Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label supply chain attacks. Show all posts

Ransomware Attack on Blue Yonder Disrupts Global Supply Chains

 

Blue Yonder, a leading supply chain software provider, recently experienced a ransomware attack that disrupted its private cloud services. The incident, which occurred on November 21, 2024, has affected operations for several high-profile clients, including major grocery chains in the UK and Fortune 500 companies. While the company’s Azure public cloud services remained unaffected, the breach significantly impacted its managed services environment. The attack led to immediate operational challenges for key customers. UK supermarket chains Morrisons and Sainsbury’s were among the most affected. 

Morrisons, which operates nearly 500 stores, reported delays in the flow of goods due to the outage. The retailer activated backup systems but acknowledged that its operations were still disrupted. Sainsbury’s similarly implemented contingency plans to address the situation and minimize the impact on its supply chain. In the United States, Blue Yonder serves prominent grocery retailers such as Kroger and Albertsons, though these companies have not confirmed whether their systems were directly affected. 

Other notable clients, including Procter & Gamble and Anheuser-Busch, also declined to comment on any disruptions they might have faced as a result of the attack. In response to the breach, Blue Yonder has enlisted the help of external cybersecurity firms to investigate the incident and implement stronger defenses. The company has initiated forensic protocols to safeguard its systems and prevent further breaches. While recovery efforts are reportedly making steady progress, Blue Yonder has not provided a timeline for full restoration. The company continues to emphasize its commitment to transparency and security as it works to resolve the issue. 

This attack highlights the growing risks faced by supply chain companies in an era of increasing cyber threats. Disruptions like these can have widespread consequences, affecting both businesses and consumers. A recent survey revealed that 62% of organizations experienced ransomware attacks originating from software supply chain vulnerabilities within the past year. Such findings underscore the critical importance of implementing robust cybersecurity measures to protect against similar incidents. 

As Blue Yonder continues its recovery efforts, the incident serves as a reminder of the potential vulnerabilities in supply chain operations. For affected businesses, the focus remains on mitigating disruptions and ensuring continuity, while industry stakeholders are left grappling with the broader implications of this growing threat.

Cyble Research Reveals Near-Daily Surge in Supply Chain Attacks

 

The prevalence of software supply chain attacks is on the rise, posing significant threats due to the extensive impact and severity of such incidents, according to threat intelligence researchers at Cyble.

Within a six-month span from February to mid-August, Cyble identified 90 claims of supply chain breaches made by cybercriminals on the dark web. This averages nearly one breach every other day. Supply chain attacks are notably more costly and damaging than other types of cyber breaches, making even a small number of these attacks particularly detrimental.

Cyble’s blog highlights that while infiltrations of an IT supplier’s codebase—similar to the SolarWinds incident in 2020 and Kaseya in 2021—are relatively uncommon, the software supply chain’s various components, including code, dependencies, and applications, remain a continuous source of vulnerabilities. These persistent risks leave all organizations exposed to potential cyberattacks.

Even when supply chain breaches do not compromise codebases, they can still result in the exposure of sensitive data, which attackers can exploit to breach other environments through methods such as phishing, spoofing, and credential theft. The interconnected nature of the physical and digital supply chain means that any manufacturer or supplier involved in downstream distribution could be considered a potential cyber risk, according to the researchers.

In their 2024 analysis, Cyble researchers examined the frequency and characteristics of supply chain attacks and explored defenses that can mitigate these risks.

Increasing Frequency of Supply Chain Attacks

Cyble’s dark web monitoring revealed 90 instances of cybercriminals claiming successful supply chain breaches between February and mid-August 2024.

IT service providers were the primary targets, accounting for one-third of these breaches. Technology product companies were also significantly impacted, experiencing 14 breaches. The aerospace and defense, manufacturing, and healthcare sectors followed, each reporting between eight and nine breaches.

Despite the concentration of attacks in certain industries, Cyble’s data shows that 22 out of 25 sectors tracked have experienced supply chain attacks in 2024. The U.S. led in the number of breaches claimed on the dark web, with 31 incidents, followed by the UK with 10, and Germany and Australia with five each. Japan and India each reported four breaches.

Significant Supply Chain Attacks in 2024

Cyble’s blog detailed eight notable attacks, ranging from codebase hijacks affecting over 100,000 sites to disruptions of essential services. Examples include:

  • jQuery Attack: In July, a supply chain attack targeted the JavaScript npm package manager, using trojanized versions of jQuery to exfiltrate sensitive form data from websites. This attack impacted multiple platforms and highlighted the urgent need for developers and website owners to verify package authenticity and monitor code for suspicious modifications.
  • Polyfill Attack: In late June, a fake domain impersonated the Polyfill.js library, injecting malware into over 100,000 websites. This malware redirected users to unauthorized sites, underscoring the security risks associated with external code libraries and the importance of vigilant website security.
  • Programming Language Breach: The threat actor IntelBroker claimed unauthorized access to a node package manager (npm) and GitHub account related to an undisclosed programming language, including private repositories with privileges to push and clone commits.
  • CDK Global Inc. Attack: On June 19, a ransomware attack targeted CDK Global Inc., a provider of software to automotive dealerships, disrupting sales and inventory operations for weeks across North American auto dealers, including major networks like Group1 Automotive Inc. and AutoNation Inc.
  • Access to 400+ Companies: IntelBroker also claimed in June to have access to over 400 companies through a compromised third-party contractor, with data access to platforms like Jira, GitHub, and AWS, potentially affecting large organizations such as Lockheed Martin and Samsung.
Mitigating Supply Chain Risks through Zero Trust and Resilience

