The Latest Software Security Intel (April 2024)

Newsletter April 2024 | MergeBase

Welcome to the April issue of the MergeBase newsletter, your gateway to the latest developments and insights in the world of cybersecurity.

First up, how confident are you in your organization’s ability to handle next-gen security threats?

Cisco’s latest study of more than 8,000 cybersecurity decision-makers found that most security teams are “overconfident,” placing their organization at risk.

In a month that saw AT&T confirm a breach affecting 73 million current and former customers (hot on the heels of a March 2023 breach affecting 9 million), and a backdoor planted in the XZ Utils compression library, one that could have opened SSH on a large share of Linux systems, caught only because a Microsoft engineer noticed SSH logins behaving oddly, they may well be on to something.

MergeBase now supports Rust and Dart

In our ongoing commitment to fortifying applications throughout the entire software development lifecycle, we’re thrilled to announce support for two new languages.

This latest development makes MergeBase the first complete software supply chain solution with Dart support, so we’d love your feedback on how we can continue strengthening our support moving forward.

What language do you want to see added next? Let us know!

Skip to:

1. Industry headlines
2. Top vulnerabilities

Industry Headlines

US government data exposed after Space-Eyes data breach

Miami-based geospatial intelligence firm Space-Eyes, which caters exclusively to US government agencies, was breached by the Serbian threat actor known as IntelBroker.

The breach stands to expose US national security data, including information from the Department of Justice, the Department of Homeland Security, and branches of the US Armed Forces.

Learn more about this latest attack here.

Google agrees to destroy billions of data records, settling a $5 billion class action lawsuit over “incognito” tracking

The Californian tech giant was accused of tracking users’ browsing activity while they were in Chrome’s Incognito mode, sparking concerns about what “private” browsing actually protects.

The lawsuit, initiated in 2020, was settled this month, with Google agreeing to destroy billions of data records. Under the terms of the agreement, Google will not pay damages (although individuals can pursue compensation) and has pledged to enhance disclosure policies. In a huge step forward for user privacy, Google will also permit users in incognito mode to block third-party cookies (but only for the next five years).

Read more about this story here.

Top Vulnerabilities

Palo Alto announces critical vulnerability affecting the GlobalProtect feature of their PAN-OS software

The flaw (CVE-2024-3400) is a command injection reached through arbitrary file creation in the GlobalProtect feature of Palo Alto Networks PAN-OS software. On affected versions (PAN-OS 10.2, 11.0 and 11.1) with a GlobalProtect gateway or portal configured, an unauthenticated attacker may be able to execute arbitrary code with root privileges on the firewall. The vulnerability does not affect Cloud NGFW, Panorama appliances or Prisma Access.
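The class of bug described above, a request value that lands on disk as an attacker-chosen file name, which a privileged job later interpolates into a shell command, is easy to reproduce in miniature. The following is an added illustration written for this newsletter; it is not Palo Alto’s code and does not reproduce the PAN-OS code path. The session-file layout, the ID format and the `echo`-based maintenance job are all assumptions chosen to show the pattern, and the job runs as the current user rather than root.

```python
"""Added illustration of the 'arbitrary file creation -> command injection'
class. Not Palo Alto's or MergeBase's code; layout and names are assumed."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

SESSION_DIR_NAME = "sessions"                        # assumed layout
SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{16,64}")   # assumed id format


def create_session_file_vulnerable(base: Path, session_id: str) -> Path:
    """Marker file named after a caller-supplied session id.
    VULNERABLE: the id is used verbatim, so '../' escapes the sessions
    directory and shell metacharacters survive into the file name."""
    path = base / SESSION_DIR_NAME / session_id
    path.parent.mkdir(parents=True, exist_ok=True)
    path.touch()
    return path


def create_session_file_hardened(base: Path, session_id: str) -> Path:
    """Same purpose: strict allow-list on the id, and the resolved path
    must stay directly inside the sessions directory."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("session id rejected by allow-list")
    sessions_dir = (base / SESSION_DIR_NAME).resolve()
    path = (sessions_dir / session_id).resolve()
    if path.parent != sessions_dir:
        raise ValueError("path escapes sessions directory")
    sessions_dir.mkdir(parents=True, exist_ok=True)
    path.touch()
    return path


def maintenance_task_vulnerable(directory: Path) -> list[str]:
    """Periodic job over every file in a directory.
    VULNERABLE: the file name is spliced into a shell command string, so a
    name like 'evil; echo INJECTED' runs a second command."""
    lines = []
    for name in sorted(os.listdir(directory)):
        proc = subprocess.run(f"echo processing {name}", shell=True,
                              capture_output=True, text=True)
        lines.extend(proc.stdout.splitlines())
    return lines


def maintenance_task_hardened(directory: Path) -> list[str]:
    """Same job with no shell: argv list, the name is exactly one argument."""
    lines = []
    for name in sorted(os.listdir(directory)):
        proc = subprocess.run(["echo", "processing", name],
                              capture_output=True, text=True)
        lines.extend(proc.stdout.splitlines())
    return lines


def demo() -> dict:
    """Runs both chains against a constructed malicious session id."""
    malicious_id = "../evil; echo INJECTED"   # constructed attacker input
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        create_session_file_vulnerable(base, malicious_id)
        # The marker landed in `base`, outside the sessions directory,
        # where the privileged job later lists files and builds a command.
        results["vuln_escaped"] = (base / "evil; echo INJECTED").exists()
        results["vuln_injected"] = "INJECTED" in maintenance_task_vulnerable(base)
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        try:
            create_session_file_hardened(base, malicious_id)
            results["hardened_rejected"] = False
        except ValueError:
            results["hardened_rejected"] = True
        # Even with a hostile name already on disk, the argv job will not run it.
        (base / "evil; echo INJECTED").touch()
        results["hardened_injected"] = "INJECTED" in maintenance_task_hardened(base)
    return results


if __name__ == "__main__":
    print(demo())
```

Both fixes matter independently: the allow-list stops the file from being created where it should not be, and dropping the shell means that even a hostile file name already on disk is passed as a single argument rather than parsed as a command.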

SAP users warned of increased interest from threat actors targeting poorly patched organizations

Discussion of SAP vulnerabilities and exploits on criminal forums rose 490% between 2021 and 2023, and the asking price for SAP remote code execution exploits jumped 400%.

Threat intelligence from Onapsis Research Labs and Flashpoint Threat Intelligence Platform has found that multiple, unpatched application-level SAP vulnerabilities are being exploited and used in ransomware campaigns.

Exploited vulnerabilities include:

You can read more about the latest threat and security guidance here.

Cisco releases patches for two privilege escalation vulnerabilities in its Integrated Management Controller (IMC)

Cisco has released patches for two flaws that could allow an authenticated attacker to execute commands as root on the underlying operating system. Proof-of-concept exploit code is already publicly available for one of them.

The identified vulnerabilities are

You can read more about this story here.

Don’t miss your chance to win a copy of “Software Supply Chain Security”

To celebrate the release of our interview with Cassie Crossley, we’re giving away a free copy of her latest book “Software Supply Chain Security.”

Run a scan in MergeBase before 11:59 p.m. PST on April 30th to be automatically entered into the draw. The competition is open to new and existing customers and free trial users.

New to MergeBase? Sign up for a free trial here

Ready to prioritize your software supply chain security in 2024? 

Our technical team is ready to answer your software supply chain security questions and help you find the right solution for your organization.