The latest software security intel (October 2023)

Newsletter October 2023 | MergeBase

Welcome to the October edition of the MergeBase newsletter, your gateway to the latest developments and insights in the realm of cybersecurity.

In this issue, we delve into the critical developments that have shaped the cybersecurity world over the past month. From the latest regulatory actions to practical guides on enhancing your security posture, we’ve curated content that is both insightful and actionable.

How to get your SCA tool implemented
SCA is a low-cost tool; now, how do you make implementation a top priority across the organization? Get Software Composition Analysis done! Listen to these tips from Oscar, Kelly, Inge, and Farshad and discover the steps to successful SCA implementation.

Industry Updates

SEC Charges SolarWinds and Chief Information Security Officer with Fraud

The U.S. Securities and Exchange Commission (SEC) has just announced charges against SolarWinds Corporation for fraud and internal control failures related to cybersecurity risks and vulnerabilities, spotlighting the critical need for robust cybersecurity measures and transparent disclosure practices.

What Happened? Allegations suggest that from October 2018 to December 2020, SolarWinds and its executives misled investors by misrepresenting the company’s cybersecurity defenses and downplaying known risks, including those related to the extensive “SUNBURST” cyberattack.

The enforcement action underscores the importance of companies implementing strong security controls and being transparent with investors and clients about cybersecurity issues.

Biden issues executive order on AI safety and security

Artificial Intelligence (AI) has become a cornerstone of modern innovation, influencing sectors from healthcare to national defense. Recognizing the profound impact of AI, President Biden has issued an executive order to ensure the safety and security of AI technologies. The executive order serves as a blueprint for integrating AI into national cybersecurity strategies.

Lazarus hackers breached dev repeatedly to deploy SIGNBT malware

The North Korean-affiliated Lazarus group has demonstrated a frightening level of persistence by repeatedly breaching a software vendor through vulnerabilities in that vendor's own software, even after patches had been issued. This persistence suggests a focus on stealing valuable source code or tampering with the software supply chain. SIGNBT malware was deployed alongside LPEClient, showing Lazarus's broad scope across regions and industries and emphasizing the need for organizations to patch software vulnerabilities promptly.

Cryptojackers steal AWS credentials from GitHub in 5 minutes

Cybersecurity experts from Palo Alto Networks' Unit 42 have exposed "EleKtra-Leak," a cryptojacking campaign that harvests AWS credentials exposed on GitHub and uses them to launch Monero mining on Amazon EC2 instances. Despite GitHub's and AWS's defenses, the attackers execute their scheme within minutes of a credential being exposed, revealing a gap in CI/CD security practices.

Apache ActiveMQ and the Vulnerability Exploit

A critical vulnerability in Apache ActiveMQ, identified as CVE-2023-46604, has been targeted by ransomware criminals. The flaw allows remote code execution, and despite the release of fixes, many services remained unpatched, leaving them open to attack. The ransomware attributed to these attacks was deemed "clumsy," indicating a potentially low-skill individual or group behind the attempts.

Tips & Guides

How to Find & Fix Known Vulnerabilities in Your Java Apps with MergeBase

Learn the ins and outs of navigating vulnerabilities in open-source libraries and discover how MergeBase’s software composition analysis tool can be your ally in quickly identifying, prioritizing, and patching potential security risks. Don’t let vulnerabilities hold you back. Dive into our comprehensive guide and start fortifying your Java applications today.

How Mature is Your DevSecOps?

Take our complimentary DevSecOps Maturity Assessment to gain valuable insights into your current approaches, identify areas needing improvement, and emphasize the importance of advancing your DevSecOps maturity. Begin your assessment.

Ready for amazing customer service?

Our technical team is here to answer any software supply chain security questions you may have and find the right solution for you.