Category: supply chain

Auto Added by WPeMatico

Leaked GitHub Python Token

Posted on By infossl
leaks, security analysis, Security technology, supply chain, Uncategorized

Here’s a disaster that didn’t happen: Cybersecurity researchers from JFrog recently discovered a GitHub Personal Access Token in a public Docker container hosted on Docker Hub, which granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF). JFrog discussed what could have happened: The … Read More “Leaked GitHub Python Token” »

Compromising the Secure Boot Process

Posted on By infossl
cryptography, encryption, keys, passwords, Security technology, supply chain, Uncategorized, vulnerabilities

This isn’t good: On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December … Read More “Compromising the Secure Boot Process” »

Supply Chain Attack against Courtroom Software

Posted on By infossl
backdoors, courts, Security technology, supply chain, Uncategorized

No word on how this backdoor was installed: A software maker serving more than 10,000 courtrooms throughout the world hosted an application update containing a hidden backdoor that maintained persistent communication with a malicious website, researchers reported Thursday, in the latest episode of a supply-chain attack. The software, known as the JAVS Viewer 8, is … Read More “Supply Chain Attack against Courtroom Software” »

Micro-Star International Signing Key Stolen

Posted on By infossl
ransomware, Security technology, signatures, supply chain, Uncategorized

Micro-Star International—aka MSI—had its UEFI signing key stolen last month. This raises the possibility that the leaked key could push out updates that would infect a computer’s most nether regions without triggering a warning. To make matters worse, Matrosov said, MSI doesn’t have an automated patching process the way Dell, HP, and many larger hardware … Read More “Micro-Star International Signing Key Stolen” »

North Korea Hacking Cryptocurrency Sites with 3CX Exploit

Posted on By infossl
cryptocurrency, cybersecurity, hacking, malware, North Korea, Security technology, supply chain, Uncategorized, vulnerabilities

News: Researchers at Russian cybersecurity firm Kaspersky today revealed that they identified a small number of cryptocurrency-focused firms as at least some of the victims of the 3CX software supply-chain attack that’s unfolded over the past week. Kaspersky declined to name any of those victim companies, but it notes that they’re based in “western Asia.” … Read More “North Korea Hacking Cryptocurrency Sites with 3CX Exploit” »

Trojaned Windows Installer Targets Ukraine

Posted on By infossl
backdoors, malware, russia, Security technology, supply chain, torrents, ukraine, Uncategorized

Mandiant is reporting on a trojaned Windows installer that targets Ukrainian users. The installer was left on various torrent sites, presumably ensnaring people downloading pirated copies of the operating system: Mandiant uncovered a socially engineered supply chain operation focused on Ukrainian government entities that leveraged trojanized ISO files masquerading as legitimate Windows 10 Operating System … Read More “Trojaned Windows Installer Targets Ukraine” »

Russian Software Company Pretending to Be American

Posted on By infossl
russia, Security technology, smartphones, supply chain, Uncategorized

Computer code developed by a company called Pushwoosh is in about 8,000 Apple and Google smartphone apps. The company pretends to be American when it is actually Russian. According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a … Read More “Russian Software Company Pretending to Be American” »

NSA on Supply Chain Security

Posted on By infossl
infrastructure, nsa, operational security, reports, Security technology, supply chain, Uncategorized

The NSA (together with CISA) has published a long report on supply-chain security: “Securing the Software Supply Chain: Recommended Practices Guide for Suppliers.“: Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third party components, and harden the build environment. But the … Read More “NSA on Supply Chain Security” »

More Russian SVR Supply-Chain Attacks

Posted on By infossl
microsoft, russia, Security technology, supply chain, Uncategorized

Microsoft is reporting that the same attacker that was behind the SolarWinds breach — the Russian SVR, which Microsoft is calling Nobelium — is continuing with similar supply-chain attacks: Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This time, … Read More “More Russian SVR Supply-Chain Attacks” »

Details of the REvil Ransomware Attack

Posted on By infossl
cyberattack, malware, ransomware, russia, Security technology, supply chain, Uncategorized, vulnerabilities, zero-day

ArsTechnica has a good story on the REvil ransomware attack of last weekend, with technical details: This weekend’s attack was carried out with almost surgical precision. According to Cybereason, the REvil affiliates first gained access to targeted environments and then used the zero-day in the Kaseya Agent Monitor to gain administrative control over the target’s … Read More “Details of the REvil Ransomware Attack” »