Survey: Federal Contractors Unaware Of Secure Software Attestation Deadline


Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs.

This week: Many organizations will miss the deadline for CISA’s Secure Software Attestation Form. Also: The New York Times’ internal source code and data were stolen using an exposed GitHub token.

This Week’s Top Story

Federal contractors run the risk of missing the deadline for Secure Software Development Attestation

June 11, 2024 marked the deadline for software producers in critical infrastructure sectors to complete the mandated Secure Software Development Attestation Form. However, a study conducted by the software security firm Lineaje found that many contractors missed this deadline. The deadline comes on the heels of several colossal cybersecurity breaches tied to vulnerable software and supply chains. Those include the 2020 supply chain attack on the SolarWinds Orion software, the 2023 attack on VoIP provider 3CX, and more recent campaigns targeting government agencies and private firms using Microsoft software and services, as well as VPN devices sold by the firm Ivanti.

The Secure Software Development Attestation Form was created in response to the Office of Management and Budget’s M-22-18, published in September 2022, which requires federal agencies to comply with NIST guidance on software supply chain security. The form is a mandate meant to ensure that federal government agencies are only using safe and secure third-party software. The effort is being managed by the Cybersecurity and Infrastructure Security Agency (CISA), with the forms available in PDF format and through an online portal.

[Read: Self Attestation on Software Security: What Development Teams Need to Know]

Despite the accessibility of the forms, however, the vast majority of software producers have yet to fill them out, according to a survey conducted by the firm Lineaje of attendees at the RSA Security Conference in San Francisco in May. Lineaje's survey of more than 100 security professionals found that just 20% of companies impacted by CISA's Secure Software Development Attestation Form were prepared to meet the compliance deadline of June 11, 2024.

Explanations for the lack of industry compliance vary. Some companies lack the tools, budget, and resources required to implement the steps that the form calls for. Another factor is that many contractors dealing with critical infrastructure may not have been aware of EO 14028 and the form. This “unaware” group made up 65% of Lineaje’s respondents. Meanwhile, of the minority of respondents who were aware of the form, only about half understood the form’s actual requirements.

Security experts have expressed concerns that the attestation form does not go far enough to vet secure software practices. For example, there is no mandate for companies to produce a software bill of materials (SBOM) for the software they sell to the government - a critical source of information that amounts to a software “ingredients list.” Also, the mandate contains language that can be left up to interpretation, including phrases such as “good faith effort” used to describe actions vendors should take to comply. Ultimately, this lack of clarity and specifics results in a form that could miss major software supply chain security risks.

The next measure of compliance will come in September. The Federal Government is asking that forms for non-critical infrastructure contractors be submitted to CISA by September 11, 2024.

For information on the form itself and its potential drawbacks for software supply chain security, read this RL blog post: How CISA’s secure software development attestation form falls short.

(Dark Reading, Business Wire)

This Week’s Headlines

New York Times’ source code stolen using exposed GitHub token

On June 6th, users of 4chan, an online bulletin board, were greeted by the vast majority of the New York Times’ (NYT) source code: nearly 270GB, or in other words, 3.6 million files. The threat actor’s notes in a ‘readme’ file suggest that they leveraged an exposed GitHub token to steal the data. The NYT statement seems to confirm this attack vector: “The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform [GitHub] was inadvertently made available.” They stated that response measures were quickly taken and the breach did not disrupt the organization. The statement did not contain information on whether consumers’ data could be at risk, nor how the token was ‘inadvertently made available.’ (Bleeping Computer)
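The root cause reported above is a credential that was "inadvertently made available". The defensive control for that failure mode is a secret scan that runs before a commit or a publish step can leave the organization. The following Python is an added example written for this newsletter item; it is not code from the NYT, GitHub, or ReversingLabs. It assumes the publicly documented GitHub token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`); the exact body lengths are an assumption, so the patterns accept a range rather than one fixed size. The sample file content is constructed.

```python
"""Detect GitHub-style tokens in text before it is committed or published.

Added example (not from the original article). Token shapes below are an
assumption based on GitHub's public prefixes; lengths are approximate.
"""
import re
from typing import List, NamedTuple

GITHUB_TOKEN_PATTERNS = {
    # classic PAT (ghp_), OAuth (gho_), user-to-server (ghu_),
    # server-to-server (ghs_) and refresh (ghr_) tokens; body length assumed
    "github_prefixed_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,255}\b"),
    # fine-grained PAT: github_pat_<22 chars>_<59 chars> (assumed layout)
    "github_fine_grained_pat": re.compile(
        r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"
    ),
}


class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str


def redact(token: str) -> str:
    """Keep only enough of the token to identify it in a report, never the secret."""
    return f"{token[:8]}...{token[-4:]}"


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per token-shaped string, with line number and kind."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in GITHUB_TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, kind, redact(match.group(0))))
    return findings


def commit_is_clean(text: str) -> bool:
    """Gate for a pre-commit hook or CI step: any finding fails the check."""
    return not scan_text(text)


# Constructed sample: a .env-style file with two fake tokens and harmless lines.
FAKE_CLASSIC = "ghp_" + "0123456789abcdefghijklmnopqrstuvwxyz"  # 36 chars after prefix
FAKE_FINE_GRAINED = "github_pat_" + "A" * 22 + "_" + "B" * 59
SAMPLE_FILE = "\n".join([
    "DB_HOST=localhost",
    f"GITHUB_TOKEN={FAKE_CLASSIC}",
    "# ghp_short is not a token and must not match",
    f"export GH_PAT={FAKE_FINE_GRAINED}",
])

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE):
        print(f"line {finding.line_no}: {finding.kind} {finding.redacted}")
    print("clean" if commit_is_clean(SAMPLE_FILE) else "BLOCKED: secrets found")
```

Wired into a pre-commit hook or a CI job, `commit_is_clean` blocks the push rather than relying on anyone noticing a leaked credential months later; the redacted output is safe to put in build logs, which is the point of never echoing the full match.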

Netgear WNR614 flaws allow device takeover, no fix available

Netgear WNR614, a popular router among home users and small businesses, has six vulnerabilities ranging from authentication bypass to storing passwords in plain text and Wi-Fi Protected Setup (WPS) PIN exposure (CVE-2024-36787, CVE-2024-36788, CVE-2024-36789, CVE-2024-36790, CVE-2024-36792, CVE-2024-36795). This specific Netgear device has reached end-of-life (EoL), meaning it is no longer supported by the company. Thus, the company is not required to patch these vulnerabilities, leaving users exposed. There are mitigations that can be taken, however, and users should take this as a sign to replace their device with a newer model that is more secure and will receive patches should vulnerabilities arise. End-of-life software has been at the root of a number of recent attacks, including nation-state campaigns linked to the Chinese APT Volt Typhoon that targeted SOHO routers. Check out our ConversingLabs Podcast conversation with Danny Adamitis of Lumen Technologies for more on that. (Bleeping Computer)

ComfyUI Users Targeted by Malicious Custom Node

Researchers working for VPNMentor said they discovered a malicious custom node on ComfyUI, a web app and Stable Diffusion interface. The malicious node, named ComfyUI_LLMVISION, was posted to a subreddit by the account u/AppleBotzz and was designed to steal sensitive data like passwords and credit card details, transmitting them to a Discord server. The code first came to light after another Reddit user, u/_roblaughter_, reported that they fell victim to the attack after installing the compromised node, receiving a wave of unauthorized login attempts on their personal accounts. According to VPNMentor, the malicious code was hidden within custom install files for OpenAI and Anthropic libraries, posing detection difficulties even for experienced users. The incident underscores the need for heightened vigilance in the AI community, especially with the rapid evolution and open-source nature of many tools. (VPNMentor.com)

NVIDIA and Arm urge customers to patch bugs

Both NVIDIA and Arm have announced that they have released patches for various vulnerabilities in their products. On Arm’s end, there was a zero-day vulnerability in its Mali GPU Kernel Driver (Bifrost and Valhall drivers specifically, from r34p0 to r40p0) that allowed a local non-privileged user to leverage GPU memory processing operations to gain access to freed memory (CVE-2024-4610). The exploit is active and the manufacturer reported in-the-wild incidents. Arm is urging users to update the product as a result. NVIDIA also faced vulnerabilities within its GPU Display Driver and vGPU software products. The vulnerability CVE-2024-0090 is the most serious due to its versatility; however, NVIDIA believes it unlikely to be leveraged remotely. It is still best to patch them, regardless. (InfoSecurity Magazine)

Lessons from the Ticketmaster-Snowflake Breach

Last week, Ticketmaster was added to the Snowflake breach victim list, with 1.3TB of data stolen, worth an estimated $500,000. An article from The Hacker News dives into the lessons that the cybersecurity industry can learn from this kind of multifaceted breach. One of these lessons is the importance of employers requiring the use of multi-factor authentication (MFA). Security teams are also urged not to overlook their non-human elements, such as robotic process automation (RPA), as they need to be protected and secured just as well as any other tool and system. (The Hacker News)

Why SaaS security is suddenly hot: Racing to defend and comply

In light of an increase in cyberattacks via the software supply chain, the financial sector is tightening regulations on security measures. These new regulations focus on the entire CI/CD pipeline. The regulations impact the beginning of the process by focusing on Software-as-a-Service (SaaS), with a third-party risk lifecycle that begins with SaaS service discovery and third-party risk management (TPRM). It continues to the end of the CI/CD pipeline - and the onward life of the software - requiring CISOs to report incidents in their supply chain within 72 hours. A similar regulation is the NY-DFS, which includes compliance steps that cover SaaS supply chain discovery, risk management (TPRM), policy enforcement, configuration management, attack surface reduction, and risk detection and response. Other sectors are expected to follow in the footsteps of finance and its frameworks, since many do not yet have an adequate regulatory framework for SaaS security. (The Hacker News)

The cybersecurity gaps opened by engaging with supply chains

Significant vulnerabilities can arise from interactions with software supply chains. A study by SecurityScorecard revealed that 97% of large companies in the U.K. have experienced breaches in their third-party ecosystems, with 12% of companies experiencing a direct security breach over the past year. In addition, a recent BlackBerry study revealed that 74% of software supply chains experienced cyberattacks over the last year, with 68% of businesses discovering unmonitored participants within their supply chains. Enterprises in the U.K. reported substantial impacts from these attacks, including financial loss (62%), data loss (59%), reputation damage (57%), and operational disruptions (55%). The findings suggest that supply chains introduce an additional layer of vulnerability: when you deal with multiple vendors, or your software is produced by many developers, securing your own systems alone is not sufficient to ensure safety for your organization. (Cyber Magazine)

Resource Roundup

Webinar | Managing Your Commercial Software Risks

Discover the hidden dangers lurking in commercial software and learn how to effectively identify and mitigate them in this webinar, happening live on June 25th from 1pm-2pm ET. It will delve into the shortcomings of current risk assessment methods and explore essential strategies for safeguarding your business against malware and other threats within your software supply chain. [Register Here]

White Paper | Assess & Manage Commercial Software Risk

In this white paper, learn how new regulations are targeting software supply chain security, why SBOMs and other solutions fall short of full coverage, how to identify risks before deployment, and how to ensure ongoing tracking and monitoring of commercial software. Know when your software is malware. [Download Now]

On Demand | 2024 DBIR & Software Supply Chain Risk: A Conversation With Verizon

ReversingLabs, a contributor to Verizon’s 2024 DBIR report, dug into key takeaways and insights with the report’s co-author Philippe Langlois. Discover the intricacies of data breaches tied to software supply chain weaknesses, how malicious actors eyeing sensitive data are shifting their tactics, and more. [Watch here]

Stay informed with #ChainMail newsletter.
