WebProNews

Tag: supply chain attack

  • Google Tackles Supply Chain Attacks With New Bug Bounty

    Google is tackling supply chain cybersecurity attacks with a new bug bounty program.

    Supply chain attacks involve hackers compromising the source code or service used by a range of industries and companies rather than targeting each individual organization. As a result, a single successful supply chain attack can compromise hundreds or even thousands of organizations using the service or product.

    With supply chain attacks growing in popularity, Google is looking to address the problem with a bug bounty program. Bug bounties are payouts made to professional hackers and security researchers, also known as “white hats,” who find bugs and report them to companies so they can be fixed before bad actors exploit them.

    Google posted the new bug bounty program in a blog post:

    Today, we are launching Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) to reward discoveries of vulnerabilities in Google’s open source projects. As the maintainer of major projects such as Golang, Angular, and Fuchsia, Google is among the largest contributors and users of open source in the world.

    Google made it clear that the goal of the new program was to help secure open source software supply chains.

    The addition of this new program addresses the ever more prevalent reality of rising supply chain compromises. Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability. Google’s OSS VRP is part of our $10B commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide.

    Google says payouts will range from $100 to $31,337, depending on the severity and importance of the bug, as well as whether it is particularly interesting or unusual.

  • SolarWinds Hack Was Supply Chain Attack, Says Datadog CEO

    “What’s interesting here about the SolarWinds hack, in particular, is that it’s what’s called a supply chain attack,” says Datadog CEO Olivier Pomel. “This means the attack was made on the code that was shipped to the SolarWinds customer. Then there is this new notion in security called shifting left. By left, it means closer to the developer and earlier in the development process.”

    Datadog CEO Olivier Pomel discusses how the SolarWinds hack signals an increased focus by hackers to target software earlier in its development:

    The SolarWinds hack was definitely a very big one. It’s not especially surprising to see new important hacks like this one, but definitely a very impactful one. What it makes very clear is that there’s going to be even more of an arms race when it comes to security. It’s not surprising companies are transforming. More and more of their activity that is happening online is happening in software. So there’s much more that can be done by attacking that software.

    What we do is we gather as many signals as possible across observability and monitoring. This is the way we come from, and across security. What’s interesting here about the SolarWinds hack, in particular, is that it’s what’s called a supply chain attack. This means the attack was made on the code that was shipped to the SolarWinds customer. Then there is this new notion in security called shifting left. By left, it means closer to the developer and earlier in the development process.

    There’s something really interesting there when it relates to us (Datadog) in how we can solve the problem for our customers by bringing security earlier into the development process and tied in more to the operations and the development of the application. That’s definitely something that we’re investing in and something that we think is going to be a big area of investment for customers in the future.

  • Google Not Impacted by SolarWinds Hack, Despite Using Its Software

    Google has announced it was not impacted by the SolarWinds hack, one of the biggest cybersecurity breaches in US history.

    Corporations and government agencies were compromised by a supply chain attack involving SolarWinds’ Orion IT software. Hackers managed to compromise Orion IT, creating a trojanized version that left organizations using it open to attack.

    Despite using SolarWinds software, Google has announced it is not one of the companies impacted. Phil Venables, CISO, Google Cloud, confirmed the information in a blog post:

    Based on what is known about the attack today, we are confident that no Google systems were affected by the SolarWinds event. We make very limited use of the affected software and services, and our approach to mitigating supply chain security risks meant that any incidental use was limited and contained. These controls were bolstered by sophisticated monitoring of our networks and systems.

    This is good news for Google, as well as its cloud customers.

  • FBI Investigating If JetBrains Was Compromised by SolarWinds Hackers

    The FBI is trying to determine if JetBrains was compromised as part of the SolarWinds attack.

    The SolarWinds attack was one of the largest, most damaging hacks against US government and corporate entities. Some experts have said it will take months, or even years, to understand the extent of the damage.

    What made the SolarWinds attack so successful was that it was a supply chain attack. Rather than attempting a brute force attack or tricking organizations into installing suspect software, the hackers compromised SolarWinds’ Orion IT monitoring and management software itself. Because this legitimate software is used by countless organizations, inserting a trojan directly into it gave the hackers a way into every organization running the compromised Orion IT build.

    The FBI is now concerned that a second application may have been compromised in a similar manner, according to Reuters. JetBrains makes a project management application called TeamCity. Like Orion IT, TeamCity is used by companies around the world, making it extremely important to determine whether it was compromised as well.

    “We are not aware of any investigation nor have we been contacted by any agencies,” a JetBrains spokesman said. “We are not aware of any vulnerabilities in the product or breaches that would allow for this, nor that any of our customers were affected.”

  • Organizations Compromised in SolarWinds Supply Chain Attack

    FireEye has uncovered a sophisticated intrusion campaign against government and corporate organizations, using a supply chain attack.

    Supply chain attacks are one of the most sophisticated types of hacks in existence. While many hacks rely on convincing a target to download malicious software, a supply chain attack involves inserting malicious code in legitimate software before it’s distributed to customers, hence attacking the software supply chain.

    The attack in question uses a compromised update to SolarWinds’ Orion IT monitoring and management software, with FireEye calling the trojanized version “SUNBURST.” The trojanized software is incredibly sophisticated, using various methods to avoid detection while communicating with third-party servers.

    “After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services,” writes FireEye’s team. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

    The trojan has enabled hackers to monitor email communications at the US Treasury and Commerce departments, according to Reuters. FireEye says victims have also “included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.” Since the attack is actively in progress, FireEye suspects there will be additional victims as well.

    To mitigate the attack, “SolarWinds recommends all customers immediately upgrade to Orion Platform release 2020.2.1 HF 1, which is currently available via the SolarWinds Customer Portal. In addition, SolarWinds has released additional mitigation and hardening instructions here.”

    If an organization is not able to update, FireEye has outlined additional mitigation steps that should be taken.