The Week in Security: Software supply chain attack mines diamond industry, npm security boosted

This week: An Iranian APT group carried out a data wiping software supply chain attack globally. Also: GitHub has introduced new security features for its npm repository.

This Week’s Top Story

Iranian APT group targets diamond industry with a data-wiping software supply chain attack

Advanced persistent threat (APT) actors in Iran have been busy launching cyber attacks globally this past year. Now, a new incident has been added to 2022’s laundry list of Iranian-linked attacks. The Hacker News reports that researchers at ESET have been tracking Agrius, an Iranian APT group, and found that since February of 2022, the group has been launching data wiper attacks on diamond industry entities in South Africa, Israel, and Hong Kong.

These wiper attacks were deployed thanks to a software supply chain attack Agrius carried out targeting an Israeli suite developer. By targeting the developer’s software update mechanism, Agruis was then able to target any customer that used the Israeli suite developer. Israel’s victims included HR firms, IT consulting companies, and a diamond wholesaler. In South Africa, a diamond industry entity was targeted, and similarly in Hong Kong, a jeweler was also targeted.

The wiper malware that Agrius used in these incidents is known as Fantasy, and ESET researchers believe the group built it off of a similar wiper known as Apostle, first discovered by researchers at SentinelOne. While Apostle was built with the intention of being a data wiper that masquerades itself as ransomware, Fantasy does not have this purpose. ESET researchers believe that Agrius had the sole intention of Fantasy being only a data wiper, rather than holding ransom against its victims.

News Roundup

Here are the stories we’re paying attention to this week…

New npm features for secure publishing and safe consumption (GitHub Blog)

"We are excited to announce two new features for a safer npm package ecosystem experience: granular access tokens and the npm code explorer."

Apple launches end-to-end encryption for iCloud data (Tech Crunch)

Apple launched Advanced Data Protection, a new, optional end-to-end encryption scheme that prevents data in a customer’s iCloud from being decrypted on an “untrusted” device.

Russia's second-largest bank reveals it is facing the largest DDoS attack in its history (Security Affairs)

State-owned VTB Bank, the second-largest financial institution in Russia, says it is facing the largest DDoS (distributed denial of service) attack in its history. The pro-Ukraine collective IT Army of Ukraine has claimed responsibility.

Multiple vulnerabilities in Google Android OS could allow for arbitrary code execution (Center for Internet Security)

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for arbitrary code execution. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.

Want to detect Cobalt Strike on a network? Look to process memory (The Register)

Enterprise security pros can detect malware samples in environments that incorporate the highly evasive Cobalt Strike attack code by analyzing artifacts in process memory, according to researchers with Palo Alto Networks' Unit 42 threat intelligence unit.

Google Chrome flaw added to CISA patch list (Dark Reading)

Although details about its real-world impact are vague, the Cybersecurity and Infrastructure Security Agency (CISA) added a Google Chrome flaw to its list of Known Exploited Vulnerabilities Catalog. CISA has given government agencies until Dec. 26 to get a patch in place.