To counter supply chain attacks, Cyble researchers recommend adopting zero trust principles, enhancing cyber resilience, and improving code security. Key defenses include:

  1. Network microsegmentation
  2. Strong access controls
  3. Robust user and device identity authentication
  4. Encrypting data both at rest and in transit
  5. Ransomware-resistant backups that are “immutable, air-gapped, and isolated”
  6. Honeypots for early detection of breaches
  7. Secure configuration of API and cloud service connections
  8. Monitoring for unusual activity using tools like SIEM and DLP
  9. Regular audits, vulnerability scanning, and penetration testing are also essential for maintaining these controls.

Enhancing Secure Development and Third-Party Risk Management

Cyble also emphasizes best practices for code security, including developer audits and partner assessments. The use of threat intelligence services like Cyble’s can further aid in evaluating partner and vendor risks.

Cyble’s third-party risk intelligence module assesses partner security across various areas, such as cyber hygiene, dark web exposure, and network vulnerabilities, providing specific recommendations for improvement. Their AI-powered vulnerability scanning also helps organizations identify and prioritize their own web-facing vulnerabilities.

As security becomes a more critical factor in purchasing decisions, vendors will likely need to improve their security controls and documentation to meet these demands, the report concludes.

CISA Investigates Sisense Breach: Critical Infrastructure at Risk

 

In the fast-paced landscape of cybersecurity, recent events have once again brought to light the vulnerabilities that critical infrastructure organizations face. The breach of data analytics company Sisense, under investigation by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as a stark reminder of the importance of robust security measures in protecting sensitive data and systems. 

Sisense, a prominent American business intelligence software company, found itself at the center of a security incident impacting not only its own operations but also critical infrastructure sector organizations across the United States. 

With offices in New York City, London, and Tel Aviv, and a clientele including major players like Nasdaq, ZoomInfo, Verizon, and Air Canada, the breach sent shockwaves through the cybersecurity community. CISA's involvement underscores the severity of the situation, with the agency actively collaborating with private industry partners to assess the extent of the breach and its implications for critical infrastructure. 

As investigations unfold, the focus is on understanding the nature of the compromise and mitigating potential risks to affected organizations. In response to the breach, CISA has issued recommendations for all Sisense customers to reset any credentials and secrets that may have been exposed or used to access the company's platform and services.

This proactive measure aims to prevent further unauthorized access and protect sensitive information from exploitation. Sisense's Chief Information Security Officer, Sangram Dash, echoed CISA's advice in a message to customers, emphasizing the importance of promptly rotating credentials used within the Sisense application. This precautionary step aligns with best practices in cybersecurity, where rapid response and mitigation are essential to minimizing the impact of security incidents. 

Additionally, customers are urged to report any suspicious activity related to potentially exposed credentials or unauthorized access to Sisense services to CISA. This collaborative approach between organizations and government agencies is crucial in addressing cybersecurity threats effectively and safeguarding critical infrastructure from harm. The incident involving Sisense is not an isolated event. 

Similar supply chain attacks have targeted critical infrastructure organizations in the past, highlighting the need for heightened vigilance and resilience in the face of evolving cyber threats. One such attack, involving the 3CX breach a year ago, had far-reaching consequences, impacting power suppliers responsible for generating and distributing energy across the grid in the United States and Europe. 

As organizations grapple with the aftermath of the Sisense breach, lessons learned from this incident can inform future cybersecurity strategies. Proactive measures such as continuous monitoring, regular security assessments, and robust incident response plans are essential for mitigating risks and protecting critical infrastructure assets. 

The Sisense breach serves as a wake-up call for the cybersecurity community, emphasizing the interconnected nature of cyber threats and the imperative of collaboration in defending against them. By working together and adopting a proactive stance, organizations can bolster their defenses and safeguard critical infrastructure from cyber adversaries.

Boost Cybersecurity: HR's Key Role in Guarding Your Business

 

If your company were to fall victim to ransomware today, whom would you contact? Or perhaps a more pertinent question: How would you go about contacting them? 

This scenario might appear ludicrous, there are  instances where organizations have been immobilized during the initial hours following a breach simply due to the absence of readily available contact information. 

With email and messaging systems rendered inaccessible, communication grinds to a halt, causing confusion among employees, customers, and suppliers alike. What begins as mild panic rapidly escalates into a full-blown crisis.

Commonly, people tend to associate cybersecurity exclusively with the IT or security department. However, safeguarding your company hinges on two crucial factors: the prevailing organizational culture and meticulous planning. This is precisely why some of the most pivotal players in the realm of cyber defense aren't housed within the IT team – they reside within the human resources (HR) department.

