CyberSecurity news

FlagThis - #supplychainsecurity

Jessica Lyons@theregister.com //
Researchers at watchTowr Labs have uncovered a significant security flaw involving abandoned Amazon Web Services (AWS) S3 buckets, potentially allowing attackers to compromise the software supply chain. The analysis revealed that nearly 150 S3 buckets previously used by various organizations, including cybersecurity firms, governments, Fortune 500 companies, and open source projects, could be re-registered. This re-registration could enable attackers to inject malicious code or executables into deployment processes and software update mechanisms.

Over a two-month period, these abandoned buckets received over eight million HTTPS requests for various files, including software updates and other binary artifacts. The requests originated from a wide range of sources, including government networks in multiple countries, military networks, Fortune 100 and 500 companies, and even cybersecurity companies. This vulnerability could allow threat actors to deliver malware or backdoors to these organizations, leading to widespread security breaches. AWS has since blocked the specific buckets identified by watchTowr to prevent their re-creation and potential misuse.
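The defender-side check implied by this finding is an inventory one: anything that downloads and executes artifacts from an S3 bucket name you no longer control is a dangling reference. The script below is an added example (not watchTowr's tooling or any project's code) that scans deployment text for the common S3 URL forms (virtual-hosted, path-style and `s3://` URIs), extracts the bucket name, and flags any bucket absent from an inventory of buckets the organization owns. The sample update script and bucket names are constructed for illustration; confirming live ownership via the AWS API is a separate step the example does not perform.

```python
import re
from urllib.parse import urlparse

# S3 hostname forms handled here:
#   virtual-hosted: https://<bucket>.s3.amazonaws.com/key
#                   https://<bucket>.s3.<region>.amazonaws.com/key
#   path-style:     https://s3.amazonaws.com/<bucket>/key
#                   https://s3.<region>.amazonaws.com/<bucket>/key
#   URI form:       s3://<bucket>/key
VHOST_RE = re.compile(r"^(?P<bucket>[a-z0-9.\-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
PATH_RE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
URL_RE = re.compile(r"(?:https?|s3)://[^\s\"'<>]+")


def bucket_from_url(url):
    """Return the S3 bucket name referenced by url, or None if it is not an S3 URL."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.scheme == "s3":
        return host or None
    m = VHOST_RE.match(host)
    if m:
        return m.group("bucket")
    if PATH_RE.match(host):
        # path-style: the first path segment is the bucket
        first = p.path.lstrip("/").split("/", 1)[0]
        return first or None
    return None


def find_dangling_references(text, owned_buckets):
    """Return (bucket, url) pairs for S3 references whose bucket is not in owned_buckets."""
    findings = []
    for url in URL_RE.findall(text):
        bucket = bucket_from_url(url)
        if bucket is not None and bucket not in owned_buckets:
            findings.append((bucket, url))
    return findings


# Constructed sample: an update script that pulls artifacts from several buckets.
SAMPLE_DEPLOY_SCRIPT = """
curl -fsSL https://acme-release-artifacts.s3.us-east-1.amazonaws.com/agent/latest.tar.gz -o agent.tar.gz
curl -fsSL https://s3.amazonaws.com/old-vendor-updates/installer.sh -o installer.sh
aws s3 cp s3://legacy-build-cache/toolchain.zip .
curl -fsSL https://example.org/not-s3/file.bin -o file.bin
"""

# Constructed inventory: the only bucket this (hypothetical) organization still owns.
OWNED_BUCKETS = {"acme-release-artifacts"}

if __name__ == "__main__":
    for bucket, url in find_dangling_references(SAMPLE_DEPLOY_SCRIPT, OWNED_BUCKETS):
        print(f"dangling S3 reference: bucket={bucket} url={url}")
```

Run against a real code base, the owned-bucket set would come from your own account inventory (for example the output of `aws s3 ls`); any bucket the scan reports that you neither own nor can confirm the vendor still owns is a candidate for exactly the re-registration scenario the researchers describe.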



References:
  • The Register - Security: Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant'
  • watchTowr: Abandoned AWS S3 buckets could be reused to conduct supply chain attacks.
  • go.theregister.com: Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant'. When cloud customers don't clean up after themselves, part 97. Abandoned AWS S3 buckets could be reused to hijack the global software supply chain in an attack that would make Russia's "SolarWinds adventures look amateurish and insignificant," watchTowr Labs security researchers have claim…
  • labs.watchtowr.com: WatchTowr Labs research details 8 million requests against AWS S3 buckets.
  • www.csoonline.com: Code references to nonexistent cloud assets continue to pose significant security risks, and the problem is only growing. Recent research identified approximately 150 AWS S3 storage buckets once used by various software projects to host sensitive scripts, configuration files, software updates, and other binary artifacts that were automatically downloaded and executed on user machines.
  • www.scworld.com: Nearly 150 S3 buckets previously leveraged by cybersecurity firms, governments, Fortune 500 companies, and open source projects could be re-registered with the same AWS account name to facilitate executable and/or code injections in the deployment code/software update mechanism, according to an analysis from watchTowr Labs researchers.
  • SecurityWeek: Abandoned Amazon S3 Buckets Enabled Attacks Against Governments, Big Firms
  • BleepingComputer: How attackers abuse S3 Bucket Namesquatting — And How to Stop Them
  • therecord.media: Researchers warn of risks tied to abandoned cloud storage buckets
  • Jon Greig: Researchers at Watchtowr warned of malicious actors taking over abandoned AWS S3 buckets used by governments, militaries, Fortune 500 companies and even some cybersecurity firms
  • darkreading: Researchers from watchTowr discovered around 150 Amazon Web Services S3 buckets that were formerly used by organizations for software deployment and updates but were then abandoned.
info@thehackernews.com (The Hacker News)@The Hacker News //
PyPI (Python Package Index) has launched a new 'Project Archival' feature, empowering maintainers to mark projects as archived. This signals to users that these projects are no longer actively maintained or expected to receive updates, including crucial security fixes. While archived projects remain installable, the new status alerts developers to the risk of relying on unmaintained packages, thereby promoting more responsible dependency management. Maintainers can archive projects via their settings page on PyPI, prompting a prominent notice to appear on the project's main page.

The new archival system seeks to improve supply chain security by explicitly communicating the maintenance status of projects. This builds on PyPI's existing "project quarantine" framework introduced in late 2024, which allows administrators to mark suspicious projects and prevent their installation. By enabling maintainers to clearly denote the state of archived projects, this feature enhances visibility into the lifecycle of packages. PyPI recommends that package developers release a final version before archiving, including a detailed update in the project description to provide additional context about its status.

The archival process is reversible, giving project owners the option to resume maintenance if desired. As part of broader efforts to enhance project lifecycle management within PyPI, further project status labels such as "deprecated" or "unmaintained" may be introduced, along with updates to PyPI's public APIs to allow for easier retrieval of project status information. The goal is to provide a more structured and informative ecosystem for Python developers.



References:
  • gbhackers.com: The Python Package Index (PyPI) has introduced a new feature that allows maintainers to mark projects as archived, signaling that the project is no longer actively maintained or expected to receive updates.
  • BleepingComputer: The Python Package Index (PyPI) has announced the introduction of 'Project Archival,' a new system that allows publishers to archive their projects, indicating to the users that no updates are to be expected.
  • ciso2ciso.com: PyPI Introduces Archival Status to Alert Users About Unmaintained Python Packages – Source:thehackernews.com
  • cyberpress.org: PyPI Implements Project Archival to Block Exploits Malicious Package
  • Cyber Security News: PyPI Implements Project Archival to Block Exploits Malicious Package
  • blog.pypi.org (Trail of Bits): PyPI Now Supports Project Archival
  • www.cysecurity.news: PyPI's New Archival Feature Addresses a Major Security Flaw
  • Help Net Security: DeepSeek’s popularity exploited to push malicious packages via PyPI
MalBot@malware.news //
Researchers at Eclypsium have uncovered critical security flaws in the Illumina iSeq 100 DNA gene sequencer. The device runs an outdated BIOS firmware implementation in Compatibility Support Module (CSM) mode, without Secure Boot or standard firmware write protections. This allows an attacker with system access to overwrite the firmware, which could disable the device entirely or install persistent malware.

The identified security gaps underscore the substantial risks associated with reusing commodity hardware and neglecting regular firmware updates. The lack of modern security measures in the iSeq 100 presents a major supply chain vulnerability. This also highlights the need for stringent security protocols and configuration management to protect devices that handle sensitive genomic data, as outlined by NIST guidelines published in 2023.



References:
  • malware.news: Genetic Engineering Meets Reverse Engineering: DNA Sequencer's Vulnerable BIOS
  • eclypsium.com: Genetic Engineering Meets Reverse Engineering: DNA Sequencer's Vulnerable BIOS
  • Eclypsium: Eclypsium identified BIOS/UEFI vulnerabilities in a popular DNA gene sequencer by healthcare technology vendor Illumina.
  • The Hacker News: Researchers Uncover Major Security Flaw in Illumina iSeq 100 DNA Sequencers
  • BleepingComputer: BIOS/UEFI vulnerabilities in the iSeq 100 DNA sequencer from U.S. biotechnology company Illumina could let attackers disable devices used for detecting illnesses and developing vaccines.
  • gbhackers.com: Critical BIOS/UEFI Vulnerabilities Allow Attackers To Overwrite System Firmware
  • securityonline.info: DNA Sequencer BIOS Vulnerabilities Pose Significant Supply Chain Risks
  • ciso2ciso.com: Insecure Medical Devices — Illumina DNA Sequencer Illuminates Risks
Classification:
  • HashTags: #Illumina #BIOS #SupplyChain
  • Company: Illumina
  • Target: Illumina Sequencers
  • Product: iSeq 100
  • Feature: BIOS Vulnerability
  • Type: Vulnerability
  • Severity: Major