose 42% from the previous quarter.