Security News

British Airways, the BBC, and UK pharmacy chain Boots are among the companies whose data has been compromised after miscreants exploited a critical vulnerability in deployments of the MOVEit document-transfer app. Instead, payroll services provider Zellis on Monday admitted its MOVEit installation had been exploited, and as a result "a small number of our customers" - including the aforementioned British trio - had their information stolen.

Integrating proprietary and open-source code, APIs, user interfaces, application behavior, and deployment workflows creates an intricate composition in modern applications. Any vulnerabilities within this software supply chain can jeopardize your and your customers' safety.

TechRepublic Premium Bring your own device policy PURPOSE The purpose of this Bring your own device policy from TechRepublic Premium is to provide requirements for BYOD usage and establish the steps that both users and the IT department should follow to initialize, support and remove devices from company access. These requirements must be followed as documented in order to protect company systems .....

Google on Wednesday announced the 0.1 Beta version of GUAC for organizations to secure their software supply chains. GUAC aims to aggregate software security metadata from different sources into a graph database that maps out relationships between software, helping organizations determine how one piece of software affects another.

In 2021, the Biden Administration published the Executive Order on Improving the Nation's Cybersecurity, setting off an agency-wide security initiative with the ultimate objective of standardizing security requirements across the Department of Defense and the Federal Civilian Executive Branch supply chain. These revisions point to a wider adoption of the NIST SP 800-171 and 800-53 controls, meaning that organizations contracting across the FCEB supply chain should start reviewing their current security posture in preparation.

Like PyPI for Pythonistas, Gems for Ruby fans, NPM for JavaScript programmers, or LuaRocks for Luaphiles, Packagist is a repository where community contributors can publish details of PHP packages they've created. Unlike PyPI, which provides its own servers where the actual library code is stored, Packagist links to, but doesn't itself keep copies of, the code you need to download. There's an upside to doing it this way, notably that projects that are managed via well-known source code services such as GitHub don't need to maintain two copies of their official releases, which helps avoid the problem of "Version drift" between the source code control system and the packaging system.

Pieces of the 3CX supply chain compromise puzzle are starting to fall into place, though we're still far away from seeing the complete picture. 3CX engaged Mandiant to investigate how their own compromise happened, and they revealed last Thursday that one of 3CX employees downloaded the booby-trapped X TRADER installer, leading to the ultimate deployment of a modular backdoor on their system.

In Brief We thought it was probably the case when the news came out, but now it's been confirmed: The X Trader supply chain attack behind the 3CX compromise last month wasn't confined to the telco developer. For those unfamiliar with the incident, 3CX reported a supply chain attack that saw its 3CX DesktopApp compromised with a trojanized version of the X Trader futures trading app published by Trading Technologies.

The X Trader software supply chain attack that led to last month's 3CX breach has also impacted at least several critical infrastructure organizations in the United States and Europe, according to Symantec's Threat Hunter Team. While the Trading Technologies supply chain compromise is the result of a financially motivated campaign, the breach of multiple critical infrastructure organizations is worrisome, seeing that North Korean-backed hacking groups are also known for cyber espionage.

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors. Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a "Software supply chain attack lead to another software supply chain attack."