The HR team occupies a unique vantage point, enabling them to seamlessly integrate cybersecurity preparedness into the daily operations of an organization. 

Their responsibilities encompass establishing policies and processes to mitigate risks and fostering a business environment equipped to withstand foreseeable challenges, cyberattacks included. Notably, HR teams are also prime targets for hackers, given their role as custodians of sensitive personal information belonging to employees.

Regrettably, the significance of this role often goes unnoticed. Thus, sharing five strategies by which HR can fortify your business against cybercriminals.

1. Foster a Culture of Cybersecurity

Maintaining eternal vigilance is the requisite price for preserving our liberty to navigate the internet. The sheer volume of threats is staggering – recent findings indicate that educational institutions fend off over 2,300 intrusion attempts on average each week, while healthcare organizations combat more than 1,600 attacks. Given the barrage of digital threats, capturing them all becomes an incredibly daunting task. Yet, a robust cybersecurity culture equips an organization to counter these attacks and minimize the scope of damage when they do breach defenses. The challenge lies in uniting everyone under a shared understanding of appropriate online conduct.

To initiate this process, it is imperative to provide training tools that equip employees with the knowledge of permissible and prohibited online behaviors. Most organizations excel in this aspect. However, the implementation of this information on a daily basis often falls short.

The most effective means of ingraining cybersecurity as an integral aspect of individual responsibilities is its incorporation into performance evaluations. Rather than chastising employees for inadvertently clicking on dubious links, the approach should be constructive, focusing on how they uphold their cyber literacy training. Cyber health-check tools can be employed by workers to analyze their online conduct and address vulnerabilities (such as employing identical passwords across multiple platforms or neglecting two-factor authentication). Moreover, these tools can be harnessed to monitor the progress towards cybersecurity objectives at an organizational level.

Regular discourse on safety measures will seamlessly integrate them into the modus operandi of your business.

2. Safeguard Sensitive Information

HR assumes custodial responsibility for some of the most sensitive data within an organization – a fact not lost on hackers. Over the past half-decade, numerous companies have embraced platforms that empower employees to independently manage routine tasks such as vacation requests. However, these third-party platforms carry inherent risks. Cybercriminals often target them through supply chain attacks, cognizant of the potential to access vast troves of data from multiple organizations. In 2021, a widely-used file transfer system fell victim to a breach, compromising over 300 organizations. The University of California was among those affected, with exposed information spanning employees' social security numbers, driver's licenses, and passport details (prompting the UC system to provide its staff with complimentary ID monitoring services).

Primary among the duties of HR professionals is to ensure the confidentiality of employee data. Rigorous due diligence is essential before enlisting the services of any third-party HR provider. Preference should be accorded to entities conforming to international standards (notably SOC 2 and ISO 27001), while online research should uncover any past security incidents associated with the provider. It is equally vital to ascertain the storage and backup mechanisms employed for your data. Depending on your geographical location and industry, compliance with data residency regulations may be obligatory.

3. Rationalize Data Retention Policies

Updating the data retention policy should be a priority for every HR department. Even if your organization's policy isn't documented, a policy nevertheless exists – the default being the indefinite retention of all data. This exposes you to significant risks. The severity of a breach is exacerbated by the volume of data at stake, especially if you retain unnecessary data. Many jurisdictions stipulate limits on the duration for which companies should retain sensitive information – typically around seven years for records pertaining to former employees.

4. Appoint an Incident Commander

While cybersecurity constitutes an ongoing collective responsibility, a designated individual should assume leadership during a breach. In cybersecurity parlance, this figure is known as the incident commander. Despite diverse perspectives on the most suitable course of action, decision-making authority rests with the incident commander.

The qualifications for an incident commander are succinct: they should possess a profound understanding of cybersecurity matters within your organization. Depending on the size of your enterprise, this individual could be a cybersecurity expert, the head of IT, or even an individual like Joanne from the accounting department, provided she has undergone relevant training. Regardless of the appointee's identity, their role should be pre-established, communicated clearly to your team, and ready to be activated in the event of an incident. Given the swiftness with which cybersecurity events unfold – exemplified by instances where hackers gave a mere 45-minute warning prior to disclosing sensitive information – identifying the incident commander ahead of time is critical to minimizing response delays.

5. Conduct Preparedness Drills

Effective cybersecurity hinges on both planning and practice. Numerous studies underscore the fact that individuals struggle to make sound decisions under stress. Much like fire or earthquake drills provide a framework for emergencies, the same principle applies to cybersecurity incidents. Allocate a two-hour window annually to execute a tabletop exercise involving key personnel, simulating the actions to be taken in the event of a hack. During these drills, a designated moderator outlines the attack's nature and scope, while participants collaboratively devise their responses.

Initial attempts at conducting such exercises may result in confusion, yet this is by design. The ensuing scramble highlights deficiencies in your strategies. Over time, these drills become second nature, enhancing your organization's capacity to effectively respond to cyber threats.

What Choices Ought to Influence the Supply Chain in 2023?

 

Due to the increase in cybercrime, many businesses are infected by viruses and malware that are distributed to them by vendors and business partners. 

