supply chain attack | Breaking Cybersecurity News | The Hacker News

In yet another instance of software supply chain attack, unidentified hackers breached the website of  MonPass , one of Mongolia's major certificate authorities, to backdoor its installer software with Cobalt Strike binaries. The trojanized client was available for download between February 8, 2021, and March 3, 2021, said Czech cybersecurity software company Avast in a  report  published Thursday. In addition, a public webserver hosted by MonPass was infiltrated potentially as many as eight separate times, with the researchers uncovering eight different web shells and backdoors on the compromised server. Avast's investigation into the incident began after it discovered the backdoored installer and the implant on one of its customers' systems. "The malicious installer is an unsigned [Portable Executable] file," the researchers said. "It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate versi

As software supply chain attacks emerge as a point of concern in the wake of SolarWinds and Codecov  security incidents, Google is proposing a solution to ensure the integrity of software packages and prevent unauthorized modifications.  Called " Supply chain Levels for Software Artifacts " (SLSA, and pronounced "salsa"), the end-to-end framework aims to secure the software development and deployment pipeline — i.e., the source ➞ build ➞ publish workflow — and  mitigate threats  that arise out of tampering with the source code, the build platform, and the artifact repository at every link in the chain. Google said SLSA is inspired by the company's own internal enforcement mechanism called Binary Authorization for Borg , a set of auditing tools that verifies code provenance and implements code identity to ascertain that the deployed production software is properly reviewed and authorized. "In its current state, SLSA is a set of incrementally adoptable

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

A new cyber espionage group named Gelsemium has been linked to a  supply chain attack targeting the NoxPlayer  Android emulator that was disclosed earlier this year. The findings come from a systematic analysis of multiple campaigns undertaken by the APT crew, with evidence of the earliest attack dating back all the way to 2014 under the codename  Operation TooHash  based on malware payloads deployed in those intrusions. "Victims of these campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities," cybersecurity firm ESET  said  in an analysis published last week. "Gelsemium's whole chain might appear simple at first sight, but the exhaustive configurations, implanted at each stage, modify on-the-fly settings for the final payload, making it harder to understand." Targeted countries include China, Mongolia, North and South Korea, Japan, Turkey, Iran, Iraq, Saudi

Severe security flaws uncovered in popular Visual Studio Code extensions could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment (IDE). The vulnerable extensions could be exploited to run arbitrary code on a developer's system remotely, in what could ultimately pave the way for supply chain attacks. Some of the extensions in question are "LaTeX Workshop," "Rainbow Fart," "Open in Default Browser," and "Instant Markdown," all of which have cumulatively racked up about two million installations between them. "Developer machines usually hold significant credentials, allowing them (directly or indirectly) to interact with many parts of the product," researchers from open-source security platform Snyk  said  in a deep-dive published on May 26. "Leaking a developer's private key can allow a malicious stakeholder to clone important

Cybersecurity company Rapid7 on Thursday revealed that unidentified actors improperly managed to get hold of a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year. "A small subset of our source code repositories for internal tooling for our [Managed Detection and Response] service was accessed by an unauthorized party outside of Rapid7," the Boston-based firm  said  in a disclosure. "These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers." On April 15, software auditing startup Codecov alerted customers that its Bash Uploader utility had been infected with a backdoor as early as January 31 by unknown parties to gain access to authentication tokens for various internal software accounts used by developers. The incident didn't come to light until April 1. "The actor gained access bec

The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from  SonarSource , following which a hotfix was deployed less than 12 hours later. "Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders," Composer  said  its  release notes  for versions 2.0.13 and 1.10.22 published on Wednesday. "To the best of our knowledge the vulnerability has not been exploited." Composer  is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project. It also allows users to install PHP applications that are available on  Packagist , a repository that aggregates all public P

Click Studios, the Australian software company behind the Passwordstate password management application, has notified customers to reset their passwords following a supply chain attack. The Adelaide-based firm said a bad actor used sophisticated techniques to compromise the software's update mechanism and used it to drop malware on user computers. The breach is said to have occurred between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC, for a total period of about 28 hours. "Only customers that performed In-Place Upgrades between the times stated above are believed to be affected," the company  said  in an advisory. "Manual Upgrades of Passwordstate are not compromised. Affected customers password records may have been harvested." The development was first reported by the Polish tech news site  Niebezpiecznik . It's not immediately clear who the attackers are or how they compromised the password manager's update feature. Click Studios said an i

FireEye and Microsoft on Thursday said they discovered three more malware strains in connection with the SolarWinds supply-chain attack, including a "sophisticated second-stage backdoor," as the investigation into the  sprawling espionage campaign  continues to yield fresh clues about the threat actor's tactics and techniques.  Dubbed GoldMax (aka SUNSHUTTLE), GoldFinder, and Sibot, the new set of malware adds to a growing list of malicious tools such as  Sunspot ,  Sunburst  (or Solorigate),  Teardrop , and  Raindrop  that were stealthily delivered to enterprise networks by  alleged Russian operatives . "These tools are new pieces of malware that are unique to this actor," Microsoft  said . "They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with Teardrop and other hands-on-keyboard actions." Microsoft al

