OpenJS Foundation targeted in potential JavaScript project takeover attempt
ReversingLabs
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.
This week: The OpenJS Foundation was targeted in a potential JavaScript project takeover attack. Also: The U.S. Supreme Court's latest ruling suggests changes to the cybersecurity disclosure process.
This Week’s Top Story
OpenJS Foundation targeted in potential JavaScript project takeover attempt
The OpenJS Foundation, a prominent open-source organization, has been targeted in a "credible" takeover attempt that bears similarities to the recent incident involving the XZ Utils project. According to the joint alert from the OpenJS Foundation and the Open Source Security Foundation (OpenSSF), the OpenJS Foundation Cross Project Council received a series of suspicious emails urging them to update one of their popular JavaScript projects to address critical vulnerabilities. The email authors also asked to be designated as new maintainers of the project, despite having little prior involvement. Two other popular JavaScript projects not affiliated with OpenJS also reported similar activity.
Despite these requests, OpenJS did not grant privileged access to any of these individuals, so no data was compromised. This incident mirrors the approach used to target the sole maintainer of XZ Utils, where fictitious personas were created in a social engineering and pressure campaign to make the threat actor Jia Tan a co-maintainer. The names of the JavaScript projects involved have not been disclosed. Notably, Jia Tan's lack of any digital presence beyond code contributions suggests the account was created solely to build credibility within the open-source community over time, with the ultimate aim of introducing a stealthy backdoor into XZ Utils.
There is concern that this OpenJS incident may not be an isolated event, and that a broader campaign is afoot to compromise open-source project security. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) emphasizes the vulnerability of the open-source ecosystem, particularly with regard to maintainer burnout. The agency stresses that technology manufacturers should take responsibility for supporting maintainers, and it advocates periodic source code audits and Secure by Design principles. Such social engineering attacks exploit maintainers' sense of duty, which is why maintainers are urged to be wary of interactions that induce self-doubt or feelings of inadequacy. (The Hacker News)
This Week’s Headlines
U.S. Supreme Court ruling suggests change in cybersecurity disclosure process
A ruling by the U.S. Supreme Court in the case of Macquarie Infrastructure vs. Moab Partners may give enterprises more flexibility in whether or not to report cybersecurity incidents that are not considered "material" under the U.S. Securities and Exchange Commission's (SEC) rules. However, the Court did caution in its ruling that companies must carefully consider these unreported items when crafting their SEC disclosures, because omitting them in a way that makes the reported information misleading or out of context could have serious consequences for the company. While nominally a victory for corporations that are pushing back against new SEC cyber incident disclosure rules, the SCOTUS decision puts CISOs and security leaders on notice that they must be vigilant in public statements about cybersecurity and ensure that such statements are accurate, even if they are not required to report every non-material threat. (CSO)
Understanding CISA’s proposed cyber incident reporting rules
CISA's proposed cyber incident reporting rules under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) aim to create a centralized cyber incident reporting mechanism within the federal government to strengthen U.S. cybersecurity. The new reporting requirements will add to the existing cybersecurity reporting obligations for many organizations, but CISA is committed to minimizing duplication with other reporting requirements. CISA proposes defining a "covered cyber incident" as an occurrence that jeopardizes the integrity, confidentiality, or availability of information on an information system without lawful authority. CIRCIA mandates that entities report covered cyber incidents to CISA within 72 hours, and ransom payments made to cybercriminals within 24 hours. (CSO)
Widely used PuTTY SSH client found vulnerable to key recovery attack
Researchers discovered that PuTTY Secure Shell (SSH) and Telnet client versions 0.68 through 0.80 have a critical vulnerability, identified as CVE-2024-31497, that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys. The flaw, found by researchers at Ruhr University Bochum, lets an attacker who has the public key and only a small number of messages signed with it gather enough data to recover the private key. They could then forge signatures that appear to come from the legitimate key holder, gaining unauthorized access to any server that authenticates with that key. To obtain the signatures, however, the threat actor must first compromise the specific server that the key is used to authenticate to. (The Hacker News)
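As an added defender-side check, not code from the article or from the PuTTY project: the Python below parses authorized_keys lines, reads the key type from inside the base64 blob rather than trusting the text field, and lists the P-521 ECDSA keys that should be rotated if they were ever used from an affected PuTTY build. The sample file, the comments and the all-zero public point are constructed for the demo and are not real keys.

```python
import base64
import binascii
import struct

# Key type whose PuTTY 0.68-0.80 signatures leak the private key (CVE-2024-31497)
VULNERABLE_KEY_TYPE = "ecdsa-sha2-nistp521"

def _ssh_string(data: bytes) -> bytes:
    # RFC 4251 'string': uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data

def _first_ssh_string(blob: bytes) -> bytes:
    # First 'string' of a key blob (the key type); raises on truncation instead of returning junk
    (length,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + length:
        raise ValueError("truncated key blob")
    return blob[4:4 + length]

def parse_authorized_key(line: str):
    # (key_type, comment) for one authorized_keys line, None for blank and '#' lines. The type is
    # taken from inside the base64 blob, not the text field, so a mislabelled line cannot hide P-521.
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields):  # an options field such as from="..." may come first
        try:
            blob = base64.b64decode(field, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(blob) < 4 or not blob.startswith(b"\x00\x00\x00"):  # key-type length is < 256
            continue
        return _first_ssh_string(blob).decode("ascii", "replace"), " ".join(fields[i + 1:])
    raise ValueError("no key blob found in line")

def find_keys_to_rotate(authorized_keys_text: str) -> list:
    # Comments of every P-521 ECDSA key, in file order, so the owners can be told to rotate
    entries = filter(None, map(parse_authorized_key, authorized_keys_text.splitlines()))
    return [comment for key_type, comment in entries if key_type == VULNERABLE_KEY_TYPE]

def _constructed_line(key_type: str, curve: str, comment: str, options: str = "") -> str:
    # Constructed sample line with an all-zero public point: well-formed, but not a real key
    blob = _ssh_string(key_type.encode()) + _ssh_string(curve.encode()) + _ssh_string(b"\x04" + b"\x00" * 132)
    return f"{options + ' ' if options else ''}{key_type} {base64.b64encode(blob).decode()} {comment}"

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    _constructed_line("ecdsa-sha2-nistp521", "nistp521", "alice@putty-0.79"),
    _constructed_line("ecdsa-sha2-nistp256", "nistp256", "bob@laptop"),
    _constructed_line("ecdsa-sha2-nistp521", "nistp521", "deploy@ci", 'from="10.0.0.5",no-pty'),
])
```

Running `find_keys_to_rotate` over a real authorized_keys file gives the list of P-521 keys to replace; the same parser works for known_hosts blobs, which share the wire format.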
Ivanti warns of critical flaws in its Avalanche MDM solution
Ivanti has released security updates to address 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, including two critical heap overflow vulnerabilities that can be exploited for remote command execution (RCE). The two critical flaws, tracked as CVE-2024-24996 and CVE-2024-29204, were found in the WLInfoRailService and WLAvalancheService components of Avalanche. These vulnerabilities allow unauthenticated remote attackers to execute arbitrary commands on vulnerable systems in low-complexity attacks that do not require user interaction. In addition to the two critical flaws, Ivanti also patched 25 medium and high-severity bugs that remote attackers could exploit to trigger denial-of-service conditions, execute arbitrary commands, carry out remote code execution attacks, and read sensitive information from memory. Ivanti has urged customers to download the latest Avalanche 6.4.3 release to address these vulnerabilities, as they affect older versions of the software. (Bleeping Computer)
Delinea fixes flaw, but only after analyst goes public with disclosure first
Delinea, a privileged access management provider, has disclosed and fixed a critical flaw in its Secret Server SOAP API. The vulnerability was first publicly disclosed by researcher Johnny Yu, who claims he had been trying to contact Delinea for weeks to responsibly disclose the flaw, but was told he was ineligible to open a case since he was not affiliated with a paying customer/organization. After Yu's public disclosure, Delinea quickly rolled out an automatic fix for cloud deployments and a download for on-premises Secret Servers. However, Delinea's silence on the issue leaves open questions about who can submit bugs to private companies, under what circumstances they are able to submit, and whether there will be any process changes made to the way Delinea and other companies may manage disclosures in the future. (Dark Reading)
CISA, DHS S&T and OpenSSF announce global launch of software supply chain open source project
CISA, the Department of Homeland Security's (DHS) Science and Technology Directorate (S&T), and the OpenSSF have announced the launch of Protobom, a new open source software supply chain tool. Protobom empowers organizations, system administrators, and software development communities to read, create, and convert Software Bills of Materials (SBOMs) and associated data, as well as bridge the gap between various SBOM formats. This free resource will hopefully become an essential component in fortifying software security and software supply chain risk management. (GlobeNewswire)
Resource Roundup
April 23 | Webinar | Breaking Down NIST CSF 2.0
Join our panel of experts, including NIST's Nakia Grayson, for insights into the key takeaways and changes in CSF 2.0. *Attend live for CPE credit. [Save Your Seat]
April 24 | ConversingLabs Podcast | Is Cybersecurity Ready for the SolarWinds Prosecution?
In this episode, host Paul F. Roberts will chat with Tarah M. Wheeler, CEO of Red Queen Dynamics, about her recent Council on Foreign Relations piece regarding what the U.S. SEC's prosecution of SolarWinds and new disclosure rules mean for the cybersecurity industry at large. [Save Your Seat for the Live Event]
April 26 | Finance & Risk Cybersecurity Summit | Verify Trust in Commercial Software
RL's Director of Product Management, Charlie Jones, will be speaking at the Finance & Risk Cybersecurity Summit. In his session, he will outline key actions that enterprises can take to gain visibility and control over commercial software to secure their supply chains. [Use Code CSS24-REVERSINGLABS for Free Admission]
On Demand | Unraveling XZ: A Software Supply Chain Under Siege
With the recent discovery of the XZ Trojan, enterprises are facing up to the heightened risks of malicious infiltration of their software supply chains. Watch RL software security experts as they shed light on the technical intricacies of the XZ supply chain compromise and its ramifications for software producers and enterprises. [Watch Here]