There has not been a definite plan of action that addresses this as of yet. However, new third-party risk assessment techniques, products, and services are now available to find security "weak spots" in the supply chain of your business. 

Threats by supply chain vendors 

BlueVoyant, a cybersecurity provider, reported in 2021 that 98% of organizations surveyed had been impacted by a supply chain security breach. In a global survey of 1,000 chief information officers conducted in 2022, 82% of respondents said their organizations were vulnerable to cyberattacks targeting their supply chains. 

There are multiple reasons for these statistics and concerns. The following stand out:

  • The enormous size of corporate supply chains can include up to 100,000 suppliers for a single business 
  • Different cybersecurity standards are required in different countries 
  • Supplier unpreparedness, lack of knowledge, and lack of resources for sound cybersecurity practices 
  • Lack of understanding of supplier security in areas like purchasing, which frequently issue requests for proposals from suppliers without mentioning the security requirements for conducting business with the company. 

Best practices for supply chain security 

While cybersecurity frameworks provide an excellent overview of general supply chain security requirements, they do not provide a detailed plan for implementation. 

What organizations require is a guide for a multifaceted approach to supply chain security — but no single playbook can meet the needs of every organization. Instead, as organizations develop their own security approaches, leaders should follow supply chain security best practices: 

Become familiar with your data 

It may seem obvious, but it cannot be overstated: you must understand your own data, that is, what type of data your organization stores and how sensitive that data is. Use discovery and classification tools to find databases and files in your organization that contain sensitive data, such as customer data, financial information, health records, etc. 

Conduct a risk assessment of supply chain security 

Simply comprehending your data is insufficient. You must also understand your supply chain thoroughly in order to identify potential security risks and take preventative measures. 

Begin by gathering data on your third-party partners. What security safeguards do they have in place? Consider each partner's level of vulnerability, breadth and depth of data access, and the impact on your organization if their security is compromised. 

Next, evaluate the software and hardware products that your company employs. What are their weaknesses? Also, don't overlook compliance. Examine your organization's current security governance and consider where it may need to pivot. 

Create an incident response plan 

Attacks will occur, and your system will be compromised, no matter how thoroughly you prepare your organization's supply chain security. As a result, supply chain security best practices include more than just prevention — they also include preparation. 

An incident response plan should be a key component of your supply chain security app. This plan should outline everyone's responsibilities as well as all procedures to be followed in the event of a security incident. Make specific plans for data breaches, system shutdowns, and other security interruptions. And don't just write these procedures down. Test them, practice them, and make sure they're ready to go. 

Conclusion 

Because the supply chain is so fragile, maintaining solid supply chain security is a dangerous game. While eliminating all threats is impossible, adhering to best practices in supply chain security will position your organization to anticipate and mitigate their effects.

Trojanized Comm100 Live Chat App Installer Distributed a JavaScript Backdoor

Cybersecurity platform CrowdStrike reported a supply chain attack that involved the use of a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor. The application suffered an attack from 27 September to 29, 2022. 

Additionally, the malicious group actively attacked other sectors of the organizations with the same installer including the industrial, technology, healthcare, manufacturing, telecommunications sectors, and insurance in North America and Europe. 

Canadian application Comm100 facilitates over 200,000 businesses with its customer service and communication products. With more than 15,000 clients, the Comm100 company offers chat and customer engagement applications to businesses in 51 countries. However, the company did not report anything on how many customers got affected by the attack. 

According to the Cybersecurity firm CrowdStrike, the malware was proliferated using a Comm100 installer that was downloadable from the company’s website. On September 26, the installer was signed with legitimate information on the Comm100 desktop agent app. 

“CrowdStrike Intelligence can confirm that the Microsoft Windows 7+ desktop agent hosted at hxxps[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win[.]exe that was available until the morning of September 29 was a trojanized installer.”, Crowdstrike confirmed. 

Also, a malicious loader DLL called MidlrtMd[.]dll has been used as part of the post-exploitation action. It starts an in-memory shellcode to inject an embedded payload into a new Notepad process (notepad[.]exe). The CrowdStrike believed that the China nexus threat actor is behind the attack because the group previously targeted several Asian online gambling organizations. 

“Furthermore, CrowdStrike Intelligence assesses with moderate confidence that this actor likely has a China nexus. This assessment is based on the presence of Chinese-language comments in the malware, the aforementioned tactics, techniques, and procedures (TTPs), and the connection to the targeting of online gambling entities in East and Southeast Asia — a previously established area of focus for China-nexus targeted intrusion actors”, CrowdStrike Intelligence customers reported.

Over 1800 Mobile Apps Found Exposing AWS Credentials


Experts find hard-coded AWS credentials

Experts have found 1,859 applications across Android and iOS that contain hard-coded Amazon Web Services (AWS) credentials, becoming a major security threat. More than 77% of the apps contain valid AWS access tokens that allow access to private AWS cloud services. 

Mobile apps may contain vulnerabilities in the supply chain that can potentially cause exposure to sensitive data, which can be used by hackers for other attacks. Supply chain vulnerabilities in mobile apps are often added by app developers, intentionally or unintentionally. 