As cybersecurity researchers continue to piece together the sprawling  SolarWinds supply chain attack , top executives of the Texas-based software services firm blamed an intern for a critical password lapse that went unnoticed for several years.  The said password " solarwinds123 " was originally believed to have been publicly accessible via a GitHub repository since June 17, 2018, before the misconfiguration was addressed on November 22, 2019. But in a  hearing  before the House Committees on Oversight and Reform and Homeland Security on SolarWinds on Friday, CEO Sudhakar Ramakrishna testified that the password had been in use as early as 2017. While a preliminary investigation into the attack revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, Crowdstrike's incident response efforts pointed to a  revi

Cybersecurity researchers today disclosed a new supply chain attack targeting online gamers by compromising the update mechanism of NoxPlayer, a free Android emulator for PCs and Macs. Dubbed " Operation NightScout " by Slovak cybersecurity firm ESET, the highly-targeted surveillance campaign involved distributing three different malware families via tailored malicious updates to selected victims based in Taiwan, Hong Kong, and Sri Lanka. NoxPlayer, developed by Hong Kong-based BigNox, is an Android emulator that allows users to play mobile games on PC, with support for keyboard, gamepad, script recording, and multiple instances. It is  estimated  to have over 150 million users in more than 150 countries. First signs of the ongoing attack are said to have originated around September 2020, from when the compromise continued until "explicitly malicious activity" was uncovered on January 25, prompting ESET to report the incident to BigNox. "Based on the comp

The U.S. government on Tuesday formally pointed fingers at the Russian government for orchestrating the massive  SolarWinds supply chain attack  that came to light early last month. "This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA)  said  in a joint statement. Russia, however,  denied  any involvement in the operation on December 13, stating it "does not conduct offensive operations in the cyber domain." The FBI, CISA, ODNI, and NSA are members of the Cyber Unified Coordination Group (UCG), a newly-formed task force put in place by the White House National Security Council to investig

As the probe into the  SolarWinds supply chain attack  continues, new digital forensic evidence has brought to light that a separate threat actor may have been abusing the IT infrastructure provider's Orion software to drop a similar persistent backdoor on target systems. "The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," Microsoft 365 research team  said  on Friday in a post detailing the Sunburst malware. What makes the newly revealed malware, dubbed "Supernova," different is that unlike the Sunburst DLL,  Supernova  ("app_web_logoimagehandler.ashx.b6031896.dll") is not signed with a legitimate SolarWinds digital certificate, signaling that the compromise may be unrelated to the previously disclosed supply chain attack. In a  standalone write-up ,

The massive state-sponsored  espionage campaign  that compromised software maker SolarWinds also targeted Microsoft, as the unfolding investigation into the hacking spree reveals the incident may have been far more wider in scope, sophistication, and impact than previously thought. News of Microsoft's compromise was first reported by Reuters , which also said the company's own products were then used to strike other victims by leveraging its cloud offerings, citing people familiar with the matter. The Windows maker, however, denied the threat actor had infiltrated its production systems to stage further attacks against its customers. In a statement to The Hacker News via email, the company said — "Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or custom

Cybersecurity researchers today disclosed a new supply-chain attack targeting the Vietnam Government Certification Authority (VGCA) that compromised the agency's digital signature toolkit to install a backdoor on victim systems. Uncovered by Slovak internet security company ESET early this month, the "SignSight" attack involved modifying software installers hosted on the CA's  website  ("ca.gov.vn") to insert a spyware tool called  PhantomNet  or Smanager. According to ESET's telemetry, the breach happened from at least July 23 to August 16, 2020, with the  two installers  in question — "gca01-client-v2-x32-8.3.msi" and "gca01-client-v2-x64-8.3.msi" for 32-bit and 64-bit Windows systems — tampered to include the backdoor. "The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures

SolarWinds, the enterprise monitoring software provider which found itself at the epicenter of the most  consequential supply chain attacks , said as many as 18,000 of its high-profile customers might have installed a tainted version of its Orion products. The acknowledgment comes as part of a new filing made by the company to the US Securities and Exchange Commission on Monday. The Texas-based company serves more than 300,000 customers worldwide, including every branch of the US military and four-fifths of the Fortune 500 companies. The "incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state," SolarWinds said in the  regulatory disclosure , adding it "currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000." The company also reiterated in its  security advisory  that besides 2019.4 HF

State-sponsored actors allegedly working for Russia have  targeted  the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to  monitor internal email traffic  as part of a widespread cyberespionage campaign. The Washington Post, citing unnamed sources, said the latest attacks were the work of APT29 or Cozy Bear, the same hacking group that's believed to have orchestrated a breach of US-based cybersecurity firm  FireEye  a few days ago leading to the theft of its Red Team penetration testing tools. The motive and the full scope of what intelligence was compromised remains unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly-sophisticated  supply chain attack . "The compromise of SolarWinds' Orion Ne