Security News
In new reporting by Reuters, investigators have stated that hundreds of customer networks have been breached in the incident, expanding the scope of this system breach beyond just Codecov's systems. As reported by BleepingComputer last week, Codecov had suffered a supply-chain attack that went undetected for over 2-months.
Security response professionals are scrambling to measure the fallout from a software supply chain compromise of Codecov Bash Uploader that went undetected since January and exposed sensitive secrets like tokens, keys and credentials from organizations around the world. The hack occurred four months ago but was only discovered in the wild by a Codecov customer on the morning of April 1, 2021, the company said in a note acknowledging the severity of the breach.
In a new report, X-Force said it recently discovered a series of phishing emails targeting 44 companies across 14 countries, all involved in the coronavirus vaccine cold chain, an aspect of the overall supply chain that ensures the safety of vaccines transported and stored in cold environments. Seen last September, the phishing campaign deploys emails spoofing a business executive from Haier Biomedical, a legitimate member company of the COVID-19 vaccine supply chain and reportedly the world's only complete cold chain provider.
DOWNSTREAM ISSUES. The result is that under-resourced teams need to manage vulnerabilities that may or may not be relevant within hundreds of libraries, possibly within many different apps, and always with the possibility that library updates may cause further downstream issues. "Failure to keep libraries updated over time not only increases risk to an organization but also makes library updates much more difficult and time-consuming when they are finally done. When a library stays dormant in an application for multiple years, any new vulnerability is difficult to fix because so much code has been built over it."
Roid smartphones from Gigaset have been infected by malware direct from the manufacturer in what appears to be a supply-chain attack. The Trojan, once downloaded and installed on a victim's device via a poisoned software update from the vendor, is capable of opening browser windows, fetching more malicious apps, and sending people text messages to further spread the malware, say researchers and users.
Attackers tried to insert backdoor into PHP source codeThe PHP development team has averted an attempted supply chain compromise that could have opened a backdoor into many web servers. The growing threat to CI/CD pipelinesBy hardening CI/CD pipelines and addressing security early in the development process, developers can deliver software faster and more securely.
The U.S. government is working to draw attention to supply chain vulnerabilities, an issue that received particular attention late last year after suspected Russian hackers gained access to federal agencies and private corporations by sneaking malicious code into widely used software. The NCSC said it is working with other agencies, including the Cybersecurity and Infrastructure Security Agency, to raise awareness of the supply chain issue.
Open source web programming language PHP narrowly avoided a potentially dangerous supply chain attack over the weekend. In theory, anyone who downloaded the very latest "Still in development" version of PHP on Sunday 2021-03-28, compiled it, and installed it on a real-life, internet facing web server could have been at risk.
A vulnerability in the Accellion file-transfer program is being used by criminal groups to hack networks worldwide. There's much in the article about when Accellion knew about the vulnerability, when it alerted its customers, and when it patched its software.
Accenture and Ripjar are collaborating with Royal Dutch Shell to further enhance risk screening within its global supply chain using artificial intelligence. Shell is leveraging Accenture's industry experience and risk expertise to configure Ripjar's AI technology for analysis of its supply chain.