The developers don't know the downside of the security impacts, putting the app users' privacy, as well as the employer and organizations' privacy at risk too. 

Source of the Problem

Researchers at Broadcom Software looked into why and where exactly the AWS access tokens were inside the applications, and whether present in other apps too. They found over half (53%) of the apps were using the same AWS access tokens found in other apps. 

These apps, interestingly, were from different app developers and organizations. This way, the experts found a supply chain vulnerability, it could be traced to a shared library, third-party SDK, or other shared components used in making the apps. 

Why app developers are using hard-coded access keys?

  • Downloading or uploading assets and resources needed for the applications, generally large media files, images, or recordings. 
  • To access configuration files for the app and/or register the device or get device info for cloud storage. 
  • Access cloud services that need authentication, like translation services.
  • For no particular reason, the dead code was used for testing and never removed. 

In one incident discovered by Symantec, an unknown B2B company that offers an intranet and communication platform and also provides a mobile software development kit (SDK) to its customers had its cloud infrastructure keys embedded in the SDK to access the translation service. 

It led to the leak of all of its customers' personal information- corporate data and financial records that belonged to more than 15000 medium to large-sized firms. 

How can users stay safe from supply chain attacks?

It is possible to protect yourself from supply chain issues, one can add security scanning solutions to the app development lifecycle and if using an outsourced provider, you can review Mobile App Report Cards, which can notice any malicious app behaviors or vulnerabilities for every launch of the mobile app, can all be helpful in to highlight potential issues. 

If you're an app developer, you can look for a report card that both scans SDKs and frameworks in your apps and finds the source of any vulnerabilities or suspicious behaviors. 




Last Year, Brute-Forcing Passwords and ProxyLogon Exploits were Among the Most Common Attack Vectors

 

Last year, brute-forcing passwords and exploiting ProxyLogon vulnerabilities against Microsoft Exchange Server were among the most prominent attack methods. According to ESET's Q3 Threat Report, which covers September to December 2021, while supply chain attacks increased over 2020, the year 2021 was marked by the continuous discovery of zero-day vulnerabilities potent enough to wreak havoc on enterprise systems. The discovery of zero-day flaws in Exchange Server, as well as Microsoft's emergency patches to address on-premise issues, haunted IT admins well into the year.

The end of the year was similarly tumultuous in terms of RDP attacks, which grew in severity throughout 2020 and 2021. Despite the fact that 2021 was no longer distinguished by the chaos of freshly imposed lockdowns and fast migrations to remote work, the data from the final weeks of T3 2021 eclipsed all prior records, amounting to a remarkable yearly surge of 897% in total attack attempts thwarted. The only positive news from the RDP attack front is that the number of targets has been gradually decreasing, albeit the rampage does not appear to be coming to a stop anytime soon. 

Ransomware, previously described as "more aggressive than ever" in the Q4 2020 Threat Report, outperformed the worst predictions in 2021, with attacks on critical infrastructure, outrageous ransom demands, and over US$5 billion in bitcoin transactions tied to potential ransomware payments identified in the first half of 2021 alone. 

However, the pressure from the opposing side has been increasing as well, as evidenced by increased law enforcement efforts against ransomware and other cybercriminal endeavors. While the intensive crackdown prompted numerous gangs to quit the scene – even providing decryption keys – it appears that other attackers are becoming even more daring: T3 saw the biggest ransom demand yet, US$240 million, tripling the prior report's figure. 

The repercussions of a critical vulnerability in Log4j were also discovered in the last four months of 2021. The remote code execution (RCE) flaw in Log4j, tracked as CVE-2021-44228, received a CVSS severity level of 10.0, sending organizations scrambling to repair the problem. Threat actors immediately began attempting to exploit the flaw.

Despite the fact that the vulnerability was only made public in the last three weeks of 2021, ESET has classified CVE-2021-44228 as one of the top five attack vectors of the year. 

According to the study, there has been a significant increase in Android banking malware, with a 428% increase in 2021 compared to 2020. According to ESET, infection rates connected with Android banking Trojans including SharkBot, Anatsa, Vultur, and BRATA have now surpassed adware levels.

APT27 Hackers are Backdooring Business Networks in Germany

 

The German domestic intelligence services BfV issued a warning about ongoing operations orchestrated by the Chinese-backed hacker group APT27. The attackers are utilising the HyperBro remote access trojans (RAT) to backdoor German commercial enterprises' networks in this active campaign. By operating as an in-memory backdoor with remote administration capabilities, HyperBro assists threat actors in maintaining persistence on the victims' networks.

HyperBro is a RAT that has been seen predominantly in the gambling industries, while it has also been seen in other places. The malware is typically composed of three or more components: a) a genuine loader with a signed certification, b) a malicious DLL loader loaded from the former component via DLL hijacking, and c) an encrypted and compressed blob that decrypts to a PE-based payload with its C2 information hardcoded within.

APT27 (also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse) is a Chinese-sponsored threat group that has been active since at least 2010 and is noted for its emphasis on data theft and cyber espionage efforts. 

