Security News

Rogue npm Package Deploys Open-Source Rootkit in New Supply Chain Attack
2023-10-04 11:16

A new deceptive package hidden within the npm package registry has been uncovered deploying an open-source rootkit called r77, marking the first time a rogue package has delivered rootkit...

Critical JetBrains TeamCity vulnerability could be exploited to launch supply chain attacks (CVE-2023-42793)
2023-09-26 14:48

Software development firm JetBrains has fixed a critical vulnerability in its TeamCity continuous integration and continuous delivery solution, which may allow authenticated attackers to achieve remote code execution and gain control of the server. "As of September 25, 2023, Rapid7 is not aware of in-the-wild exploitation of CVE-2023-42793, and no public exploit code is available," shared Caitlin Condon, head of vulnerability research at Rapid7.

Do You Really Trust Your Web Application Supply Chain?
2023-09-20 10:34

Well, you shouldn’t. It may already be hiding vulnerabilities. It's the modular nature of modern web applications that has made them so effective. They can call on dozens of third-party web...

Greater Manchester Police ransomware attack another classic demo of supply chain challenges
2023-09-15 09:45

The UK's Greater Manchester Police has admitted that crooks have got their mitts on some of its data after a third-party supplier responsible for ID badges was attacked. Assistant Chief Constable Colin McFarlane of Greater Manchester Police said: "We are aware of a ransomware attack affecting a third-party supplier of various UK organizations, including GMP, which holds some information on those employed by GMP.".

The rise and evolution of supply chain attacks
2023-09-13 04:00

A supply chain attack is a cyberattack that focuses on a third-party supplier providing essential services or software to the supply chain. In this Help Net Security video, Dick O'Brien, Principal Intelligence Analyst in the Symantec Threat Hunter team, discusses the transformation of supply chain attacks.

Carderbee hacking group hits Hong Kong orgs in supply chain attack
2023-08-22 10:00

A previously unidentified APT hacking group named 'Carderbee' was observed attacking organizations in Hong Kong and other regions in Asia, using legitimate software to infect targets' computers with the PlugX malware. Symantec reports that the legitimate software used in the supply chain attack is Cobra DocGuard, created by Chinese developer' EsafeNet,' and used in security applications for data encryption/decryption.

Microsoft PowerShell Gallery vulnerable to spoofing, supply chain attacks
2023-08-17 20:00

Lax policies for package naming on Microsoft's PowerShell Gallery code repository allow threat actors to perform typosquatting attacks, spoof popular packages and potentially lay the ground for massive supply chain attacks. PowerShell Gallery is a Microsoft-run online repository of packages uploaded by the wider PowerShell community, hosting a large number of scripts and cmdlet modules for various purposes.

Triple Extortion Ransomware and the Cybercrime Supply Chain
2023-08-17 14:00

In recent years, ransomware groups have evolved their tactics to not only encrypt data but also exfiltrate it, making it a double-edged weapon for extortion. The rise of data extortion ransomware has coincided with a dramatic increase in both the number of groups active and the number of attacks against organizations.

Experts Uncover Weaknesses in PowerShell Gallery Enabling Supply Chain Attacks
2023-08-16 11:56

Active flaws in the PowerShell Gallery could be weaponized by threat actors to pull off supply chain attacks against the registry's users. "These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package," Aqua security researchers Mor Weinberger, Yakir Kadkoda, and Ilay Goldman said in a report shared with The Hacker News.

Unraveling the importance of software supply chain security
2023-08-07 03:00

The software supply chain encompasses the entire lifecycle of a software product, from its conception and development to its distribution and deployment. One of the key challenges in the software supply chain is the growing reliance on third-party components and dependencies, especially in open-source software.