
Vesta web control panel is most recent example of software supply chain challenges

NOTE: While this issue is based on open source software, it highlights the overall software supply chain issue.  The issue has gotten so risky that the government has issued alerts and the Department of Defense has created an entire program to deal with it.

Alert on Vesta Control Panel Hack

As I have said before, hackers have figured out that open source software is no more secure than commercial software, and even if people technically have the ability to review open source code, almost no one has the time or skill to do that. In fact, users take on additional responsibility when they use open source software, because there is no “vendor” to blame.

That doesn’t mean that you should not use open source software, it just means that you need to understand and either accept or mitigate the risk.

In this case, Vesta is a control panel for web site owners and may be provided by your ISP as part of your web hosting package.

Hackers apparently infiltrated the Vesta infrastructure (I don’t completely understand how this works;  traditional open source software doesn’t have a company and therefore doesn’t have infrastructure, but in this case there is both with at least one server) and inserted a tiny bit of code that captured every admin password and IP address along with doing other damage such as launching Denial of Service attacks on other web sites.

The attack started in May of this year and continued until October – about six months – and was discovered because of the high bandwidth use of the Denial of Service attack component of the software.

Vesta did announce that there is a new uninfected version available on their forum, but whether the average user understands that it is their problem to look for patches is less clear.

There is software that can help users discover public vulnerabilities (CVEs) in open source software packages and patch them, but many companies do not run such software.

Two takeaways –

  1. Open source software is under attack, and many commercial products incorporate open source components, so they are not immune either.
  2. Managing software supply chain risk can no longer be ignored and must be part of the secure software development lifecycle (SSDL) process.

So what should you do?

All companies need to create a vendor cyber risk management program to help manage the risk associated with vendor-provided software. Note that for open source software there often is no “vendor”, so the responsibility is entirely yours.

For companies that develop software, you need to implement a secure software development lifecycle (SSDL) program to make sure that the software you incorporate into your solution (like Vesta) is secure, and that you can track those components and update them when needed.

For companies that integrate software, you probably need to do a combination of both.

Sorry, no easy answers.


Information for this post came from HackRead.