Since March 2021, APT27 has been exploiting flaws in Zoho AdSelf Service Plus software, an enterprise password management solution for Active Directory and cloud apps, according to the German intelligence agency. This is consistent with prior reports that Zoho ManageEngine installations will be the target of many campaigns in 2021, coordinated by nation-state hackers employing techniques and tooling similar to APT27. 

The threat group's objective, according to the agency, is to steal critical information and may potentially seek to target its victims' customers in supply chain attacks.

"The Federal Office for the Protection of the Constitution has information about an ongoing cyber espionage campaign by the cyber-attack group APT27 using the malware variant HYPERBRO against German commercial companies," the BfV said. "It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of customers or service providers." 

In addition, the BfV issued indicators of compromise (IOCs) and YARA rules to assist targeted German organisations in detecting HyperBro infections and connections to APT27 command-and-control (C2) servers. 

APT27 initially exploited an ADSelfService zero-day exploit until mid-September, then transitioned to an n-day AdSelfService vulnerability before beginning to exploit a ServiceDesk flaw on October 25. According to Palo Alto Networks researchers, they effectively infiltrated at least nine organisations from vital industries around the world, including defence, healthcare, energy, technology, and education.

Supply Chain Attacks Using Container Images

 

According to cybersecurity firm Aqua Security, a recently discovered crypto mining technique used malicious Docker images to takeover companies' computing resources to mine bitcoin.  

The photos were published to Docker Hub's official repository. The researchers discovered five Docker Hub container images that could be utilised in a supply chain attack against cloud-native systems. Developers use Docker, a prominent platform-as-a-service container provider for Linux and Windows devices, to help them build and package apps. 

According to Assaf Morag, principal data analyst at Aqua Security, the researchers discovered the infected pictures during their routine manual examination. 

"We regularly share this kind of information with Docker Hub and other public registries or repositories (GitHub, Bitbucket, etc)," Morag says. 

"Based on the information we share with Docker Hub, they conduct their investigation and decide whether or not they close the namespace. In this particular case, they closed these namespaces on the same day we had reached out to them. Docker Hub’s reaction and response time are absolutely amazing.” 

The first three containers discovered by the researchers - thanhtudo, thieunutre, and chanquaa - launch the Python script dao.py, which has been used in various past campaigns to obscure harmful container images in Docker Hub via typosquatting. The names of the other two container images are openjdk, and golang are. 

"We haven’t seen any indication that they were used in attacks in the wild but that doesn’t mean that they were or weren’t. Our goal is to shine a bright light on these container images with misleading names, saying that they contain cryptominer which is executed once you run the container, even though there is no indication in the namespace that this is the purpose of these container images." 

These malicious containers are designed to be readily mistaken as legitimate container images, although the Docker Hub accounts responsible for them are not official accounts. 

"Once they are running, they may look like an innocent container. After running, the binary xmrig is executed (MD5: 16572572588c2e241225ea2bf6807eff), which hijacks resources for cryptocurrency mining," the researchers added. 

"I guess you will never log in to the webpage mybunk[.]com, but if the attacker sent you a link to this namespace, it might happen," he says. "The fact is that these container images accumulated 10,000-plus pull, each." 

While it's unknown who's orchestrating the scam, according to the study, the fraudulent Docker Hub account was taken down when Aqua Security alerted Docker. According to Morag, these containers are not directly controlled by a hacker, but a script at the entry point/cmd is designed to launch an automated assault. The assaults, in this case, were confined to stealing computing resources to mine bitcoin. 

Morag added, "When someone runs these container images, there’s a script that 'loads' the mining configuration and executes a binary that is designed to communicate with a mining pool and execute a crypto mining script. In all cases – XMRIG.” 

Attackers are increasingly targeting software supply chains, and they're growing better at concealing their attacks. As a result, businesses should strengthen their security to decrease the chance of falling victim to such an attack. Here are some suggestions to help to enhance the security posture by Aqua Security: 
1. Control access to public registries: When running containers from a public registry, consider the registry a high-risk source for supply chain attacks. Attackers are attempting to dupe developers into unintentionally fetching malicious container images by masquerading them as popular ones. Create a curated internal registry for base container images to minimise risk, and restrict who can access public registries. Implement policies to ensure that container images are verified before they are added to the internal registry. 

2. Scan container images for malware using static and dynamic analysis: When companies utilise static, signature- or pattern-based scanning, sophisticated assaults can easily evade detection. Threat actors, for example, might avoid detection by embedding code in container images that only downloads malware during execution. 

3. Digitally signing container images or utilising other image integrity measures This helps to guarantee that the container images in use are the same ones reviewed and approved.

What is a Supply Chain Attack? Here's How is it Making Your Software Vulnerable

 

Users receive warnings from public and private organizations asking them to be aware of fraud links and sources, to not share their credentials with anybody, and save their sensitive data from dark websites, etc. commonly. However, the sophisticated hacking market is generating a sense of fear in minds of the public with questions like what if the legal software and hardware that makes up your network has been already compromised at the source? Which leads us to our main question: What is a supply chain attack? 

