GitHub will start using code signing for its npm software packages to protect its open-source registry. The move comes after vulnerabilities like Log4Shell raised concerns that there is no guarantee that open source packages on npm are built from the same source code that’s published. Signing builds will let consumers authenticate where the software came from, adding another layer of digital trust.
Malware
Microsoft discovered new malware, MagicWeb, attributed to the same threat actors behind the SolarWinds attack, which would enable authentication as anyone. MagicWeb is an evolution of the FoggyWeb malware, except that MagicWeb is a backdoored version of “Microsoft.IdentityServer.Diagnostics.dll” that the attackers swapped in, allowing them to perform a variety of functions, including forcing applications to accept a non-valid client certificate as valid.
At the Black Hat conference, several active malware samples were found on the Black Hat network, including Shlayer, NetSupport RAT and SHARPEXT, the latter attributed to North Korean attackers. However, researchers expected there to be even more malware, given the 20,000 attendees, including cybersecurity researchers and security employees, present at the conference.
Data breaches
LastPass was hacked in August in an attempt to steal source code. LastPass confirmed that the attack came through a compromised developer account and claims that no customer data or passwords were compromised, although the threat actors did steal portions of its source code.
Cisco announced that it was hacked earlier this year. The attacker gained access to Cisco’s network through an employee’s personal Google account, because the employee had saved passwords in the browser. The employee did have MFA enabled, but the attacker used voice phishing to get the victim to accept a push notification, granting the threat actor access. The attacker was removed from the network but continued trying to regain access for weeks after the incident, without success.
Capital One will pay $190 million to customers as part of a data breach settlement. The data breach occurred in March 2019 and affected over 100 million customers. The plaintiffs claimed that Capital One was aware of security vulnerabilities but failed to take steps to protect customers.
The same hackers who breached Twilio in early August also targeted Cloudflare and over 100 other organizations. The attackers breached Twilio by using SMS phishing (smishing) to trick some employees into handing over corporate login credentials. The attackers appeared to target companies using Okta for single sign-on.
Government standards
U.S. President Joe Biden signed the CHIPS and Science Act into law in early August. The legislation will provide billions in incentives to chip manufacturers and will fund public research to help boost the United States’ competitive edge and solve supply chain issues. “The United States must lead the world in the production of these advanced chips. This law will do exactly that,” Biden said. As chip manufacturers move operations to the United States, they should partner with a trusted, compliant leader in digital trust capable of helping them inject trust into their silicon and manage that trust at any stage of the product lifecycle.
The U.S. House of Representatives has passed the SECURE Notarization Act (H.R. 3962), a bill which would set federal standards allowing notaries in all states to perform remote online notarization transactions. The bill also allows a notary public to remotely notarize electronic records involving an individual located outside of the United States. It uses e-signatures as defined in the U.S. E-Sign Act. The legislation will now be considered by the Senate, where companion legislation (S.1625) has been introduced.
A French hospital was hit by a ransomware attack with a $10 million demand, causing the hospital to postpone surgeries and refer patients elsewhere. The attack blocked hospital staff from accessing business software, storage systems and patient information. The threat group hasn’t been confirmed, but the attackers demanded $10 million for a decryption key that would let the hospital resume normal operations.
Quantum
Chinese company Baidu released its first quantum computer, named Qian Shi. Qian Shi has 10 qubits, and Baidu will offer it as a service available to the public, so users can access quantum computing without their own quantum hardware or systems, even from their smartphones.