Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On August 9, F5 discovered that multiple systems were compromised by what it is calling a "highly sophisticated nation-state threat actor" who maintained "long-term, persistent access to certain F5 systems". These included the BIG-IP product development environment and engineering knowledge management platform. That access allowed for the exfiltration of portions of F5's BIG-IP source code as well as information about undisclosed BIG-IP vulnerabilities F5 was working on.

This blog discusses PhishinGit, a phishing campaign uncovered by CYJAX that abuses GitHub.io pages to distribute malware disguised as Adobe downloads. It explains how threat actors used Browser-in-the-Browser (BitB) techniques, Dropbox-hosted payloads, and anti-analysis JavaScript to evade detection. The blog also explores the attack chain, observed mitigations, MITRE ATT&CK mapping, and indicators of compromise (IOCs) to help organisations identify and defend against similar threats.

Google’s Mandiant has published guidance on defending against an ongoing wave of social engineering attacks targeting organizations’ Salesforce instances. The organized criminal gang tracked by Google as “UNC6040” has been using voice phishing attacks to trick employees into granting access.

Most modern sites run significant third-party code in the user’s browser. The Web Almanac 2022 reports that the top 1,000 sites load an average of 43 third-party domains on mobile and 53 on desktop, expanding the surface for JavaScript injection attacks and supply-chain tampering. In parallel, real e-commerce compromises continue to surface. Sansec has identified more than 70,000 websites that suffered Magecart e-skimming over time.

Adversaries have shifted their tactics away from traditional malware and toward approaches that exploit the very tools organizations rely on. Instead of introducing malicious files that can be blocked outright, attackers weaponize legitimate applications such as built-in Windows utilities, remote monitoring and management (RMM) tools, file transfer software, and administrative programs.

As Jaguar Land Rover (JLR) announces a return to operations after a six-week disruption, a lengthier, less publicised UK-based cyber-attack recovery remains unresolved. Perhaps the relative quiet is because Colt Technology Services, a critical connectivity and trading network serving major banks and stock exchanges in ~30 countries, is not a household name like JLR, Co-Op, or M&S. Or perhaps it’s because the narrative doesn’t fit the now-expected Scattered Spider storyline.

Authentication issues seem like low-level attacks. But authentication today – especially API authentication – can be more difficult than people expect. Companies rely on APIs to carry sensitive information every day. If access to those APIs is not properly secured, all the sophisticated security solutions companies use to protect their data elsewhere are completely undermined.