New Attack Technique ‘Sleepy Pickle’ Targets Machine Learning Models

June 13, 2024 at 10:25AM The discovery of a new attack method called Sleepy Pickle poses a significant security risk to machine learning (ML) models. The attack targets ML models by corrupting the Pickle format, allowing for the insertion of payloads to modify model behavior and output. It is recommended to load models from trusted …

AI Company Hugging Face Notifies Users of Suspected Unauthorized Access

June 1, 2024 at 03:48AM AI company Hugging Face detected unauthorized access to its Spaces platform, affecting users creating, hosting, and sharing AI and machine learning apps. The company is revoking tokens and investigating the breach’s impact on users. The incident underscores the increased risk to AIaaS providers, with previous security flaws exposing potential supply …

UK Military Data Breach a Reminder of Third-Party Risk in Defense Sector

May 8, 2024 at 07:17PM The breach of data on over 225,000 UK military personnel from a payroll contractor highlights the security risks posed by external contractors to defense entities. This incident, the second in a year, underscores the vulnerable underbelly of defense supply chains. Calls for mandatory minimum cybersecurity standards for defense and critical …

UK opens investigation of MoD payroll contractor after confirming attack

May 8, 2024 at 07:24AM The UK Ministry of Defence faced a cyberattack on its payroll system. While no data removal is confirmed, personal information of armed forces personnel was accessed. The system operator, SSCL, faces scrutiny. Up to 272,000 people may be affected. Concerns about Chinese involvement are raised, although formal attribution is pending. …

Home Depot Hammered by Supply Chain Data Breach

April 8, 2024 at 05:16PM Home Depot confirmed employee data compromise via a third-party software vendor, with a “small sample” of employees’ names, corporate IDs, and email addresses exposed. The incident underlines the importance of choosing SaaS vendors with robust cybersecurity measures. Experts recommend testing vendors’ workflows with non-production data and conducting regular security best …

Millions of Malicious Repositories Flood GitHub

March 4, 2024 at 08:31AM Cyberattackers have created over 100,000 malicious repositories on GitHub, with some estimates reaching over a million. They use automation to copy, infect, and reupload existing repositories, tricking developers into downloading malware. GitHub’s security mechanisms remove most fakes, but some still slip through. Organizations need policies to protect against these attacks. …

NIST Cybersecurity Framework 2.0: 4 Steps To Get Started

March 1, 2024 at 02:33PM The latest draft of the NIST Cybersecurity Framework introduces significant changes, including a new “Govern” function and expanded best practices. Organizations must assess the impact on their cybersecurity programs and consider factors such as supply chain security. Utilizing NIST resources, discussing the “Govern” function with leadership, and re-evaluating vendor support …

ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware

February 23, 2024 at 10:13AM A critical security vulnerability in ConnectWise ScreenConnect has been identified, with potential for a large-scale supply-chain attack. Exploitation can allow hackers to access numerous servers and endpoints, including those of managed service providers. Multiple CVEs have been disclosed, with active exploitation reported. Organizations are advised to apply patches and monitor …

Ubuntu ‘command-not-found’ tool can be abused to spread malware

February 14, 2024 at 11:00AM A logic flaw in Ubuntu’s ‘command-not-found’ package suggestion system allows attackers to promote malicious Snap packages, posing significant supply chain risks for Linux users. Attackers can exploit typos, unreserved snap names, and unclaimed aliases to trick the utility into suggesting harmful packages. Mitigation steps include package authenticity verification and developer …

Getting off the Attack Surface Hamster Wheel: Identity Can Help

January 10, 2024 at 07:22AM IT professionals have developed a deep understanding of the enterprise attack surface and the challenges it poses for cybersecurity. The expansion of the attack surface due to cloud services, remote working, IoT, supply chains, AI, and social networking requires a shift in security strategy. Prioritizing digital identities and investing in …