Cybersecurity

While public facing websites are vital for today’s commerce, they also create a security risk that requires on-going diligence. In today's threat landscape, website injection attacks are not as enduringly popular to discuss as ransomware or phishing attacks. However, OWASP lists them as the third most significant risk to web application security, after access control and cryptography.

WaterISAC is tracking open-source reports describing an ongoing supply chain attack against 3CX software and its customers. According to the reports, 3CXDesktopApp — a voice and video conferencing app — was trojanized, potentially leading to multi-staged attacks against users employing the vulnerable app.

The FBI has released a Public Service Announcement warning of the use of Business Email Compromise (BEC) tactics by criminal actors to acquire physical goods from the victim. Instead of impersonating requests for the transfer of money, these attacks spoof purchase orders requesting the distribution of goods to a false company. The goods that the report highlights include construction materials, agricultural supplies, computer technology hardware, and solar energy products. Additionally, some criminals abuse credit repayment to conduct this attack multiple times against a single business.

On Thursday, CISA and Sandia National Laboratories released a new tool - Untitled Goose - to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. Among other features, Untitled Goose allows for the querying and exporting of AAD, M365, and Azure configurations for investigations.