Security News

New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries
2023-06-15 11:56

In what is a new kind of software supply chain attack aimed at open source projects, it has emerged that threat actors could seize control of expired Amazon S3 buckets to serve rogue binaries without altering the modules themselves. "Malicious binaries steal the user IDs, passwords, local machine environment variables, and local host name, and then exfiltrate the stolen data to the hijacked bucket," Checkmarx researcher Guy Nachshon said.

BBC, British Airways, Boots hit with hackers’ ultimatum after suffering MOVEit supply-chain attack
2023-06-09 21:34

British Airways, BBC and Boots have all been served an ultimatum after they were hit with a supply-chain attack by the ransomware group Clop. In February 2023, Clop claimed responsibility for a supply-chain attack that affected more than 130 organizations, including data belonging to CHS Healthcare patients.

Dissecting the Dark Web Supply Chain: Stealer Logs in Context
2023-06-06 14:04

Stealer logs represent one of the primary threat vectors for modern companies. Threat actors who purchase stealer logs have the responsibility of distributing the malware to victims.

British Airways, Boots, BBC payroll data stolen in MOVEit supply-chain attack
2023-06-05 19:29

British Airways, the BBC, and UK pharmacy chain Boots are among the companies whose data has been compromised after miscreants exploited a critical vulnerability in deployments of the MOVEit document-transfer app. Payroll services provider Zellis on Monday admitted its MOVEit installation had been exploited, and as a result "a small number of our customers" - including the aforementioned British trio - had their information stolen.

CISO-approved strategies for software supply chain security
2023-05-29 04:30

Integrating proprietary and open-source code, APIs, user interfaces, application behavior, and deployment workflows creates an intricate composition in modern applications. Any vulnerabilities within this software supply chain can jeopardize your and your customers' safety.

From CEO Fraud to Vendor Fraud: The Shift to Financial Supply Chain Compromise
2023-05-25 16:00


GUAC 0.1 Beta: Google's Breakthrough Framework for Secure Software Supply Chains
2023-05-25 05:45

Google on Wednesday announced the 0.1 Beta version of GUAC for organizations to secure their software supply chains. GUAC aims to aggregate software security metadata from different sources into a graph database that maps out relationships between software, helping organizations determine how one piece of software affects another.

Preparing for federal supply chain security standardization
2023-05-17 04:30

In 2021, the Biden Administration published the Executive Order on Improving the Nation's Cybersecurity, setting off an agency-wide security initiative with the ultimate objective of standardizing security requirements across the Department of Defense and the Federal Civilian Executive Branch supply chain. These revisions point to a wider adoption of the NIST SP 800-171 and 800-53 controls, meaning that organizations contracting across the FCEB supply chain should start reviewing their current security posture in preparation.

PHP Packagist supply chain poisoned by hacker “looking for a job”
2023-05-05 18:59

Like PyPI for Pythonistas, Gems for Ruby fans, NPM for JavaScript programmers, or LuaRocks for Luaphiles, Packagist is a repository where community contributors can publish details of PHP packages they've created. Unlike PyPI, which provides its own servers where the actual library code is stored, Packagist links to, but doesn't itself keep copies of, the code you need to download. There's an upside to doing it this way, notably that projects that are managed via well-known source code services such as GitHub don't need to maintain two copies of their official releases, which helps avoid the problem of "version drift" between the source code control system and the packaging system.

3CX breach linked to previous supply chain compromise
2023-04-24 13:23

Pieces of the 3CX supply chain compromise puzzle are starting to fall into place, though we're still far away from seeing the complete picture. 3CX engaged Mandiant to investigate how their own compromise happened, and they revealed last Thursday that one of 3CX's employees downloaded the booby-trapped X_TRADER installer, leading to the ultimate deployment of a modular backdoor on their system.