News Bytes #42: The NPM Dependency Tree Is Compromised – Again
What happened with the Vue.js framework should act as a cautionary tale for developers and security leads in development environments. It could easily have led to a severe attack, but instead they were only faced with this message:
This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.
Called peacenotwar, RIAEvangelist’s initial source code was added to the framework on March 8th. Almost no downloads occurred until March 15th – the day it was added as a dependency of the popular module node-ipc by that module’s npm maintainer. As of the time of writing, peacenotwar has been downloaded almost 30,000 times. If this had been a malicious piece of code, we could be looking at a very severe supply chain attack that no one would have noticed until it was too late.
The questions to take away from this are “what do I know about my supply chain?” and “how do I plan to improve my security posture in that regard?” If you have any ideas, send in your answers and I will collate them in next week’s article on improving security in the supply chain.
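One concrete way to start answering that question is to read your own lockfile. The script below is an added example, not code from the newsletter or from any project it names: it walks a package-lock.json (v2/v3 "packages" map) and reports which direct dependency, through which semver ranges, brings a given package into the tree, so a transitive addition like peacenotwar under node-ipc is visible before it ships. The lockfile, versions and install-script flag are constructed for illustration.

```javascript
// Added example, not from the newsletter: walk an npm lockfile (v2/v3 "packages"
// map) to answer "how did this package get into my tree, and through which ranges?".
// SAMPLE_LOCK is constructed: names mirror the incident, versions and flags are made up.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "my-app", dependencies: { "@vue/cli": "^5.0.0" } },
    "node_modules/@vue/cli": { version: "5.0.0", dependencies: { "node-ipc": "^10.1.0" } },
    "node_modules/node-ipc": { version: "10.1.1", dependencies: { peacenotwar: "^9.1.0" } },
    "node_modules/peacenotwar": { version: "9.1.0", hasInstallScript: true },
  },
};

// npm's lookup rule: try <from>/node_modules/<name>, then walk up one
// node_modules level at a time until the root has been tried.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// BFS from the root: for each installed package, the shortest chain of
// "name@requested-range" links by which it is reached (Map: path -> chain).
function dependencyChains(lock) {
  const chains = new Map([["", []]]);
  for (const queue = [""]; queue.length; ) {
    const path = queue.shift();
    const p = lock.packages[path];
    const deps = { ...p.dependencies, ...p.optionalDependencies, ...(path ? {} : p.devDependencies) };
    for (const [name, range] of Object.entries(deps)) {
      const target = resolveDep(lock.packages, path, name);
      if (!target || chains.has(target)) continue;
      chains.set(target, [...chains.get(path), `${name}@${range}`]);
      queue.push(target);
    }
  }
  return chains;
}

// Every route by which `name` is installed, with the resolved version, and a
// flag when that copy runs an install script on `npm install`.
function whoPullsIn(lock, name) {
  return [...dependencyChains(lock)]
    .filter(([path]) => path.endsWith("node_modules/" + name))
    .map(([path, chain]) => `${chain.join(" > ")} (${lock.packages[path].version})` +
      (lock.packages[path].hasInstallScript ? " [install script]" : ""));
}
```

Run it against a real lockfile with `whoPullsIn(JSON.parse(fs.readFileSync("package-lock.json")), "node-ipc")` to see every caret range a single upstream publish could travel through.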
Another Wiper Targets Ukrainian Infrastructure
Only one week after our deep dive into a presumably Russian-made wiper virus that targeted Ukrainian organizations, another one has appeared – CaddyWiper. Just like HermeticWiper and IsaacWiper, this effort seems to be a more resilient form of this malware type. Taking aim at user data and partition information for all attached drives, this virus effectively destroys systems.
Much like other wiper attacks against Ukraine, only a few dozen systems appear to have been affected, according to ESET Research Labs. The security research team also noted that the wiper was deployed through Group Policy Objects (GPO), implying that these networks were already compromised and the wiper was only released as a final destructive move on the network.
Veeam Users Should Be on Red Alert
This week has also seen two critical vulnerabilities discovered in the popular backup and recovery software Veeam. Listed as CVE-2022-26500 and CVE-2022-26501 in the CVE database, both allow an adversary to execute malicious code remotely without authentication. This could lead to remote control of an entire system.
If you are using Veeam and haven’t already rolled out the updates, they can be found here on the Veeam website.
Ubisoft is compromised again… again
Although details of the attack are thin on the ground at the moment, the LAPSUS$ ransomware gang has claimed to have infiltrated Ubisoft. Reportedly, there are no concerns for gamers who are enjoying the French video game company’s top-rated titles such as Assassin’s Creed, the Tom Clancy series, and Far Cry.
This is the third time that Ubisoft has suffered from a cyberattack in the space of a year, leading cybersecurity professionals to ask “what is going on over there?”
CISSP Plans Changes to the Exam Format
For people still intending to take the CISSP in the near future, ISC2 plans to change the way the exam works and add 25 questions to each examination. From June 2022, this will increase the minimum and maximum number of questions that each candidate must answer to 125 and 175 respectively. It will also increase the overall exam time from three hours to four.
If you are going to be affected by this change, best of luck in taking your exam!
The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes. Join the newsletter here.