Security News
In 2020 attackers were observed pivoting their attacks to businesses for which global COVID-19 response efforts heavily relied, such as hospitals, medical and pharmaceutical manufacturers, as well as energy companies powering the COVID-19 supply chain. "In essence, the pandemic reshaped what is considered critical infrastructure today, and attackers took note. Many organizations were pushed to the front lines of response efforts for the first time - whether to support COVID-19 research, uphold vaccine and food supply chains, or produce personal protective equipment," said Nick Rossmann, Global Threat Intelligence Lead, IBM Security X-Force.
Today, developers at small or large companies use package managers to download and import libraries that are then assembled together using build tools to create a final app. For these apps, companies will often use private libraries that they store inside a private package repository, hosted inside the company's own network.
Supply chain attacks, ransomware, data extortion and nation-state threats prove to be more prolific than ever, a CrowdStrike report suggests. Among a popular vector for cybercriminals is the supply chain as it allows malicious actors to propagate multiple downstream targets from a single intrusion.
Bloomberg News has a major story about the Chinese hacking computer motherboards made by Supermicro, Levono, and others. China's exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter.
These npm packages are identical to the proof-of-concept packages created by Alex Birsan, the researcher who had recently managed to infiltrate over major 35 tech firms and walk away with over six-figures in bug bounty rewards. Birsan tells BleepingComputer he is not behind these copycat "Research" packages, although he did admit to uploading a few more packages today under his real npm account.
These npm packages are identical to the proof-of-concept packages created by Alex Birsan, the researcher who had recently managed to infiltrate over major 35 tech firms and walk away with over six-figures in bug bounty rewards. Birsan tells BleepingComputer he is not behind these copycat "Research" packages, although he did admit to uploading a few more packages today under his real npm account.
SecurityWeek will host its 2021 Supply Chain Security Summit as a virtual event on March 10, 2021. In the wake of the SolarWinds mega-hack that continues to unravel, software supply chain security and fragility is again on the front-burner for enterprise security decision makers.
These installers-such as Python Package Index for Python or npm and the npm registry for Node-are usually tied to public code repositories where anyone can freely upload code packages for others to use, Birsan noted. Birsan decided to answer this question last summer while attempting to hack PayPal with another ethical hacker, Justin Gardner, who shared with him "An interesting bit of Node.js source code found on GitHub," Birsan said.
In what's a novel supply chain attack, a security researcher managed to breach over 35 major companies' internal systems, including that of Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, and achieve remote code execution. The technique, called dependency confusion or a substitution attack, takes advantage of the fact that a piece of software may include components from a mix of private and public sources.
A researcher managed to breach over 35 major companies' internal systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, in a novel software supply chain attack. Unlike traditional typosquatting attacks that rely on social engineering tactics or the victim misspelling a package name, this particular supply chain attack is more sophisticated as it needed no action by the victim, who automatically received the malicious packages.