The Latest Software Security Intel (March 2024)

Newsletter March 2024 | MergeBase

Welcome to the March issue of the MergeBase newsletter, your gateway to the latest developments and insights in the world of cybersecurity.

This month, we’re giving you the lowdown on our upcoming interview with Cassie Crossley about her new book, Software Supply Chain Security.

We’ll also look at government hacks, Microsoft vulnerabilities, and the latest updates on the MergeBase blog.

Skip to:

1. Industry headlines
2. Top vulnerabilities
3. New on the blog

Coming Soon — Software Supply Chain Risk & Mitigation: Bob Lyle in Conversation with Cassie Crossley


Join Cassie Crossley, VP of Supply Chain Security at Schneider Electric, and Bob Lyle, Deputy Chair of the Device Security Group (DSG) of the GSMA and CRO of Riscosity, as they discuss topics from her latest book, “Software Supply Chain Security”, including:

  • Safeguarding physical and digital infrastructure
  • The importance of data classification and security training
  • The argument for and against making SBOMs publicly available
  • What the future holds for SBOM usage

Get your copy of Cassie’s book here

Want to have your say in future video topics?

If you have an idea for a future video or expert interview, we want to hear it! Please leave your suggestions here.

Industry Headlines

Threat actors are using unpatched vulnerabilities in OpenFire collaboration servers and Oracle Web Application Desktop Integrator to target government departments and companies worldwide.

It’s thought that the group responsible has been installing previously unseen backdoors through spear-phishing emails as part of a new campaign. Once they’ve successfully compromised a government’s IT infrastructure, the attackers host malicious payloads there and send phishing emails to other government-related targets, taking advantage of the trust recipients would give a government sender.

Learn more about this latest attack here.

US State Governors warned about targeted attacks on water and sewage systems

This month, the US federal government warned State Governors nationwide about foreign hackers targeting water and sewage systems.

EPA Administrator Michael Regan and National Security Advisor Jake Sullivan stated that in many cases, “even basic cybersecurity precautions” are not in place at water facilities, which “can mean the difference between business as usual and a disruptive cyberattack.”

Read more about this story here.

Top Vulnerabilities

Microsoft releases patches for 61 vulnerabilities, including two critical vulnerabilities affecting Windows Hyper-V

Microsoft’s March 2024 Patch Tuesday included patches for two critical CVEs found in Windows Hyper-V.

  • CVE-2024-21407, which has a CVSS score of 8.1 out of 10
  • CVE-2024-21408, which has a CVSS score of 5.5 out of 10

ShadowSyndicate ransomware gang looks for vulnerable versions of the aiohttp open-source framework (CVE-2024-23334)

Developers and IT administrators should ensure they’re using the latest version of the aiohttp open-source Python framework to prevent threat actors from exploiting older, vulnerable versions as an entry point for network compromise.

You can read more about the latest threat here.

New on the blog

Understanding Social Engineering and Insider Threats in Java Security

Learn how to recognize and protect against social engineering and insider threats affecting Java security.

How SBOMs Contribute to Effective Software Supply Chain Risk Management

Discover the role SBOMs play in effective software supply chain risk management.

Upcoming Conferences

MergeBase is a proud sponsor of the upcoming DevSummitIL on April 4th.

We’ve teamed up with ESL (Engineering Software Lab) to present our cutting-edge Java security expertise and showcase how MergeBase’s solutions can enhance the security of your software supply chain.

Are you attending the conference? Swing by the booth to meet the team and enter our exclusive giveaway for a chance to win a complimentary six-month subscription to MergeBase.

Ready to prioritize your software supply chain security in 2024?

Our technical team is ready to answer your software supply chain security questions and help you find the right solution for your organization.