A very common form of cyber-hacking is known as a "supply chain attack”, it is also called a value-chain or third-party attack. This umbrella term ‘supply chain attack’ includes those cyber attacks that target software developers and suppliers so that several clients and customers of the fine products and services can be affected directly. 

By leveraging a single developer or supplier, threat actors or spies can steal its distribution systems and install the application that they want to send to the victims. 

By compromising a single chain, the hackers can well-place intrusion and can successfully can create a springboard to the networks of a supplier's consumers in which thousands of people can be victimized. 

Supply chain attacks have always been understood as daunting tasks. The reason behind this is their consequences can be very severe, a single attack can leave the whole organization with severe vulnerabilities and can break the trust between an organization and the customers. 

"Supply chain attacks are scary because they're really hard to deal with, and because they make it clear you're trusting a whole ecology," says Nick Weaver, a security researcher at UC Berkeley's International Computer Science Institute. "You're trusting every vendor whose code is on your machine, and you're trusting every vendor's vendor." 

In December 2020, the worst face of the supply chain attack had already been witnessed, when it was discovered that the Russian malicious actors later identified as Russian foreign intelligence service (SVR) compromised the software firm SolarWinds and installed malicious code in its IT management tool Orion. With this, hackers attacked at least nine US federal agencies. 

The spy operation ‘SolarWinds’ wasn't unique, there is a list of events that already hit the world’s big companies including a Chinese hacking group known as Barium carrying out at least six supply chain attacks over the past five years. 

In 2017, the Russian threat actors ‘Sandworm’, hijacked the software updates of the Ukrainian accounting software MEDoc, which ultimately inflicted $10 billion in damage worldwide. This attack is the costliest cyberattack in history.

With the available statistics and data, we can conclude that supply chain attacks are a huge problem that's not going away anytime soon. 

German Company Hit By Supply Chain Attack, Only Few Device Affected

Gigaset, a German device maker, was recently hit with a supply chain attack, the hackers breached a minimum of one company server to attach the malware. Earlier known as Siemens Home and Office Communication Devices, Gigaset is Germany based MNC. The company holds expertise in communication technology area, it also manufactures DECT telephones. Gigaset had around 800 employees, had operations across 70 countries and a revenue of 280 Million euros in the year 2018. 

The attack happened earlier this month, the malware was deployed in the android devices of the German company. According to experts, various users reported cases of malware infections, complaining the devices were attacked with adwares that showed unwanted and intrusive ads. Most of the users reported their complaints on Google support forums. A German website published a list of these package names (unwanted popups) which were installed on the android devices. 

Earlier complaints from the users are suggesting that data might've also been stolen from these devices. The foremost issue that these users faced was SMS texting and sending Whatsapp messages, the latter suspended few accounts on suspicion of malicious activity. The company has confirmed about the breach and said that the only the users who installed latest firmware updates from the infected devices were affected. The company is already set on providing immediate solutions to the affected customers. "It is also important to mention at this point that, according to current knowledge, the incident only affects older devices," said the company. 

The company during its routine investigation found that few of the old devices had malware problems. It was further confirmed by the customer complaints. Gigaset says it has taken the issue very seriously and is working continuously to provide short term solution to its customers. "In doing so, we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem. We expect to be able to provide further information and a solution within 48 hours," said Gigaset.

PHP Git Server Hacked to Plant Malware in Code Base

 

In the most recent software supply chain assault, the official PHP Git repository was hacked and the code base altered. On Sunday, two malevolent commits were pushed to the php-src Git repository kept up by the PHP team on their git.php.net server. The threat actors had signed off on these commits as though these were made by known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov. 

The incident is disturbing considering PHP stays the server-side programming language to control more than 79% of the sites on the Internet. In the noxious commits [1, 2] seen by BleepingComputer, the assailants published a strange change upstream, "fix typo" under the pretence this was a minor typographical amendment. 

As indicated by Bleeping Computer, the code has all the earmarks of being intended to embed a backdoor and make a situation wherein remote code execution (RCE) might be conceivable. Popov said the development team isn't sure precisely how the assault occurred, however, pieces of information show that the official git.php.net server was likely undermined, instead of individual Git accounts. A remark, "REMOVETHIS: sold to zerodium, mid-2017," was included in the script. There is no sign, nonetheless, that the exploit seller has any inclusion in the cyberattack. 

Zerodium's chief executive Chaouki Bekrar named the culprit as a "troll," remarking that "likely, the researcher who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun." The commits were recognized and returned before they made it downstream or affected clients. An investigation concerning the security incident is currently in progress and the team is scouring the repository for some other indications of malevolent activity. Meanwhile, however, the development team has concluded now is the opportune chance to move permanently to GitHub. 

"We have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server," Popov said. "Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net." Developers with past write access to the task's repositories will now have to join the PHP group on GitHub.

GitHub Informed Clients of “Potentially Serious” Security Bug

 

GitHub on Monday informed clients that it had found what it described as an “extremely rare, but potentially serious” security bug identified with how some authenticated sessions were handled. On 8th March GitHub signed out all clients that were signed in before March 8th. The precautionary measure was taken seven days after the organization had gotten an underlying report of dubious conduct, from an external party. 

