Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: APT groups targeted a defense industrial base sector organization, why SBOMs are a great “first step,” and more.
This week’s top story
CISA alert: Open source tool used to steal sensitive data from a Defense Industrial Base sector organization
Advanced Persistent Threat (APT) groups compromised a defense firm and lurked on its network for months, according to a new U.S. Cybersecurity and Infrastructure Security Agency (CISA) Alert (AA22-277A). The groups compromised an administrator account used to manage the organization’s Microsoft Exchange Server and used an open-source toolkit called Impacket to expand their foothold in the network and compromise it, CISA said.
The known activity took place from November 2021 to January 2022, and was tracked by CISA with the help of a trusted third-party organization. They have not yet determined how these groups gained access to the network.
Once granted access, the APT groups used a compromised administrator account, allowing them to access the network’s EWS Application Programming Interface (API) twice, while connected to a VPN. After accessing the EWS API, the threat actors used Window Command Shell over a 3-day period, allowing them to interact with the organization’s network, including the collection of sensitive data. It was in this same period that the APT groups utilized Impacket to move laterally across systems. The Alert defines Impacket as a “Python toolkit for programmatically constructing and manipulating network protocols on another system.”
The response effort believes that the APT groups were able to maintain access to the network until January 2022 with the use of legitimate login credentials.
CISA’s Alert lists tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IoCs) related to this incident. CISA, along with the FBI and NSA, advise that any DIB sector or critical infrastructure organization take the necessary precautions listed in the Alert in order to manage this cyber threat.
Here are the stories we’re paying attention to this week…
SBOM: A first step in software supply chain security (Kuppingercole Analysts)
"Having a Bill of Materials is nothing new in the traditional Supply Chain Management (SCM) process, and it shouldn’t be any surprise and makes perfect sense to apply this same concept to software."
Complying with the Egypt Financial Cybersecurity Framework: What you should know (The State of Security)
The Egypt Financial Cybersecurity Framework uses the most common, and well-respected frameworks into one unified source. Rather than attempting to cross-reference all the frameworks to each other, the CBE choses the best practices from each, creating a new document for use in the financial sector.
The Federal Bureau of Investigation (FBI) and CISA have published a joint public service announcement. It assesses that malicious cyber activity aiming to compromise election infrastructure is unlikely to result in large-scale disruptions or prevent voting.
Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.
SaaS security provider Legit Security today announced the launch of Legitify, a new open-source security tool designed to help enterprises secure their GitHub implementations. The solution will enable security and devops teams to scan GitHub configurations at scale and ensure the integrity of open-source software.
Get up to speed on key trends and understand the landscape with The State of Software Supply Chain Security 2024. Plus: Learn about ReversingLabs Spectra Assure for software supply chain security.
- Update your understanding: Buyer's Guide for Software Supply Chain Security
- Join the Webinar: Why you need to upgrade your AppSec for the new era
- Get the report and take action: The State of Supply Chain Security 2024
- See the Webinar: State of Software Supply Chain Security 2024
- See Gartner's guidance on managing software supply chain risk