Kick back with us and dig into a selection of the best articles, code, and projects we found this past month.

Update on the ViaSat satellite network cyberattack

We start this month's news with an update on the ViaSat attack, a story we have been tracking in our March and April updates. One of the first signs of the hack was that more than 5,800 wind turbines belonging to the German energy company Enercon were knocked offline. Russia is now accused of being responsible for the mysterious satellite hack; as the article explains, Ukraine's military was the primary target and EU countries were collateral damage. >read<

Interactive Kubernetes Security Learning Playground

Learning and understanding Kubernetes security in a safe, practical, and efficient way can be challenging. Kubernetes Goat may just have solved this problem not only for security researchers but also for DevOps teams, and anyone interested in learning Kubernetes security. >read<

AWS Targeted by a Package Backfill Attack

AWS is not only the largest provider of cloud infrastructure in the world but also a major contributor to open-source components. The folks at WhiteSource have identified a targeted attack on some discontinued AWS packages, in which the malicious actors used a method called a backfill attack. >read<

Ransomware-as-a-service: Understanding the cybercrime gig economy

The cybercriminal economy - a network of players with a variety of skills, tools, and techniques - is evolving. The industrialization of attacks has progressed from malicious actors using off-the-shelf tools to attackers being able to purchase network access and the payloads they deploy. In this interesting article, Microsoft explains the RaaS affiliate model and how to protect yourself. >read<

How the RaaS affiliate model enables ransomware attacks

Five Eyes issue a warning to Managed Service Providers

Members of the Five Eyes (FVEY) intelligence alliance issued a warning for managed service providers and their customers regarding supply chain attacks. The advisory states that if an attacker can compromise a service provider, then the resulting malicious activity could affect the provider’s infrastructure, and its customers. While the document is specifically issued to service providers, it highlights proper security measures applicable for any business handling sensitive data. >read<


Software Supply Chain Attack I: Typosquatting

Typosquatting occurs when an attacker takes a popular framework or library, adds malicious code, and publishes it in a package repository under a similar name to the original. And this is exactly what happened in the Python Package Index (PyPI). The linked article goes over the infection process and how to stay safe from such attacks. >read<
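As an added example (not code from the newsletter or the linked article), here is a small check a team can run over its own requirements.txt to flag dependency names that sit within a short edit distance of an allow-list of known packages; the allow-list and the sample requirements are constructed for illustration.

```python
"""Flag dependency names in a requirements file that look like typosquats.

Added example; the KNOWN_PACKAGES allow-list and SAMPLE_REQUIREMENTS are
constructed (assumptions), not real project data.
"""
import re

# Constructed allow-list of well-known PyPI names (an assumption; use your own).
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "django", "flask", "ctx"}

# Constructed sample requirements.txt content containing one lookalike name.
SAMPLE_REQUIREMENTS = """\
requests==2.27.1
urlib3>=1.26
numpy
# build tooling
django-rest-framework
"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_names(text: str):
    """Yield the bare package name from each non-comment requirements line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            yield m.group(1)

def find_suspicious(text: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return (name, closest_known) pairs for names near, but not equal to, a known package."""
    known_norm = {normalize(k) for k in known}
    hits = []
    for name in requirement_names(text):
        n = normalize(name)
        if n in known_norm:
            continue  # exact match against the allow-list: fine
        for k in sorted(known_norm):
            limit = 1 if len(k) <= 5 else max_distance  # short names need a tighter bound
            if levenshtein(n, k) <= limit:
                hits.append((name, k))
                break
    return hits
```

Exact allow-list matches are skipped, so the check only surfaces near-misses such as `urlib3` next to `urllib3`.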

Software Supply Chain Attack II: Malicious Code

The Python module "ctx", which is downloaded over 20,000 times a week, was replaced with a malicious version. This "new" version exfiltrates the developer's environment variables in order to collect secrets such as AWS keys and other credentials. >read<

Strategies to communicate the value of a security program

George Do, CISO and former NASA security engineer, gave the keynote address at Black Hat Asia this week about his go-to model for measuring security effectiveness - and how to influence others in the organization. We appreciate the approach to winning hearts and minds as a security professional. >read<

AWS Security Maturity Model

Good advice on how to improve the security maturity in AWS by breaking things down into the following phases: quick wins, foundational, efficient, and optimized. The website includes many videos and whitepapers. >read<

Attackers stole login details of 100K npm users

GitHub reported that an attacker stole the login credentials of roughly 100,000 npm accounts in mid-April using stolen OAuth app tokens issued by Heroku and Travis-CI. The threat actor escalated their access using a compromised AWS access key, acquired after downloading multiple private npm repositories using the stolen OAuth user tokens in the initial stage of the attack. >read<