Preparing for federal supply chain security standardization

In 2021, the Biden Administration published the Executive Order on Improving the Nation’s Cybersecurity (EO 14028), setting off an agency-wide security initiative with the ultimate objective of standardizing security requirements across the Department …

Micro-Star International Signing Key Stolen

Micro-Star International—aka MSI—had its UEFI signing key stolen last month.

This raises the possibility that the leaked key could push out updates that would infect a computer’s most nether regions without triggering a warning. To make matters worse, Matrosov said, MSI doesn’t have an automated patching process the way Dell, HP, and many larger hardware makers do. Consequently, MSI doesn’t provide the same kind of key revocation capabilities.

Delivering a signed payload isn’t as easy as all that. “Gaining the kind of control required to compromise a software build system is generally a non-trivial event that requires a great deal of skill and possibly some luck.” But it just got a whole lot easier…


Unpaid open source maintainers struggle with increased security demands

Ensuring the security of the open-source software that modern organizations depend on is a crucial responsibility of the open source maintainers, especially as attacks on the software supply chain are increasingly common, according to Tidelift. Open so…

Symantec: North Korean 3CX Hackers Also Hit Critical Infrastructure Orgs

The North Korean hacking group behind the supply chain attack that hit 3CX also broke into two critical infrastructure organizations in the energy sector.

3CX Breach Was a Double Supply Chain Compromise

We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX, a complex, lengthy intrusion that has the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.

Cascading Supply Chain Attack: 3CX Hacked After Employee Downloaded Trojanized App

The 3CX hack is the first known cascading supply chain attack, with the breach starting after an employee downloaded compromised software from a different firm.

3CX supply chain attack was the result of a previous supply chain attack, Mandiant says

The incident is the first known case of one supply chain attack leading to a second supply chain attack.

The post 3CX supply chain attack was the result of a previous supply chain attack, Mandiant says appeared first on CyberScoop.