
      Trojanized Windows and Mac apps rain down on 3CX users in massive supply chain attack

      news.movim.eu / ArsTechnica · Thursday, 30 March, 2023 - 17:13 · 1 minute

    Hackers working on behalf of the North Korean government have pulled off a massive supply chain attack on Windows and macOS users of 3CX, a widely used voice and video calling desktop client, researchers from multiple security firms said.

    The attack compromised the software build system used to create and distribute Windows and macOS versions of the app, which provides both VoIP and PBX services to “600,000+ customers,” including American Express, Mercedes-Benz, and PricewaterhouseCoopers. Control of the software build system gave the attackers the ability to hide malware inside 3CX apps that were digitally signed using the company’s official signing key. The macOS version, according to macOS security expert Patrick Wardle, was also notarized by Apple, indicating that the company analyzed the app and detected no malicious functionality.

    In the making since 2022

    “This is a classic supply chain attack, designed to exploit trust relationships between an organization and external parties,” Lotem Finkelstein, Director of Threat Intelligence & Research at Check Point Software, said in an email. “This includes partnerships with vendors or the use of a third-party software which most businesses are reliant on in some way. This incident is a reminder of just how critical it is that we do our due diligence in terms of scrutinizing who we conduct business with.”

      10 malicious Python packages exposed in latest repository attack

      news.movim.eu / ArsTechnica · Tuesday, 9 August, 2022 - 18:01 · 1 minute

    Supply-chain attacks, like the latest PyPi discovery, insert malicious code into seemingly functional software packages used by developers. They're becoming increasingly common.

    Researchers have discovered yet another set of malicious packages in PyPI, the official and most popular repository for Python programs and code libraries. Those duped by the seemingly familiar packages could be subject to malware downloads or theft of user credentials and passwords.

    Check Point Research, which reported its findings Monday, wrote that it didn't know how many people had downloaded the 10 packages, but it noted that PyPI has 613,000 active users, and its code is used in more than 390,000 projects. Installing from PyPI through the pip command is a foundational step for starting or setting up many Python projects. PePy, a site that estimates Python project downloads, suggests most of the malicious packages saw hundreds of downloads.

    Such supply-chain attacks are becoming increasingly common, especially among open source software repositories that support a wide swath of the world's software. Python's repository is a frequent target, with researchers finding malicious packages in September 2017; June, July, and November 2021; and June of this year. But trick packages have also been found in RubyGems in 2020, NPM in December 2021, and many more open source repositories.

      Microsoft says SolarWinds hackers stole source code for 3 products

      Dan Goodin · news.movim.eu / ArsTechnica · Friday, 19 February, 2021 - 02:20

    The hackers behind one of the worst breaches in US history read and downloaded some Microsoft source code, but there’s no evidence they were able to access production servers or customer data, Microsoft said on Thursday. The software maker also said it found no evidence the hackers used the Microsoft compromise to attack customers.

    Microsoft released those findings after completing an investigation begun in December, after learning its network had been compromised. The breach was part of a wide-ranging hack that compromised the distribution system for the widely used Orion network-management software from SolarWinds and pushed out malicious updates to Microsoft and roughly 18,000 other customers.

    The hackers then used the updates to compromise nine federal agencies and about 100 private-sector companies, the White House said on Wednesday. The federal government has said that the hackers were likely backed by the Kremlin.

      Feds say that Russia was “likely” behind months-long hack of US agencies

      Dan Goodin · news.movim.eu / ArsTechnica · Wednesday, 6 January, 2021 - 04:06

    Hackers working for the Russian government were “likely” behind the software supply chain attack that planted a backdoor in the networks of 180,000 private companies and governmental bodies, officials from the US National Security Agency and three other agencies said on Tuesday.

    The assessment—made in a joint statement that also came from the FBI, the Cybersecurity and Infrastructure Security Agency, and the Office of the Director of National Intelligence—went on to say that the hacking campaign was a “serious compromise that will require a sustained and dedicated effort to remediate.”

    Russia, Russia, Russia

    The statement is at odds with tweets from US President Donald Trump disputing the Russian government’s involvement and downplaying the severity of the attack, which compromised the software distribution system of Austin, Texas-based SolarWinds and used it to push a malicious update to almost 200,000 of its customers.
