Welcome to the latest copy of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we analyze the wild world of security.

Earlier this week, several major US government agencies — including the Departments of Homeland Security, Commerce, Treasury, and State — disclosed that their digital systems had been breached by hackers in what’s fast turning out to be a highly sophisticated supply chain attack.

Such attacks often work by first compromising a third-party vendor with a connection to the true target.

Infiltrating a third-party provider that has access to its customers’ networks also vastly increases the scale of an attack, as a single successful break-in opens up access to all the businesses that rely on that provider, making them all reachable at once.

In this case, the attackers turned to SolarWinds, a Texas-based IT infrastructure provider, injecting malicious code into its network monitoring tool, which was then pushed to nearly 18,000 of its customers as software updates.

SolarWinds counts several US federal agencies and Fortune 500 firms among its clients.

Cybersecurity firm FireEye, which also appears to have been a victim of the same attack, called it a meticulously planned espionage campaign that may have been underway since at least March 2020.

Although there hasn’t been any concrete evidence tying the attacks to a specific threat actor, multiple media reports have pinned the intrusions on APT29 (aka Cozy Bear), a hacker group associated with Russia’s foreign intelligence service.

It may take months to fully understand the breadth and depth of the hack, but the SolarWinds incident once again highlights the severe consequences of a compromised supply chain.

Of course, supply chain attacks have happened before. What’s more concerning here is how little has been done since then to prevent them from happening again.

What’s trending in security?

Signal added support for encrypted group calls, the Zodiac Killer cipher was cracked after 51 long years, and a former Cisco engineer was sentenced to 24 months in prison for deleting 16,000 Webex accounts without authorization.

  • The Zodiac Killer cipher was cracked after 51 years. “It was an exciting project to work on, and it was on many people’s ‘top unsolved ciphers of all time’ lists,” said Dave Oranchak, one of the three men who cracked the encoded message. [Ars Technica]
  • Hackers are getting creative with web skimmers designed to steal payment info from users when they visit a compromised shopping website. Researchers found criminal gangs experimenting with hiding the malicious code in CSS style sheets and social media buttons. [ZDNet]
  • GitHub found that security vulnerabilities in open-source projects often go undetected for more than four years before being disclosed. What’s more, 17% of all vulnerabilities in software were deliberately planted for malicious purposes. As they say, open-source does not equal secure. [GitHub]
  • Apple and Cloudflare joined hands for a new initiative called Oblivious DNS-over-HTTPS (ODoH) that hides the websites you visit from your ISP. [Ars Technica / Gizmodo]
  • Former Cisco engineer Sudhish Kasaba Ramesh, 31, was sentenced to 24 months in prison for deleting 16,000 Webex accounts without authorization, costing the company more than $2.4 million, with $1,400,000 in employee time and $1,000,000 in customer refunds. [ZDNet]
  • Secure messaging app Signal added support for encrypted group video calls with up to five participants. [Signal]
  • A German court forced encrypted email provider Tutanota to create a backdoor that allows it to monitor an individual’s inbox in connection with a blackmail case. [CyberScoop]
  • Just a couple of weeks ago, we learned that the company behind the X-Mode SDK had been selling customer location data to government contractors. Now Forbes’ Thomas Brewster has reported how surveillance vendors like Rayzone and Bsightful are siphoning location data from smartphones with the help of tools used to serve mobile ads in third-party apps. [Forbes]
  • Operatives with an Arabic-speaking hacking group, known as MoleRATs, used mainstream technology services like Facebook and Dropbox to hide their malicious activity and exfiltrate data from targets across the Middle East. [Cybereason]
  • Critical flaws discovered in dozens of GE Healthcare radiological devices could allow an attacker to gain access to sensitive personal health information, alter data, and even compromise the machines’ availability. Worse, these devices are secured with hardcoded default passwords that could be exploited to access sensitive patient scans. [CyberMDX]
  • Apple, Google, Microsoft, and Mozilla banned a digital certificate being used by the Kazakhstan government to intercept and decrypt HTTPS traffic, after the country began forcing citizens in its capital of Nur-Sultan to install the certificate on their devices to access foreign internet services as part of a cybersecurity exercise. [ZDNet]
  • The past fortnight in data breaches, leaks, and ransomware: European Medicines Agency, Foxconn, Intel’s Habana Labs, Kmart, Kopter, Netgain, Randstad, Spotify, Vancouver’s TransLink, UiPath, 45 million images of X-rays and other medical scans, and the personal data of 243 million Brazilian citizens.

Data Point

According to the latest stats from the National Vulnerability Database, 2020 saw a record number of disclosed flaws, with as many as 17,537 bugs recorded during the year, slightly up from 17,306 in 2019.
Over the past 12 months, 4,177 high-severity vulnerabilities, 10,767 medium-severity vulnerabilities, and 2,593 low-severity vulnerabilities were reported. In 2019, there were 17,306 flaws published: 4,337 high-severity, 10,956 medium-severity, and 2,013 low-severity vulnerabilities.

That’s it. See you all in two weeks. Stay safe!
