
Amazon warns that Russia’s Sandworm has shifted its tactics

16 December 2025 at 10:54

Attackers associated with Russia’s Main Intelligence Directorate (GRU) have targeted Western-based critical infrastructure with a special focus on the energy sector as part of an ongoing campaign dating back to 2021, Amazon Threat Intelligence said in a report Monday. 

The threat group simplified operations earlier this year by shifting away from vulnerability exploitation to focus on misconfigured network edge devices hosted on Amazon Web Services as the primary initial access vector, CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post. 

Researchers said malicious infrastructure used by the attackers overlaps with operations linked to Sandworm, also known as APT44 and Seashell Blizzard, a detail that gives them confidence the activity is associated with Russia’s GRU. 

Amazon did not say how many attacks it’s attributed to the campaign, nor how the pace of activity has changed since the first wave of attacks occurred in 2021. The company said it has notified customers affected by the intrusions, remediated compromised EC2 instances and shared intelligence with partners and affected vendors to aid further investigations.

The Russia state-sponsored threat group has continued to target multiple Western-based organizations in the energy sector including electric utilities, energy providers and managed security service providers specializing in the industry, according to Amazon. 

Researchers said the threat group has also targeted collaboration platforms, source code repositories, organizations with cloud-based network infrastructure, critical infrastructure providers in North America and Europe, and telecom providers across multiple regions. 

Attacks typically begin with a compromised customer network edge device hosted on AWS, followed by attempts to capture data traversing the network in a bid to steal credentials and reuse those credentials against victim organizations’ other services and infrastructure to maintain access, according to Amazon.

Moses insists the compromise of network edge devices hosted on AWS is not due to a weakness in its infrastructure, but rather improper device setup from customers. Attackers associated with Russia’s GRU have targeted enterprise routers and routing infrastructure, virtual private networks for large organizations, remote-access gateways and network-management appliances.
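The article attributes the intrusions to improperly set up edge devices on AWS but does not say which misconfiguration was involved. The following is an added example, not code from the article or from Amazon, of one defensive check a customer can run against that class of problem: it audits security-group inbound rules for device-management ports reachable from any address. The management port list is an assumption, and the sample groups are constructed in the shape returned by boto3's `ec2.describe_security_groups()` so the same function can be pointed at live data.

```python
"""Audit AWS security-group rules for management ports exposed to the internet.

Added example (not from the CyberScoop article or Amazon's report). The article
says the intrusions began with misconfigured customer edge devices on AWS but
does not name the misconfiguration; this check assumes one common class of it:
management interfaces (SSH, HTTPS admin UI, SNMP, ...) reachable from any
address. The sample security groups below are constructed in the shape that
boto3's ec2.describe_security_groups() returns ("SecurityGroups" entries).
"""
from ipaddress import ip_network

# Ports commonly used for device administration (assumption; tune per fleet).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 443: "https-admin",
                    830: "netconf", 8443: "https-admin-alt"}

def _rule_covers_port(rule, port):
    """True if an IpPermissions entry includes `port` (protocol -1 means all)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def _is_world_open(cidr):
    """Treat 0.0.0.0/0, ::/0 and any IPv4 range wider than /8 as internet-open."""
    net = ip_network(cidr, strict=False)
    return net.prefixlen == 0 or (net.version == 4 and net.prefixlen < 8)

def find_exposed_management_ports(security_groups):
    """Return sorted (group_id, port, service, cidr) tuples for risky inbound rules."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in ranges:
                if not _is_world_open(cidr):
                    continue
                for port, service in MANAGEMENT_PORTS.items():
                    if _rule_covers_port(rule, port):
                        findings.append((sg["GroupId"], port, service, cidr))
    return sorted(set(findings))

# Constructed sample: one tightly scoped group, one exposing SSH and an admin UI.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0edge-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0edge-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for group, port, service, cidr in find_exposed_management_ports(SAMPLE_GROUPS):
        print(f"{group}: {service} (tcp/{port}) open to {cidr}")
```

The wide-port-range rule (8000-9000 over IPv6) is included deliberately: a port range that happens to cover an admin port is easy to miss when reviewing rules by eye, which is why the check expands every management port against each rule rather than looking for exact port matches.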

The campaign initially relied on vulnerability exploitation from 2021 to 2024, including CVE-2022-26318 affecting WatchGuard, CVE-2021-26084 and CVE-2023-22518 affecting Confluence and CVE-2023-27532 affecting Veeam, researchers said.

Yet, targeting shifted to misconfigured network edge devices this year, which allowed attackers to achieve the same strategic goals at a lower cost. 

“While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation,” Moses said in the blog post. “The actor accomplishes this while significantly reducing the risk of exposing their operations through more detectable vulnerability exploitation activity.”

Sandworm is one of the most notorious state-sponsored threat groups of the past decade. The group primarily targets government, defense, transportation, energy, media and civil society organizations in Russia’s near abroad. It has repeatedly targeted Western electoral systems and institutions, including in NATO member countries. On three separate occasions, the group has succeeded in using a cyberattack to disrupt electricity distribution in Ukraine.

The post Amazon warns that Russia’s Sandworm has shifted its tactics appeared first on CyberScoop.

The slow rise of SBOMs meets the rapid advance of AI

By: Greg Otto
24 November 2025 at 06:00

Open-source components power nearly all modern software, but they’re often buried deep in massive codebases—hiding severe vulnerabilities. For years, software bills of materials (SBOMs) have been the security community’s key tool to shine a light on these hidden risks. Yet, despite government advancements in the US and Europe, SBOM adoption in the private sector remains sluggish. Now, some experts warn that the rapid rise of AI-assisted coding could soon eclipse the push to make software supply chains more transparent.

“I’m a strong, strong supporter of SBOM, and yet we have this emerging thing that’s happening that fundamentally undermines everything that we’ve been working towards,” Sounil Yu, chief AI officer of Knostic, told CyberScoop. “It is not a far-away future where we should expect to see a near infinite number of varieties of [CVE-free software packages] that AI coding systems are going to generate.”

Yu’s optimistic vision, while shared by some, is roundly rejected by many veteran SBOM and software security experts, who say there will likely never be a day when AI can produce vulnerability-free software. 

“People are imagining a future where there are no open-source dependencies or there are no reused dependencies, and therefore there’s nothing to put in an SBOM because every piece of the code is bespoke,” Brian Fox, the co-founder and CTO of Sonatype, told CyberScoop. “I think that’s kind of insane.”

Where SBOM policy stands

Developed under an executive order issued by President Joe Biden, the National Telecommunications and Information Administration (NTIA) released the US government’s first official SBOM document, The Minimum Elements For a Software Bill of Materials (SBOM), in July 2021. That foundational effort was subsequently transferred to the Cybersecurity and Infrastructure Security Agency (CISA).

According to Allan Friedman, who is widely considered the “father” of SBOM and spearheaded that document’s creation, Biden’s order was also clearly intended for SBOMs to be mandated for federal government suppliers under the FAR [Federal Acquisition Regulation], which could have created a transparency floor for all software providers looking to sell into the federal government.

However, neither the National Institute of Standards and Technology (NIST) nor the Office of Management and Budget (OMB) fully spelled out what that requirement would look like, and the hoped-for FAR requirement ended up merely as part of a required software attestation form, according to Friedman, who is now a senior technical adviser at the Institute for Security and Technology (IST).

Two recent developments at CISA have fostered hopes for more widespread and robust SBOMs. On Aug. 22, the agency opened a public comment period for an SBOM guide that aims to update the NTIA document to reflect evolving SBOM practices.

On Sept. 3, CISA, in collaboration with NSA and 19 international partners, released joint guidance outlining the “growing international consensus” for what an SBOM should look like. Participants called the guidance “a significant step forward in strengthening software supply chain transparency and security worldwide.”

As promising as some may find these developments, some experts believe they represent the last vestiges of the Biden administration’s work. Former CISA employee Josh Corman, now an executive in residence for public safety and resilience at IST, told CyberScoop that the minimum elements update and the international framework were actions akin to “the body continuing to move without its head just because of prior commitments to the [Biden] White House.” 

While SBOM work has stalled under the Trump administration, other experts believe there is more to come from CISA. “[CISA official] Nick Andersen and [CISA director nominee] Sean Plankey are both supporters of these initiatives,” NetRise co-founder and CEO Tom Pace told CyberScoop. He added, “I know that directly. I also know that we have multiple contracts with the federal civilian agencies, including CISA, that are moving forward for SBOM.”

CISA insists that it has not slowed its work on SBOM and that its efforts have, in fact, increased.

“We are actively involved in several SBOM-related initiatives, including the G7 Cybersecurity Working Group’s Software Bill of Materials for Artificial Intelligence and the review of nearly 100 public comments on our draft SBOM Minimum Elements,” CISA Director of Public Affairs Marci McCarthy told CyberScoop in a statement. “The recently released Shared Vision of SBOM highlights and reinforces our operational collaboration in action with both international and domestic partners to advance the use of SBOMs.”

Aside from CISA’s actions, other developments at the federal level promise to further advance SBOM. The Consolidated Appropriations Act of 2023 amended the Food, Drug, and Cosmetic Act to mandate SBOMs as part of premarket submissions for healthcare devices at the FDA. In 2023, the Pentagon issued guidance that contains recommendations for SBOM management as part of the military’s supply chain risk management strategy.

On the international level, the EU parliament adopted the Cyber Resilience Act (CRA) in March 2024, which will require all manufacturers and distributors of digital products to share a top-level SBOM with market surveillance authorities as part of the technical documentation provided. The legislation calls for these requirements to take effect in December 2027.

Private sector barriers to SBOM adoption

Even with these advancements, most software providers still don’t provide SBOMs, and most organizations don’t demand them from their suppliers. Black Duck’s latest annual analysis found that 86% of commercial codebases contain open-source vulnerabilities, with 81% carrying high- or critical-risk flaws. Meanwhile, 95% of websites continue running outdated software with known issues.

“Surveys are showing that only 30% of people are doing anything about this,” Sonatype’s Fox said. “And that’s largely because it’s optional.”

Corman thinks most organizations find transparency “existentially terrifying.” 

“They have license risks where they’re violating terms and conditions of open-source licenses that can be exposed in lawsuits, and they’re not prone to out themselves voluntarily,” he said. 

Along the same lines, Steve Springett, chair of the CycloneDX Core Working Group and board vice chair of the OWASP Foundation, told CyberScoop that many organizations fear the legal ramifications of disclosing flaws in their software. “The legal departments in a lot of organizations really don’t want them to unnecessarily disclose more information than what is required for normal business activities.”

Nilesh Jain, co-founder and CEO of cybersecurity startup CleanStart, told CyberScoop, “Most companies that we interact with are still trying to figure out the best way to start generating SBOMs. Some of the largest enterprises and banks and financing institutions still don’t use it.”

Cyber vulnerability expert Art Manion points to the so-called “naming problem,” where there are so many versions of software out there that span multiple years, which are tracked using numerous forms of syntax, that it becomes overwhelming to account for this multiplicity in an SBOM framework. 

“Fundamentally, we really are still blocked by not uniformly calling software the same things,” Manion told CyberScoop. “No single source can spend enough time or money or be fast enough to collect and name all the software and keep track of it.”

Friedman, however, thinks this naming problem can be solved “with a little bit of intelligence on the pattern-matching side of things. Instead of trying to build a tool that matches exact string to exact string, we can do some fuzzy matching with a little bit of data science,” he said.
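To make the naming problem and Friedman’s proposed remedy concrete, here is an added example that is not from the article or from any organisation quoted in it. It parses a small constructed CycloneDX-style JSON SBOM and matches its components against a constructed advisory list, first with exact string comparison (which finds nothing) and then with name normalisation plus fuzzy matching via Python’s `difflib`. The package names, versions, purls and advisory IDs are invented placeholders; the vendor-token list is an assumption.

```python
"""Match SBOM components to advisories despite inconsistent naming.

Added example (not from the CyberScoop article or any organisation quoted in
it). It parses a small constructed CycloneDX-style JSON SBOM and matches its
components against a constructed advisory list using name normalisation plus
fuzzy matching, the approach Friedman describes, instead of exact string
equality. Package names, versions and advisory IDs are invented placeholders.
"""
import json
import re
from difflib import SequenceMatcher

# Constructed CycloneDX 1.5-style SBOM: three components, one carrying a purl.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "Example Corp LogLib", "version": "2.14.1",
     "purl": "pkg:maven/com.example.logging/loglib-core@2.14.1"},
    {"type": "library", "name": "Widget-Kit.js", "version": "4.17.20"},
    {"type": "library", "name": "libfoo", "version": "1.0.0"}
  ]
}"""

# Constructed advisories whose names deliberately differ from the SBOM spellings.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "loglib-core", "affected_below": "2.15.0"},
    {"id": "EXAMPLE-ADV-0002", "name": "widgetkit-js", "affected_below": "4.17.21"},
]

# Vendor/organisation tokens that carry no package identity (assumption; extend per data set).
VENDOR_TOKENS = {"example", "corp", "inc", "org", "com", "apache"}

def normalize(name):
    """'Example Corp LogLib' -> 'loglib', 'Widget-Kit.js' -> 'widgetkit'."""
    n = re.sub(r"\.(js|py|rb)$", "", name.lower())
    tokens = [t for t in re.split(r"[^a-z0-9]+", n) if t and t not in VENDOR_TOKENS]
    return "".join(tokens)

def purl_name(purl):
    """Package name from a purl: 'pkg:maven/com.example.logging/loglib-core@2.14.1' -> 'loglib-core'."""
    return purl.split("@", 1)[0].rsplit("/", 1)[-1]

def version_tuple(v):
    """'4.17.20' -> (4, 17, 20) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def similarity(a, b):
    """Ratio in [0, 1] from difflib; 1.0 means identical after normalisation."""
    return SequenceMatcher(None, a, b).ratio()

def exact_match(sbom_json, advisories):
    """Baseline exact-string matching: finds nothing in this sample."""
    by_name = {a["name"]: a["id"] for a in advisories}
    return [(c["name"], c["version"], by_name[c["name"]])
            for c in json.loads(sbom_json)["components"] if c["name"] in by_name]

def fuzzy_match(sbom_json, advisories, threshold=0.8):
    """Return [(component name, version, advisory id)] for likely affected components."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        candidates = {normalize(comp["name"])}
        if "purl" in comp:                      # a purl is the most reliable name when present
            candidates.add(normalize(purl_name(comp["purl"])))
        for adv in advisories:
            score = max(similarity(c, normalize(adv["name"])) for c in candidates)
            vulnerable = version_tuple(comp["version"]) < version_tuple(adv["affected_below"])
            if score >= threshold and vulnerable:
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits

if __name__ == "__main__":
    print("exact:", exact_match(SBOM_JSON, ADVISORIES))
    print("fuzzy:", fuzzy_match(SBOM_JSON, ADVISORIES))
```

Two design points matter in practice. A purl, when the SBOM supplies one, is a far better matching key than a display name, so it is tried first; and the similarity threshold trades false negatives for false positives, so matches below 1.0 (here `widgetkit` against `widgetkit-js`, scoring 0.9) should be surfaced for human review rather than silently accepted.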

Will generative AI eliminate the need for SBOMs?

While progress on SBOM is slow, there is a simultaneous surge in the adoption and hype cycle of AI-based coding assistants. Some experts believe these tools will reduce or even eliminate software vulnerabilities.

“I’ve created code myself where I’ve instructed my AI coding assistant to go build me some software and not use any software dependencies whatsoever,” Knostic’s Yu told CyberScoop, suggesting that avoiding dependencies can also help prevent vulnerabilities found in those libraries from being included in new software. “You can reference the entirety of open source as a template for what to build, but do not actually use any open-source libraries.”

CycloneDX’s Springett agrees with Yu. “It can be done,” he told CyberScoop. “It’s just not being done today, but it can be done. I’ve seen it being done. In the short term, AI is going to propel the number of first-party vulnerabilities that we create. But in the longer term, AI will be a good peer code reviewer and code author, and will always be on the lookout for insecure code and suggest safer alternatives to developers.”

Opinions on whether AI can create vulnerability-free systems are sharply divided. “It’s absolutely not possible,” Manion said. “I have seen no evidence that AI is going to write secure software.”

“That’s basically saying everything we’ve learned in software engineering over the last 60-plus years is just tossed out the window, and none of those things matter,” Sonatype’s Fox said. “If you want to recreate the wheel and make all the same mistakes, good luck, man.”

“I don’t think it’s possible,” Biswajit De, co-founder and CTO of CleanStart, told CyberScoop. “It is physically impossible to give everything in your prompts to create vulnerability-free code.”

Friedman is skeptical as well. 

“I have a hard time imagining any tool that is trained in the JavaScript or the node package management system, which is heavily reliant on thousands of dependencies, just then turning around and saying, ‘Well, we can write code without dependencies,’ or if they are writing code, it will use those dependencies in practice,” he told CyberScoop. 

He added, “AI-generated code will get better. Anyone who looks at what is being produced today will say, ‘Oh, that’s impressive.’ But large code bases tend to get unwieldy very quickly. You can use AI to try to find and detect vulnerabilities as you write them, but people do that today. There’s nothing magic about AI compared to today’s tools or the future tools.”

The post The slow rise of SBOMs meets the rapid advance of AI appeared first on CyberScoop.

What’s left to worry (and not worry) about in the F5 breach aftermath

10 November 2025 at 16:20

Researchers aren’t very concerned about the dozens of undisclosed F5 vulnerabilities a nation-state attacker stole during a prolonged attack on F5’s internal systems. Yet, the heist of sensitive intelligence from a widely used vendor’s internal network resembles previous espionage-driven attacks that could pose long-term consequences downstream.

F5, which became aware of the attack Aug. 9 and disclosed Oct. 15, said “a highly sophisticated nation-state threat actor” stole segments of BIG-IP source code and details on 44 vulnerabilities the company was addressing internally at the time. 

F5 maintains it’s not aware of any undisclosed or remote code vulnerabilities, nor is it aware of active exploitation of any vulnerabilities accessed during the attack.

“I don’t want to jinx myself here, but I’m not terribly concerned about any of these as is,” Caitlin Condon, vice president of research at VulnCheck, told CyberScoop. “We may see exploitation of one of the medium vulnerabilities, for instance, in a chain or from an adversary who got credentials or access some other way, but I’m not super concerned about mass exploitation of any of these, especially remotely.”

Himaja Motheram, security researcher at Censys, agrees with that assessment, adding that none of the undisclosed vulnerabilities accessed during the attack are critical, necessitating an immediate emergency response.

The researchers noted that most of the F5 defects, especially those marked as high-severity, are denial-of-service vulnerabilities. More broadly, the majority of the vulnerabilities affect protocols, which are not easy to reach without internal system access. 

Flashpoint analysts identified four vulnerabilities with CVSS ratings of 8.5 as the most potentially impactful, including CVE-2025-59483, CVE-2025-61958, CVE-2025-59481 and CVE-2025-59868. All four of the defects require authentication, so an attacker would need an existing foothold to achieve exploitation.

External risk assessments would benefit from additional information, including details about potential proof-of-concept exploit code or methods that could allow attackers to evade detection, particularly if that information was also stolen from F5’s systems, Condon said. 

F5 said indicators of compromise and a general threat hunting guide prepared by CrowdStrike are available to customers upon request.

Nearly a month after F5 first reported the attack, fallout appears to be contained but concerns linger, in part, because of the significant role the vendor plays across enterprise and government. 

“In general, F5 systems are business critical — they do get targeted by attackers, and F5 hasn’t had a major critical vulnerability that got hit really hard in a while,” Condon said. “They do a good job of keeping up with vulnerabilities” and maintain a “very robust vulnerability disclosure and response program.”

Source code theft could cause more problems

Customers and defenders might be relatively unconcerned about the undisclosed vulnerabilities the nation-state attacker nabbed, but theft of BIG-IP source code could create substantially more serious problems. 

The source code theft is most concerning because attackers can comb through it to identify or develop zero-day exploits, Motheram said. 

“This aspect of the breach is a longer term and more significant supply chain risk that we might only understand the consequences of further down the line,” she added. “Proactively securing the most publicly discoverable assets will be important.”

Authorities described the attack’s potential impact in similar terms, framing it as part of a broader campaign targeting key elements of technology supply chains. Cyber espionage attacks on vendors extend the potential downstream effect to federal agencies, critical infrastructure providers and government officials, Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said during a media briefing last month.

Nation-state attackers primarily seek to maintain persistent access within the targeted victim’s network to hold those systems hostage, launch a future attack, or gather sensitive information, Andersen said.

Threat groups can weaponize source code in many ways, but at a high level it also helps them understand how a particular piece of software is built and how it works, according to Condon.

“This wasn’t a smash-and-grab type attack. I don’t think we necessarily know what their motivation is in doing that, but certainly having access to the source code would help them develop attacks better,” Condon added.

F5 said it’s continuing to work with NCC Group and IOActive to investigate potential misuse of the stolen BIG-IP source code, but insists it hasn’t found anything of concern thus far.

“We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines,” Christopher Burger, chief information security officer at F5, said in a blog post.

Persistent, deep-rooted attacks on vendors’ systems are a long play with consequences often lasting years. This makes it a challenge to know what customers should worry about, and requires some imagination to fully grasp the repercussions. 

“At this stage we don’t know how the F5 breach will pan out or stack up to prior incidents,” Motheram said. “It’s not paranoid to anticipate that the stolen code will be leveraged in some sort of strategic exploitation that we must proactively monitor for.”

The post What’s left to worry (and not worry) about in the F5 breach aftermath appeared first on CyberScoop.