The Microsoft-owned software development platform said the bug was found on March 2 and an underlying patch was carried out on March 5. A subsequent fix was delivered on March 8 and on the evening of that very day the organization chose to invalidate all authenticated sessions to completely eliminate the possibility of exploitation. On Friday, the GitHub team has remediated the security flaw and kept on analyzing the situation over the weekend. The vulnerability being referred to, could be misused in extremely rare circumstances, when a rare condition would happen during the backend request handling process, permitting the session cookie of a logged-in GitHub client to be sent to the software of another client, giving the latter access to the former user’s account.

“It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems,” says Mike Hanley, GitHub’s recently appointed chief security officer. “Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user.” 

The organization declared that the bug existed on GitHub.com for less than two weeks and it doesn't resemble some other GitHub.com assets or products were impacted as a result of this bug. "We believe that this session misrouting occurred in less than 0.001% of authenticated sessions on GitHub.com. For the very small population of accounts that we know to be affected by this issue, we’ve reached out with additional information and guidance,” continues Hanley in the announcement. 

The organization is still analyzing if any project repositories or source code were messed with because of this vulnerability as this kind of authentication vulnerabilities could pave the way for software supply-chain attacks.

Rise of the Ransomware Attacks Leads to an Increase Extortion Demands of Cyber Criminals


As there happens a rise in the number of ransomware attacks doubled is the number of organizations surrendering to the extortion demands of cybercriminals in the wake of succumbing to such attacks particularly this year in contrast with the previous one.

As indicated by figures in the recently released 2019 CrowdStrike Global; Security Attitude Security, the total number of organizations around the globe that pay the ransom subsequent to succumbing to a supply-chain attack has dramatically increased from 14% of victims to 39% of those influenced.

While cybersecurity suppliers and law enforcements suggest that victims don't fund crime by surrendering to the blackmail requests/ extortion demands, at times organizations see it as the fastest and easiest method for re-establishing their networks.

In the UK explicitly, the number of organizations that have encountered a ransomware attack and followed through on the demanded price for the decryption key stands at 28% – twofold the 14% figure of the previous year.

Be that as it may, on the grounds that the victims are as yet paying the ransom – which normally amounts up to six-figure sum – cybercriminals will keep on directing ransomware campaigns and likely broaden them further, particularly as the possibility of them getting captured is low.

In any case, notwithstanding the accomplishment of ransomware attacks – particularly those that have undermined the whole infrastructure of entire organizations – there are some generally straightforward and simple methods for averting the attacks doing any harm.

In the event that organizations guarantee that every one of the frameworks and programming on the network is fixed with the most recent security updates, it goes 'a long way' to preventing ransomware attacks from being effective the same number of campaigns depend on the abuse of the known vulnerabilities.

Organizations ought to likewise guarantee that default passwords aren't utilized on the system and, where conceivable, two-factor verification ought to be applied as this will counteract any hacker who figures out how to break the system from moving around and causing more damage.

However, in case of a ransomware attack being effective, organizations can guarantee they don't have to make the payment by normally creating a backup of their system and guaranteeing that the backup is stored offline.

A Hacker Group, 'Barium' on a Supply Chain Hijacking Spree



One of the most fatal forms of hacking is a software supply chain attack as it involves illicitly accessing a developer's network and placing the malicious code into the software updates and applications that users consider and trust the most.

In a single attempt, supply chain hackers can potentially place their ransomware onto thousands or millions of computer systems, they can do so without even a single trace of malicious activity. With time, this trick has gained a lot of traction and has become more advanced and difficult to be identified. Supply chain attacks follow a similar pattern and have been used by the associated companies as their core tool.

Basically, supply chain attacks exploit various software dissemination channels and over the last three years, these attacks have been majorly linked to a group of Chinese hackers. Reportedly, they are popularly known as ShadowHammer, Barium, Wicked Panda and ShadowPad, the name varies along with the security firms.

The trick demonstrates the massive potential of ShadowHammer to destroy computer systems on a large scale along with exploiting vulnerabilities present in a fundamental model which governs the code employed by users on their systems, such destructive ability possessed by Barium is a matter of great concern for security researchers.

Referencing from the statements given by Vitaly Kamluk, the director of the Asia research team for security firm Kaspersky, "They're poisoning trusted mechanisms," "they’re the champions of this. With the number of companies they’ve breached, I don’t think any other groups are comparable to these guys."

"When they abuse this mechanism, they’re undermining trust in the core, foundational mechanisms for verifying the integrity of your system,"

"This is much more important and has a bigger impact than regular exploitation of security vulnerabilities or phishing or other types of attacks. People are going to stop trusting legitimate software updates and software vendors."

On being asked, Marc-Etienne Léveillé, a security researcher, said, "In terms of scale, this is now the group that is most proficient in supply chain attacks,"

"We’ve never seen anything like this before. It’s scay because they have control over a very large number of machines

"If [Barium] had deployed a ransomware worm like that through one of these attacks, it would be a far more devastating attack than NotPetya," said another expert on the matter.