All news with #supply chain compromise tag

🔒 ZipLine is a highly sophisticated social-engineering phishing campaign identified by Check Point Research that reverses the typical attack flow by initiating contact through corporate “Contact Us” forms. Attackers cultivate multi-week, professional email exchanges and often request NDAs before delivering a malicious ZIP containing the in-memory backdoor MixShell. MixShell maintains covert command-and-control via DNS tunneling with HTTP fallback and executes in memory to reduce forensic traces. The campaign primarily targets U.S. manufacturing and supply-chain–critical organizations and has evolved a second wave that uses an AI transformation pretext to increase legitimacy.

🔐 Google’s Threat Intelligence Group (GTIG) detected a March 2025 campaign attributed to UNC6384 that uses captive-portal hijacks to deliver a digitally signed downloader called STATICPLUGIN. The downloader (observed as AdobePlugins.exe) retrieves an MSI and, via DLL sideloading through Canon’s IJ Printer Assistant Tool, stages a PlugX variant tracked as SOGU.SEC entirely in memory. Operators used valid TLS and GlobalSign-signed certificates issued to Chengdu Nuoxin Times Technology Co., Ltd, aiding evasion while targeting diplomats and other entities.

🔒 ESET researchers disclosed a previously unknown WinRAR zero-day, CVE-2025-8088, actively exploited by the Russia-aligned group RomCom. The flaw is a path-traversal vulnerability that leverages NTFS alternate data streams (ADS) to conceal malicious files in RAR archives, which are silently deployed on extraction. Observed payloads included a Mythic agent, a SnipBot variant, and RustyClaw (MeltingClaw), targeting organizations in finance, manufacturing, defense and logistics. Users and vendors relying on WinRAR, UnRAR.dll or its source must update to the July 30, 2025 patched release immediately.

🔓 Level One Robotics left 157 GB of sensitive customer, employee, and corporate files accessible via an unrestricted rsync server, exposing CAD drawings, factory layouts, robotic configurations, NDAs, identity documents, and banking records for over 100 manufacturing clients. UpGuard discovered the exposure on July 1, 2018 and began outreach on July 5; after contact on July 9, Level One remediated the server by July 10. The incident underscores third- and fourth-party supply-chain risk and the need to restrict file-transfer services by IP and authentication, enforce vendor security standards, and maintain rapid exposure-response procedures.

🔒 The UpGuard Cyber Risk team found an open rsync server owned by Level One Robotics that exposed 157 GB of files for more than 100 manufacturing customers, including major automakers. Exposed materials included factory CAD schematics, robotic configurations, NDA texts, VPN and badge request forms, employee ID scans, and corporate financial records. After notification, Level One closed the exposure promptly.