The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: supply chain attack

Iranian Hackers Target Several Israeli Organizations With Supply-Chain Attacks

Iranian Hackers Target Several Israeli Organizations With Supply-Chain Attacks
August 18, 2021Ravie Lakshmanan
IT and communication companies in Israel were at the center of a supply chain attack campaign spearheaded by an Iranian threat actor that involved impersonating the firms and their HR personnel to target victims with fake job offers in an attempt to penetrate their computers and gain access to the company's clients. The attacks, which occurred in two waves in May and July 2021, have been linked to a hacker group called Siamesekitten (aka Lyceum or Hexane) that has primarily singled out oil, gas, and telecom providers in the Middle East and in Africa at least since 2018, researchers from ClearSky  said  in a report published Tuesday. Infections undertaken by the adversary commenced with identifying potential victims, who were then enticed with "alluring" job offers in well-known companies like ChipPc and Software AG by posing as human resources department employees from the impersonated firms, only to lead the victims to a phishing website containing weaponized files t

Several Malicious Typosquatted Python Libraries Found On PyPI Repository

Several Malicious Typosquatted Python Libraries Found On PyPI Repository
July 30, 2021Ravie Lakshmanan
As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks. "Lack of moderation and automated security controls in public software repositories allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks," JFrog researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe  said  Thursday. PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like  pip  relying on it as the default source for packages and their dependencies. The Python packages in question, which were found to be obfuscated using Base64 encoding, are listed below - pytagora (uploaded by leonora123) pytagora2 (upl

Malicious NPM Package Caught Stealing Users' Saved Passwords From Browsers

Malicious NPM Package Caught Stealing Users' Saved Passwords From Browsers
July 21, 2021Ravie Lakshmanan
A software package available from the official NPM repository has been revealed to be actually a front for a tool that's designed to steal saved passwords from the Chrome web browser. The package in question, named " nodejs_net_server " and downloaded over 1,283 times since February 2019, was last updated seven months ago (version 1.1.2), with its corresponding repository leading to non-existent locations hosted on GitHub.  "It isn't malicious by itself, but it can be when put into the malicious use context," ReversingLabs researcher Karlo Zanki  said  in an analysis shared with The Hacker News. "For instance, this package uses it to perform malicious password stealing and credential exfiltration. Even though this off-the-shelf password recovery tool comes with a graphical user interface, malware authors like to use it as it can also be run from the command line." While the first version of the package was put out just to test the process of p

Kaseya Releases Patches for Flaws Exploited in Widespread Ransomware Attack

Kaseya Releases Patches for Flaws Exploited in Widespread Ransomware Attack
July 11, 2021Ravie Lakshmanan
Florida-based software vendor Kaseya on Sunday rolled out urgent updates to address critical security vulnerabilities in its Virtual System Administrator (VSA) solution that was used as a jumping off point to target as many as 1,500 businesses across the globe as part of a widespread supply-chain ransomware attack . Following the incident, the company had urged on-premises VSA customers to shut down their servers until a patch was available. Now, almost 10 days later the firm has shipped VSA version 9.5.7a (9.5.7.2994) with fixes for three new security flaws —  CVE-2021-30116 - Credentials leak and business logic flaw CVE-2021-30119 - Cross-site scripting vulnerability CVE-2021-30120 - Two-factor authentication bypass The security issues are part of a total of seven vulnerabilities that were discovered and reported to Kaseya by the Dutch Institute for Vulnerability Disclosure ( DIVD ) earlier in April, of which four other weaknesses were remediated in previous releases —

Kaseya Rules Out Supply-Chain Attack; Says VSA 0-Day Hit Its Customers Directly

Kaseya Rules Out Supply-Chain Attack; Says VSA 0-Day Hit Its Customers Directly
July 06, 2021Ravie Lakshmanan
U.S. technology firm Kaseya, which is firefighting the largest ever  supply-chain ransomware strike  on its VSA on-premises product, ruled out the possibility that its codebase was unauthorizedly tampered with to distribute malware. While initial reports raised speculations that REvil, the ransomware gang behind the attack, might have gained access to Kaseya's backend infrastructure and abused it to deploy a malicious update to VSA servers running on client premises, in a modus operandi similar to that of the devastating SolarWinds hack, it has since emerged that a never-before-seen security vulnerability ( CVE-2021-30116 ) in the software was leveraged to push ransomware to Kaseya's customers. "The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution," the Miami-headquartered company  noted  in the incident analysis. "This allowed the attackers to leverage the standard VSA pro

REvil Used 0-Day in Kaseya Ransomware Attack, Demands $70 Million Ransom

REvil Used 0-Day in Kaseya Ransomware Attack, Demands $70 Million Ransom
July 04, 2021Ravie Lakshmanan
Amidst the massive  supply-chain ransomware attack  that triggered an infection chain compromising thousands of businesses on Friday, new details have emerged about how the notorious Russia-linked REvil cybercrime gang may have pulled off the unprecedented hack. The Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday  revealed  it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. The non-profit entity said the company was in the process of resolving the issues as part of a coordinated vulnerability disclosure when the July 2 attacks took place. More specifics about the flaws were not shared, but DIVD chair Victor Gevers  hinted  that the zero-days are trivial to exploit. At least 1,000 businesses are said to have been affected by the attacks, with victims identified in no less than 17 countries, including the U.K., South Africa, Canada, Argentina, Mexico, Indo

Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software

Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software
July 02, 2021Ravie Lakshmanan
In yet another instance of software supply chain attack, unidentified hackers breached the website of  MonPass , one of Mongolia's major certificate authorities, to backdoor its installer software with Cobalt Strike binaries. The trojanized client was available for download between February 8, 2021, and March 3, 2021, said Czech cybersecurity software company Avast in a  report  published Thursday. In addition, a public webserver hosted by MonPass was infiltrated potentially as many as eight separate times, with the researchers uncovering eight different web shells and backdoors on the compromised server. Avast's investigation into the incident began after it discovered the backdoored installer and the implant on one of its customers' systems. "The malicious installer is an unsigned [Portable Executable] file," the researchers said. "It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate versi

Google Releases New Framework to Prevent Software Supply Chain Attacks

Google Releases New Framework to Prevent Software Supply Chain Attacks
June 18, 2021Ravie Lakshmanan
As software supply chain attacks emerge as a point of concern in the wake of SolarWinds and Codecov  security incidents, Google is proposing a solution to ensure the integrity of software packages and prevent unauthorized modifications.  Called " Supply chain Levels for Software Artifacts " (SLSA, and pronounced "salsa"), the end-to-end framework aims to secure the software development and deployment pipeline — i.e., the source ➞ build ➞ publish workflow — and  mitigate threats  that arise out of tampering with the source code, the build platform, and the artifact repository at every link in the chain. Google said SLSA is inspired by the company's own internal enforcement mechanism called Binary Authorization for Borg , a set of auditing tools that verifies code provenance and implements code identity to ascertain that the deployed production software is properly reviewed and authorized. "In its current state, SLSA is a set of incrementally adoptable

NoxPlayer Supply-Chain Attack is Likely the Work of Gelsemium Hackers

NoxPlayer Supply-Chain Attack is Likely the Work of Gelsemium Hackers
June 14, 2021Ravie Lakshmanan
A new cyber espionage group named Gelsemium has been linked to a  supply chain attack targeting the NoxPlayer  Android emulator that was disclosed earlier this year. The findings come from a systematic analysis of multiple campaigns undertaken by the APT crew, with evidence of the earliest attack dating back all the way to 2014 under the codename  Operation TooHash  based on malware payloads deployed in those intrusions. "Victims of these campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities," cybersecurity firm ESET  said  in an analysis published last week. "Gelsemium's whole chain might appear simple at first sight, but the exhaustive configurations, implanted at each stage, modify on-the-fly settings for the final payload, making it harder to understand." Targeted countries include China, Mongolia, North and South Korea, Japan, Turkey, Iran, Iraq, Saudi

Newly Discovered Bugs in VSCode Extensions Could Lead to Supply Chain Attacks

Newly Discovered Bugs in VSCode Extensions Could Lead to Supply Chain Attacks
May 26, 2021Ravie Lakshmanan
Severe security flaws uncovered in popular Visual Studio Code extensions could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment (IDE). The vulnerable extensions could be exploited to run arbitrary code on a developer's system remotely, in what could ultimately pave the way for supply chain attacks. Some of the extensions in question are "LaTeX Workshop," "Rainbow Fart," "Open in Default Browser," and "Instant Markdown," all of which have cumulatively racked up about two million installations between them. "Developer machines usually hold significant credentials, allowing them (directly or indirectly) to interact with many parts of the product," researchers from open-source security platform Snyk  said  in a deep-dive published on May 26. "Leaking a developer's private key can allow a malicious stakeholder to clone important

Rapid7 Source Code Breached in Codecov Supply-Chain Attack

Rapid7 Source Code Breached in Codecov Supply-Chain Attack
May 14, 2021Ravie Lakshmanan
Cybersecurity company Rapid7 on Thursday revealed that unidentified actors improperly managed to get hold of a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year. "A small subset of our source code repositories for internal tooling for our [Managed Detection and Response] service was accessed by an unauthorized party outside of Rapid7," the Boston-based firm  said  in a disclosure. "These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers." On April 15, software auditing startup Codecov alerted customers that its Bash Uploader utility had been infected with a backdoor as early as January 31 by unknown parties to gain access to authentication tokens for various internal software accounts used by developers. The incident didn't come to light until April 1. "The actor gained access bec

A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks

A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks
April 29, 2021Ravie Lakshmanan
The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from  SonarSource , following which a hotfix was deployed less than 12 hours later. "Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders," Composer  said  its  release notes  for versions 2.0.13 and 1.10.22 published on Wednesday. "To the best of our knowledge the vulnerability has not been exploited." Composer  is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project. It also allows users to install PHP applications that are available on  Packagist , a repository that aggregates all public P

Passwordstate Password Manager Update Hijacked to Install Backdoor on Thousands of PCs

