Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection - Flatt Security Research
In this article, I explained how I could compromise the sysupgrade.openwrt.org service by exploiting the command injection and the SHA-256 collision. As I never found the hash collision attack in a real-world application, I was surprised that I could successfully exploit it by brute-forcing hashes.
Ultralytics AI model hijacked to infect thousands with cryptominer
The popular Ultralytics YOLO11 AI model was compromised in a supply chain attack to deploy cryptominers on devices running versions 8.3.41 and 8.3.42 from the Python Package Index (PyPI)
Dozens of Fortune 100 companies have unwittingly hired North Korean IT workers, according to report
Google said it has been contacted by several major U.S. companies recently who discovered that they unknowingly hired North Koreans using fake identities for remote IT roles.
Imagine this: an OpenSSH backdoor is discovered, maintainers rush to push out a fixed release package, security researchers trade technical details on mailing lists to analyze the backdoor code. Speculation abounds on the attribution and motives of the attacker, and the tech media pounces on the story. A near miss of epic proportions, a blow to the fabric of trust underlying open source development, a stark reminder of the risks of supply-chain attacks. Equal measures brilliant and devious.
We discovered 4 critical code vulnerabilities in Gogs, a source code hosting solution, which are still unpatched. Read about the details and how to protect yourself.
Resecurity | Cl0p Ups the Ante with Massive MOVEit Transfer Supply-Chain Exploit
The supply-chain cyberattack that targeted Progress Software’s MOVEit Transfer application has compromised over 963 private and public-sector organizations worldwide. The ransomware group, Cl0p, launched this attack campaign over Memorial Day weekend. Some higher-profile victims of the hack include Maximus, Deloitte, TIAA, Ernst & Young, Shell, Deutsche Bank, PricewaterhouseCoopers, Sony, Siemens, BBC, British Airways, the U.S. Department of Energy, the U.S. Department of Agriculture, the Louisiana Office of Motor Vehicles, the Colorado Department of Health Care Policy and Financing, and other U.S. government agencies. Thus far, the personal data of over 58 million people is believed to have been exposed in this exploit campaign.
A Shady Chinese Firm’s Encryption Chips Got Inside NATO and NASA
The US government warns encryption chipmaker Hualan has suspicious ties to China’s military. Yet US agencies still use one of its subsidiary’s chips, raising fears of a backdoor.
SolarWinds: The Untold Story of the Boldest Supply-Chain Hack
It was late 2019, and Adair, the president of the security firm Volexity, was investigating a digital security breach at an American think tank. The intrusion was nothing special. Adair figured he and his team would rout the attackers quickly and be done with the case—until they noticed something strange. A second group of hackers was active in the think tank’s network. They were going after email, making copies and sending them to an outside server. These intruders were much more skilled, and they were returning to the network several times a week to siphon correspondence from specific executives, policy wonks, and IT staff.
FortiGuard Labs highlights how a digitally signed 3CX desktop app was reportedly used in a supply chain attack against 3CX Voice over Internet Protocol (VoIP) customers. Check back for analysis and coverage updates.
Hackers compromise 3CX desktop app in a supply chain attack
A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company's customers in an ongoing supply chain attack.
Supply Chain Vulnerabilities Put Server Ecosystem At Risk
BMC&C Eclypsium Research has discovered and reported 3 vulnerabilities in American Megatrends, Inc. (AMI) MegaRAC Baseboard Management Controller (BMC) software. We are referring to these vulnerabilities collectively as BMC&C. MegaRAC BMC is widely used by many leading server manufacturers to provide “lights-out” management capabilities for their server products. Server manufacturers…
We recently discovered a vulnerability in Composer, the main package manager for PHP, and were able to use it to take over the central repository, packagist.org.
FortiGuard Labs highlights how a digitally signed 3CX desktop app was reportedly used in a supply chain attack against 3CX Voice over Internet Protocol (VoIP) customers. Check back for analysis and coverage updates.
Hackers compromise 3CX desktop app in a supply chain attack
A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company's customers in an ongoing supply chain attack.
Supply Chain Vulnerabilities Put Server Ecosystem At Risk
BMC&C Eclypsium Research has discovered and reported 3 vulnerabilities in American Megatrends, Inc. (AMI) MegaRAC Baseboard Management Controller (BMC) software. We are referring to these vulnerabilities collectively as BMC&C. MegaRAC BMC is widely used by many leading server manufacturers to provide “lights-out” management capabilities for their server products. Server manufacturers…
We recently discovered a vulnerability in Composer, the main package manager for PHP, and were able to use it to take over the central repository, packagist.org.
