Information

Tens of thousands of Android devices have been shipped to end-users with backdoored firmware, according to a warning from cybersecurity vendor Human Security. As part of the global cybercriminal operation called BadBox (PDF), Human Security found a threat actor relied on supply chain compromise to infect the firmware of more than 70,000 Android smartphones, CTV boxes, and tablet devices with the Triada malware. The infected devices come from at least one Chinese manufacturer but, before…

Software development giant GitHub on Wednesday announced an enhancement to its secret scanning feature, now allowing users to check the validity of exposed credentials for major cloud services. Generally available since March 2023, the secret scanning feature is meant to help organizations and developers identify potentially exposed secrets in their repositories and take immediate action. Backed by a large number of service providers in the GitHub Partner Program, the feature sends alerts to developers when…

Server and computer hardware giant Supermicro has released updates to address multiple vulnerabilities in Baseboard Management Controllers (BMC) IPMI firmware. The issues (tracked as CVE-2023-40284 to CVE-2023-40290) could allow remote attackers to gain root access to the BMC system, firmware supply chain security firm Binarly, which identified the bugs, explains. A special chip on server motherboards that support remote management, the BMC allows administrators to monitor various hardware variables and even update the UEFI system…

A series of critical vulnerabilities impacting a tool called TorchServe could allow threat actors to take complete control of servers that are part of the artificial intelligence (AI) infrastructure of some of the world’s largest companies. The flaws were discovered by Oligo, a company that specializes in runtime application security and observability, which disclosed its findings on Tuesday. The firm named the attack ShellTorch. TorchServe is an open source package in PyTorch, a machine learning…

Sensitive Department of Homeland Security (DHS) information might have been compromised in a recent ransomware attack aimed at government contractor Johnson Controls International. A multinational giant headquartered in Cork, Ireland, Johnson Controls produces industrial control systems and smart building equipment, software, and services, including HVAC, security, fire protection, and support solutions. The company serves clients in the education, government, healthcare, hospitality, naval, and transportation sectors, including the DoD, DHS, and other government agencies in the…