Here are the top security stories from recent weeks.
- Codecov Affected by Supply-Chain Attack; Notifies Customers
- Microsoft Warns of 25 Critical Memory-Allocation Vulnerabilities in IoT Devices
- Babuk Gang to Focus on Data-Theft Extortion instead of Ransomware
- Information of 22 Million ParkMobile Customers Released for Free on Hacking Forum
- Musical Instrument Marketplace Reverb Discloses Data Breach
Code coverage and software auditing company Codecov recently suffered a supply-chain attack where a threat actor gained access to its Bash Uploader script, altering it to exfiltrate sensitive information from customer environments. Threat actors gained credentials to modify the script by taking advantage of weaknesses in Codecov’s Docker image creation process.
Codecov discovered the compromise on April 1 and began notifying affected customers and providing IOCs on April 30. However, investigation shows the attack first began unnoticed in late January. U.S. federal authorities have also now joined the investigation. Hundreds of customer networks have reportedly been hacked due to this supply-chain attack, drawing comparisons to the SolarWinds attacks. Codecov has over 29,000 enterprise customers including big names like GoDaddy and Procter & Gamble.
Microsoft’s Azure Defender for IoT security research group discovered 25 critical memory-allocation vulnerabilities that can be used to execute malicious code. These vulnerabilities, dubbed “BadAlloc,” are present across IoT and industrial devices, including medical IoT devices and industrial control systems. Microsoft states it has not seen evidence of these vulnerabilities being exploited in the wild and has published recommended mitigations. The Cybersecurity Infrastructure and Security Agency (CISA) has published an advisory listing all affected devices.
The Babuk hacker group has posted a message stating their intent to leave the ransomware-as-a-service (RaaS) and focus on extortion without encrypting data. A few days ago, operators of the Babuk group posted then quickly removed a short farewell message stating their intent to shut down operations and release the source code for their malware. The Babuk gang began operations at the beginning of the year and recently hacked the Washington D.C. Metropolitan Police Department, stealing more than 250 gigabytes of data and publishing some of it.
Personal information for nearly 22 million ParkMobile customers has been released on a popular hacking forum, available for anyone to download for free. Data includes names, mobile numbers, email addresses, bcrypt hashed passwords, mailing addresses, license plate numbers, and vehicle information of customers of the popular parking app. ParkMobile issued a notification of the security incident in late March. Customers can visit Have I Been Pwned to check if they were affected by the ParkMobile breach.
Reverb, the largest online musical instrument marketplace, recently disclosed a data breach exposing 5.6 million records containing customer names, addresses, phone numbers, and email addresses. High-profile sellers affected include members of Black Sabbath, Smashing Pumpkins, and Nine Inch Nails. The breach occurred after an unsecured database containing customer information was exposed online. Reverb has already secured the database and sent out notifications to affected customers.
To learn about secure access service edge (SASE) and how it can protect organizations from exposure of sensitive information, malware, and web-based attacks, download our SASE with Bitglass technical brief below.
*** This is a Security Bloggers Network syndicated blog from Bitglass Blog authored by Jeff Birnbaum. Read the original post at: https://www.bitglass.com/blog/bss-another-supply-chain-attack-microsoft-vulnerabilities