Passwordstate Password Manager Update Hijacked to Install Backdoor on Thousands of PCs
April 24, 2021Ravie Lakshmanan
Click Studios, the Australian software company behind the Passwordstate password management application, has notified customers to reset their passwords following a supply chain attack. The Adelaide-based firm said a bad actor used sophisticated techniques to compromise the software's update mechanism and used it to drop malware on user computers. The breach is said to have occurred between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC, for a total period of about 28 hours. "Only customers that performed In-Place Upgrades between the times stated above are believed to be affected," the company  said  in an advisory. "Manual Upgrades of Passwordstate are not compromised. Affected customers password records may have been harvested." The development was first reported by the Polish tech news site  Niebezpiecznik . It's not immediately clear who the attackers are or how they compromised the password manager's update feature. Click Studios said an i

Researchers Find 3 New Malware Strains Used by SolarWinds Hackers

Researchers Find 3 New Malware Strains Used by SolarWinds Hackers
March 05, 2021Ravie Lakshmanan
FireEye and Microsoft on Thursday said they discovered three more malware strains in connection with the SolarWinds supply-chain attack, including a "sophisticated second-stage backdoor," as the investigation into the  sprawling espionage campaign  continues to yield fresh clues about the threat actor's tactics and techniques.  Dubbed GoldMax (aka SUNSHUTTLE), GoldFinder, and Sibot, the new set of malware adds to a growing list of malicious tools such as  Sunspot ,  Sunburst  (or Solorigate),  Teardrop , and  Raindrop  that were stealthily delivered to enterprise networks by  alleged Russian operatives . "These tools are new pieces of malware that are unique to this actor," Microsoft  said . "They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with Teardrop and other hands-on-keyboard actions." Microsoft al

SolarWinds Blames Intern for 'solarwinds123' Password Lapse

SolarWinds Blames Intern for 'solarwinds123' Password Lapse
March 01, 2021Ravie Lakshmanan
As cybersecurity researchers continue to piece together the sprawling  SolarWinds supply chain attack , top executives of the Texas-based software services firm blamed an intern for a critical password lapse that went unnoticed for several years.  The said password " solarwinds123 " was originally believed to have been publicly accessible via a GitHub repository since June 17, 2018, before the misconfiguration was addressed on November 22, 2019. But in a  hearing  before the House Committees on Oversight and Reform and Homeland Security on SolarWinds on Friday, CEO Sudhakar Ramakrishna testified that the password had been in use as early as 2017. While a preliminary investigation into the attack revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, Crowdstrike's incident response efforts pointed to a  revi

A New Software Supply‑Chain Attack Targeted Millions With Spyware

A New Software Supply‑Chain Attack Targeted Millions With Spyware
February 01, 2021Ravie Lakshmanan
Cybersecurity researchers today disclosed a new supply chain attack targeting online gamers by compromising the update mechanism of NoxPlayer, a free Android emulator for PCs and Macs. Dubbed " Operation NightScout " by Slovak cybersecurity firm ESET, the highly-targeted surveillance campaign involved distributing three different malware families via tailored malicious updates to selected victims based in Taiwan, Hong Kong, and Sri Lanka. NoxPlayer, developed by Hong Kong-based BigNox, is an Android emulator that allows users to play mobile games on PC, with support for keyboard, gamepad, script recording, and multiple instances. It is  estimated  to have over 150 million users in more than 150 countries. First signs of the ongoing attack are said to have originated around September 2020, from when the compromise continued until "explicitly malicious activity" was uncovered on January 25, prompting ESET to report the incident to BigNox. "Based on the comp

FBI, CISA, NSA Officially Blame Russia for SolarWinds Cyber Attack

FBI, CISA, NSA Officially Blame Russia for SolarWinds Cyber Attack
January 05, 2021Ravie Lakshmanan
The U.S. government on Tuesday formally pointed fingers at the Russian government for orchestrating the massive  SolarWinds supply chain attack  that came to light early last month. "This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA)  said  in a joint statement. Russia, however,  denied  any involvement in the operation on December 13, stating it "does not conduct offensive operations in the cyber domain." The FBI, CISA, ODNI, and NSA are members of the Cyber Unified Coordination Group (UCG), a newly-formed task force put in place by the White House National Security Council to investig

A Second Hacker Group May Have Also Breached SolarWinds, Microsoft Says

A Second Hacker Group May Have Also Breached SolarWinds, Microsoft Says
December 22, 2020Ravie Lakshmanan
As the probe into the  SolarWinds supply chain attack  continues, new digital forensic evidence has brought to light that a separate threat actor may have been abusing the IT infrastructure provider's Orion software to drop a similar persistent backdoor on target systems. "The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," Microsoft 365 research team  said  on Friday in a post detailing the Sunburst malware. What makes the newly revealed malware, dubbed "Supernova," different is that unlike the Sunburst DLL,  Supernova  ("app_web_logoimagehandler.ashx.b6031896.dll") is not signed with a legitimate SolarWinds digital certificate, signaling that the compromise may be unrelated to the previously disclosed supply chain attack. In a  standalone write-up ,
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.