The insatiable global demand for open source code packages has led to a triple-digit year-on-year surge in upstream software supply chain attacks, according to Sonatype. The supply chain management specialist compiled its 2021 State of the Software Supply Chain report from publicly available and proprietary data. It claimed that global developers would borrow over 2.2 trillion open-source packages or components from third-party ecosystems to accelerate time-to-market. This includes Java downloaded from the Maven Central Repository, Python packages…

A Sonatype survey also found a 650% year-over-year increase in supply chain attacks aimed at upstream public repositories. Image: Shutterstock/LeoWolfert The seventh annual State of the Software Supply Chain Report from Sonatype found that developers think software management practices are in much better shape than what conditions on the ground indicate. Must-read developer content The analysis found that the majority of respondents use an ad hoc approach to software supply chain management for most parts…

Nearly a third (29%) of Brits feel unsafe while using the internet, according to a new report by Veriff. The survey of 2000 UK citizens revealed a range of factors that have caused this sentiment. One of these is rising scam attempts, with over two-fifths (42%) of those surveyed experiencing a package delivery scam during the past three months. The next most common type of scam is those relating to tax rebates (25%) followed by TV licenses…

The external attack surface of Fortune 500 companies contains known, exploitable vulnerabilities and security issues, according to new research from Cyberpion. The Israeli startup compiled its findings from a “single-pass scan” of the public and internet-facing assets of every Fortune 500 company in the first half of 2021. Nearly three-quarters (73%) of these organizations’ IT infrastructure is now located externally, but this outsourcing trend appears to have created a significant visibility gap. Some 24% of these…

Microsoft fixed over 60 CVEs in this month’s Patch Tuesday update round, including a zero-day being actively exploited in the wild. First made public last week, CVE-2021-40444 is a remote code execution vulnerability in Microsoft’s MSHTML engine. A second zero-day, which was publicly disclosed but not actively exploited, is CVE-2021-36968, an elevation of privilege vulnerability in Windows DNS. It is labeled “important” by Microsoft and only impacts Windows 7 and Windows Server 2008. However, these…

A special thanks to our Professional Services’ IR team, ShadowServer, for historical context on C2 domains, and Thomas Roccia/Leandro Velasco for malware analysis support. Executive Summary Following a recent Incident Response, McAfee Enterprise‘s Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack. From a cyber-intelligence perspective, one of the biggest challenges is…