INFOSEC IN BRIEF The US Senate passed a resolution in July to force the US Cybersecurity and Infrastructure Security Agency (CISA) to publish a 2022 report into poor security in the telecommunications industry but the agency has not delivered the document.
Senator Ron Wyden (D-OR), who has been pushing for the report’s release since it was written, last week sent yet another strongly-worded letter to the Department of Homeland Security (DHS), CISA’s parent agency, to point out that keeping the report secret is detrimental to the entire American cybersecurity community. Senator Mark Warner (D-VA) co-signed the letter.
“The continued suppression of a report identifying serious vulnerabilities of the U.S. telecommunications sector undermines the public’s understanding of these threats and stymies an important public debate on a path forward,” the pair wrote in their letter to DHS Secretary Kristi Noem. “We urge you to ensure the immediate public release … and to call for the FCC to establish mandatory minimum cybersecurity standards for the communications sector.”
The Senators noted that their chamber voted unanimously to require CISA to release the report but the agency “has inexplicably failed” to do so despite promising to do so shortly after the vote.
Wyden and Warner also reminded Noem of the Salt Typhoon hack of 2024 (which keeps looking worse) that targeted US telecom firms, plus the recent hackof a company that provides software and networking equipment, to illustrate the severity of the situation.
Whether CISA will finally spill the beans is anyone’s guess. They’ve already proven an act of Congress won’t force their hand, and the senators didn’t threaten them any further in the latest letter.
Logitech suffers zero day attack
Computer peripheral specialist Logitech last Friday published a regulatory filing [PDF] in which it admits to falling victim to a zero-day attack that led to exfiltration of data.
“Logitech believes that the unauthorized third party used a zero-day vulnerability in a third-party software platform and copied certain data from the internal IT system,” the filing reads. The company patched the zero-day vulnerability “following its release by the software platform vendor.”
The company isn’t sure what data it lost, but said it “likely included limited information about employees and consumers and data relating to customers and suppliers.”
“Logitech does not believe any sensitive personal information, such as national ID numbers or credit card information, was housed in the impacted IT system,” the filing states. – Simon Sharwood
Attacker stuffs npm with thousands of junk packages
If you thought those prior npm supply chain attacks were bad, you ain’t seen nothing like the latest discovery.
According to security researcher Paul McCarty at software supply chain security outfit SourceCodeRed, the npm worm he’s dubbed “IndonesianFoods” has published more than 78,000 malicious packages to the npm registry, nearly doubling the amount of known malicious packages in npm.
The attack appears to be a long-term, coordinated campaign, McCarty suggested. It’s not clear who’s behind the newly-discovered worm, but they appear to be thorough, using 55 npm user accounts created specifically to deploy the packages to the registry, which hide under the guise of legitimate Next.js applications.
Once installed, the malicious packages self-replicate, flooding npm registries with junk packages that can be used to further weaponize it to spread additional malware. McCarty advises everyone who relies on npm packages to give this list a look for any potential malicious content in their systems, and be very careful.
Lumma Stealer returns
It was nice while the FBI’s disruption of the Lumma Stealer network lasted, but it appears to be back.
Trend Micro reported an uptick in Lumma activity late last month, and said the stealer now uses different methods and has become harder to detect.
The new variant uses browser fingerprinting to collect system data, and masks its initial infection by hiding within Microsoft Edge Update installers and using process injection to work its way into Chrome browser processes.
“This technique allows the malware to execute within the context of a trusted browser process, effectively bypassing many security controls and appearing as legitimate browser traffic to network monitoring systems,” Trend Micro noted.
DoorDash breached again
Food delivery service DoorDash has leaked data, for the third time.
The outfit last week sent breach notice messages to customers, informing them someone got into the company’s systems and made off with user info including names, physical and email addresses, and phone numbers.
According to Bleeping Computer, a DoorDash employee falling victim to a social engineering scam was the cause of the incident. In 2022 the company fell victim to phishing. DoorDash blamed a 2019 leak of customer data on problems at a third-party service provider.
The delivery outfit’s breach notification letter says DoorDash can find no suggestion that attackers have used the purloined personal information to perpetrate fraud or identity theft. Nonetheless, the company is advising customers to be wary of unsolicited communications that include the stolen info and being extra careful if they receive email attachments from mysterious sources. ®