Did GoTo Breach Hit Development?
ReversingLabs
Welcome to the first edition of Chainmail: Software Supply Chain Security News by ReversingLabs. Each week, Chainmail will bring you the latest software supply chain security headlines, curated by our team. In our inaugural issue, we're looking at the continued fallout from the breach of GoTo, an IT management firm whose portfolio includes the LastPass password management service.
This Week’s Top Story
After GoTo breach: ‘unusual activity’ spotted in dev environment
The news keeps getting worse for GoTo, the IT management software provider that owns the LastPass password management service. GoTo's CEO revealed in a post on the company's website on Monday that a 2022 breach included the theft of encrypted backups from a third-party cloud backup platform. The company said a subsequent investigation also detected "unusual activity" in its development environment.
The post, by GoTo CEO Paddy Srinivasan, said that stored backups for a range of GoTo's products including Central, Pro, join.me, Hamachi, and RemotelyAnywhere were taken by the attackers. While those were encrypted, Srinivasan disclosed that encryption keys were also stolen for some of those backups. That leaves open the possibility that attackers may have been able to gain access to their contents, which included a range of sensitive information including GoTo account usernames, salted and hashed passwords, as well as Multi-Factor Authentication (MFA) settings and licensing information, he said.
Srinivasan said the subsequent investigation of the breach, which is being led by the security firm Mandiant, has detected "unusual activity within our development environment" as well as in a third-party cloud storage service shared by GoTo and LastPass. Srinivasan did not elaborate on what kind of activity the investigation uncovered.
News Roundup
Here are some other software supply chain security stories we’re paying attention to.
Malicious actors may be using the VSCode marketplace for Microsoft Visual Studio extensions to launch malicious attacks, according to researchers at the firm Aqua Security. The warning follows a report by Aqua highlighting the ease with which malicious Visual Studio modules could be pushed to users through typosquatting and other means. In less than 48 hours, the researchers were able to get more than a thousand installs of a decoy module imitating Prettier, a popular VSCode extension used to format code. (eSecurity Planet)
Yellowfin BI, a maker of enterprise analytics tools, has fixed three authentication bypass bugs stemming from the use of hardcoded keys. The flaws were discovered by security researchers from Assetnote and involved the exploitation of hardcoded keys used to encrypt and decrypt authentication-related data on the platform. The flaws have the following identifiers: CVE-2022-47884, CVE-2022-47885, CVE-2022-47882. (Portswigger)
There was an uproar in September when the security firm Trellix revealed its research on CVE-2007-4559, a directory traversal vulnerability in the Python tarfile module that was first identified in 2007. At the time, Trellix estimated the flaw was still present in over 350,000 open-source projects as well as an unknown number of closed-source projects, including popular frameworks from Netflix, AWS, Intel, Facebook and Google, 15 years after it was discovered. Four months later, there's progress. Trellix said it patched more than 61,000 vulnerable systems in coordination with the open source repository GitHub. That's around 17% of affected systems, so...hooray? (Information Week)
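As an added example (not code from the newsletter, Trellix or the Python project), the check below is the kind of guard projects affected by CVE-2007-4559 had to add: before calling `extractall()`, every member name and link target is resolved against the destination directory and the archive is refused if any of them escapes it. The sample archive is constructed in memory, and the function names are my own.

```python
import io
import os
import tarfile
import tempfile

def unsafe_members(archive, dest):
    """Return names of members that would land outside `dest` when extracted."""
    # tarfile.extractall() trusts member names, so '../' parts, absolute paths and
    # links pointing out of the tree can write anywhere (the CVE-2007-4559 pattern).
    dest_real = os.path.realpath(dest)
    bad = []
    for m in archive.getmembers():
        candidates = [m.name]
        if m.issym():    # symlink target is relative to the link's own directory
            candidates.append(os.path.join(os.path.dirname(m.name), m.linkname))
        elif m.islnk():  # hardlink target is relative to the archive root
            candidates.append(m.linkname)
        for p in candidates:
            resolved = os.path.realpath(os.path.join(dest_real, p))
            if os.path.commonpath([dest_real, resolved]) != dest_real:
                bad.append(m.name)
                break
    return bad

def safe_extract(archive, dest):
    """Extract only if no member escapes `dest`; otherwise refuse the whole archive."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError("refusing to extract, members escape %r: %s" % (dest, bad))
    archive.extractall(dest)

def build_sample_archive():
    """Constructed in-memory sample: one benign member and two traversal members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../escape.txt", "/etc/absolute.txt"):
            info = tarfile.TarInfo(name=name)
            info.size = 7
            tar.addfile(info, io.BytesIO(b"sample\n"))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")

def check_sample():
    """Run the check on the sample in a fresh temp dir: (flagged names, refused?)."""
    dest = tempfile.mkdtemp(prefix="tarcheck_")
    with build_sample_archive() as tar:
        try:
            safe_extract(tar, dest)
            return unsafe_members(tar, dest), False
        except ValueError:
            return unsafe_members(tar, dest), True
```

Newer Python releases add an extraction `filter` argument that performs a similar check; the explicit version above works on the older interpreters where the affected projects were running.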
Over at Sonatype's blog, writer Brian Fox has an interesting series of posts that look at the evolving landscape of software vulnerabilities and software supply chain attacks. The series analyzes how firms manage supply chain risks (or don't!) and the role software organizations have in addressing and mitigating risks associated with the software supply chain. (Sonatype.com)
Software supply chain risk has emerged as a leading concern for private sector firms and government agencies. There is even a legislative effort within the Senate Homeland Security and Governmental Affairs Committee to help secure open-source software. Unpacking this supply chain, and finding methods to estimate and reduce the risk, is a massive problem, however, starting with the fragmented and decentralized nature of software development, Sasha Romanosky argues in an opinion piece over at The Hill. (The Hill)
After the trauma of the Log4j flaw, the Open Source Software Foundation (OpenSSF) set its sights on fixing security problems with the open software supply chain in 2022. That included joining forces with companies including Apache, Google, Apple, and AWS, and meeting at the White House with the U.S. government's executive branch. A year later, there's a lot to show for those efforts, and more to be done, The New Stack reports. (The New Stack)
SOOS, a Vermont-based software security startup, said on Wednesday that it is releasing a free version of its software composition analysis (SCA) tool. The Community Edition of SOOS's SCA tool can scan public GitHub repositories for vulnerabilities. It can also be used to identify upgrade paths for outdated dependencies, understand OSS license usage, and automatically create and maintain software bills of materials (SBOMs) at no cost, the company said. (SOOS.io)