DATA SECURITY, PLATFORM SECURITY, SOFTWARE SECURITY
Legit Security | December 12, 2022
Legit Security, a cyber security company with an enterprise platform that protects an organization's software supply chain from attack and ensures secure application delivery, today announced that it discovered a new class of software supply chain vulnerabilities that leverage artifact poisoning to attack underlying software development pipelines. The vulnerability was found in GitHub Actions, a platform for orchestrating and automating software development pipelines, and the vulnerability was identified in the highly popular programming language Rust. Many other GitHub Action projects remain potentially vulnerable and a technical disclosure blog including information to protect organizations from attack is available on Legit Security’s website.
The discovered pipeline vulnerability could allow any GitHub user to replace legitimate development artifacts with malicious ones, enabling attackers to modify source code, steal secrets and create CodeCov-like wide-reaching software supply chain attacks. Rust, an extremely popular programming language used by millions of developers, acknowledged and fixed the vulnerability after initial disclosure by the Legit Security Research Team.
GitHub Actions is part of the extremely popular GitHub source code management system at the heart of many organizations’ software supply chains and used by software developers globally. The vulnerability affects the GitHub Actions artifacts storage mechanism, which is used to store and transfer build artifacts between software development build jobs. Due to a limitation in the cross-workflow artifact communication mechanism, vulnerable workflows cannot distinguish between legitimate project artifacts and artifacts created by the project’s forks or copies, allowing any user to create a fork and then craft a malicious artifact that will be treated as a legitimate one.
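One defensive check for the limitation described above, as an added example that is not part of the press release or of the projects’ own code: before a consuming workflow downloads an artifact produced by another workflow run, it keeps only artifacts whose producing run had the base repository (not a fork) as its head repository. The `workflow_run`, `repository_id` and `head_repository_id` field names are assumed to match the GitHub REST artifact listing; the sample listing is constructed.

```python
# Added example (not Legit Security's or GitHub's code): filter artifacts
# listed from another workflow so that ones produced by a fork are ignored.
# Assumption: records follow the GitHub REST "list artifacts" response shape,
# including the workflow_run.repository_id / head_repository_id fields that
# GitHub added after the disclosure. SAMPLE_ARTIFACTS is constructed data.
import json

# Constructed listing of three artifacts named "build"; artifact 3 comes
# from a fork (its head_repository_id is not the base repository's id 42).
SAMPLE_ARTIFACTS = json.loads("""
{"artifacts": [
  {"id": 1, "name": "build", "expired": false,
   "workflow_run": {"id": 100, "repository_id": 42,
                    "head_repository_id": 42, "head_branch": "main"}},
  {"id": 2, "name": "build", "expired": true,
   "workflow_run": {"id": 101, "repository_id": 42,
                    "head_repository_id": 42, "head_branch": "main"}},
  {"id": 3, "name": "build", "expired": false,
   "workflow_run": {"id": 102, "repository_id": 42,
                    "head_repository_id": 777, "head_branch": "main"}}
]}
""")


def trusted_artifacts(listing, base_repo_id, name, branch=None):
    """Keep only unexpired artifacts of the given name whose producing run
    ran in the base repository with the base repository as head (not a
    fork). Records missing workflow_run metadata are rejected, not trusted."""
    trusted = []
    for art in listing.get("artifacts", []):
        run = art.get("workflow_run") or {}
        if art.get("name") != name or art.get("expired", True):
            continue
        if run.get("repository_id") != base_repo_id:
            continue
        if run.get("head_repository_id") != base_repo_id:
            continue  # produced by a fork or copy: untrusted
        if branch is not None and run.get("head_branch") != branch:
            continue
        trusted.append(art)
    return trusted


def newest_trusted_artifact_id(listing, base_repo_id, name, branch=None):
    """Id of the most recent trusted artifact (highest run id), or None."""
    arts = trusted_artifacts(listing, base_repo_id, name, branch)
    if not arts:
        return None
    return max(arts, key=lambda a: a["workflow_run"]["id"])["id"]
```

A consuming workflow would call `newest_trusted_artifact_id` with the listing it fetched and its own repository id, and download nothing when the result is `None`.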
“This is a different class of vulnerability that can lead to attacks and modification of the development pipeline itself, not just modification of the code. A simple analogy could be made to a car assembly line. This is an attack on the assembly line itself that could include stealing sensitive parts, turning off certain steps, or substituting any valid part for a malicious one. It’s a powerful attack vector that gives cyber criminals a lot of options to inflict damage. In this case, the vulnerable targets are software supply chains that use GitHub Action.”
Liav Caspi, co-founder and CTO, Legit Security
The Legit Security Research Team also disclosed the security issue to the GitHub security team. GitHub responded by simply updating their API to include information that could help prevent this vulnerability. It should be noted that GitHub didn’t address the root cause of the issue, thus leaving many other GitHub Action projects vulnerable to the aforementioned software supply chain attacks. Legit Security’s technical disclosure blog includes important information on how to protect organizations from this type of attack. More information about general GitHub security best practices can also be found here.
Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform’s unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments, and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.
PLATFORM SECURITY, SOFTWARE SECURITY
Omega Systems | January 10, 2023
On January 09, 2023, Omega Systems, a Pfingsten Partners portfolio company, announced the acquisition of The TNS Group, a leading IT services provider based in Stamford, CT. The acquisition strengthens and further expands Omega's footprint in the Northeast and key target industries, such as healthcare, fintech and non-profit.
The TNS Group, with offices in Stamford, Fairhaven, MA, and New York City, has been delivering technology, IT consulting, and cybersecurity services for over 25 years. Omega, for its part, has over 700 mid-market and enterprise customers in financial services, manufacturing, healthcare, nonprofit, and state/local government across the United States.
Bill Kiritsis, Omega Systems Founder & CEO, said, "The TNS Group is a valuable extension to our growing presence in the Northeast, and we're thrilled to welcome them to the Omega family." He further stated, "There are great synergies between our organizations – both in our corporate cultures and our commitment to customers – and we're eager to unite and accelerate our efforts to delivering the world-class IT, security and compliance services today's enterprises require."
(Source – PR Web)
TNS is Omega's third strategic acquisition in the past 12 months. Omega previously acquired PICS ITech and ACE IT Solutions, both in 2022. The company now has over 185 employees and a growing, diverse managed services portfolio that includes managed IT compliance, managed cybersecurity, cloud hosting services, backup and disaster recovery, NOC and SOC services and strategic IT consulting.
About Omega Systems
Omega Systems is a major managed service provider (MSP) and managed security service provider (MSSP) for mid-sized businesses in the financial services, government, manufacturing, healthcare, and professional services industries. Omega's customer-first solutions are based on its approach to personalized service, designed to address the growing regulatory, compliance and data processing needs of today's highly regulated, security-conscious businesses.
About The TNS Group
The TNS Group, a Managed Service Provider (MSP), offers cloud solutions, managed security, business continuity, and IT consulting. Its portfolio of solutions helps develop business strategies through technology. It aims to bring value to its clients by simplifying innovative technologies and offering layers of expertise and flexibility to achieve overall goals. TNS serves clients in the fintech, healthcare, nonprofit and shipping/distribution industries.
DATA SECURITY, PLATFORM SECURITY, SOFTWARE SECURITY
Bitdefender | November 03, 2022
Bitdefender, a global cybersecurity leader, today unveiled the first real-time chat protection capabilities for mobile-based instant messaging applications. Bitdefender Chat Protection immediately alerts users if malicious links are received or sent during live sessions over the world’s most popular chat applications including WhatsApp, Facebook Messenger, Telegram and Discord. A true industry innovation, the new capabilities help protect users from increased cybercriminal activities targeting mobile devices.
Chat Protection is incorporated into Bitdefender Mobile Security for Android through Bitdefender Scam Alert technology, used by consumers worldwide for monitoring, detecting and stopping link-based attacks delivered via messaging applications, notifications, and SMS text messages. Chat Protection continuously monitors chat sessions, alerting users to suspicious links that might attempt to steal financial data, credentials and other sensitive information.
When malicious links are detected during chat sessions, the user receives a warning along with information about the associated risks and a suggested course of action. If warnings are ignored, built-in web protection technologies prevent the user from navigating to the malicious webpage.
More than two billion people use WhatsApp and more than one billion use Facebook Messenger globally. At the same time, malware and scams sent via instant messaging apps and SMS text messages remain one of the top threats to mobile users in 2022. According to the 2021 Bitdefender Consumer Threat Landscape Report, spam and untrusted domains account for a combined 85% of detected malicious URLs.
“Mobile threats continue to increase, and cybercriminals have evolved beyond email-based phishing attacks to include SMS text messages (smishing) and popular instant messaging applications. With the new capabilities in Bitdefender Mobile Security for Android, users can rest easy and chat safely knowing they have strong, real-time protection against malware, malicious links and scams across their Android devices.”
Ciprian Istrate, senior vice president of operations, Consumer Solutions Group at Bitdefender
Key Features and Benefits
Bitdefender Mobile Security for Android with Chat Protection customers benefit from:
Preemptive alerting for financial and data loss risks -- When users receive a suspicious link in messaging applications, notifications or text messages, they are notified so they can avoid accessing or sharing the link.
Enhanced protection for friends and family -- If a potentially dangerous link is inadvertently shared, users have the option to recall or delete the message.
Detection of sophisticated social engineering -- Phishing attempts that rely on human curiosity, urgency, and impersonation are recognized and flagged by Bitdefender, offering users an additional layer of protection.
Bitdefender provides cybersecurity solutions with leading security efficacy, performance, and ease of use to enterprise organizations and consumers. Guided by a vision to be the world’s most trusted cybersecurity solutions provider, Bitdefender is committed to defending organizations and individuals around the globe against cyberattacks to transform and improve their digital experience.