Open Source Maintainers Under Attack
There are folks who say that open source is safer than commercial software because, well, it is open source. Their theory is that since, technically, anyone can look at the source (ignoring the fact that you would need to be a trained programmer in whatever language that software is written in and have the time to spend reviewing tens of thousands of lines of code), it is inherently safer.
The reality is that most open source software projects are maintained, if at all, by a few volunteers who do it as a side job.
This last fact has not escaped the Chinese and they recently tried to take advantage of it to the detriment of the entire open source community.
Part One:
XZ utils is a data compression utility in nearly all Linux distributions. A hacker embedded a backdoor in the XZ library named liblzma. If this software had been successfully deployed then hackers who knew about it would have gained complete access to any affected system.
Interestingly, XZ Utils was considered a trusted and scrutinized project. In the end, it was scrutinized and that was the only thing that saved the Linux open source community.
XZ Util is a program to compress and decompress data in Linux and Unix systems. A Microsoft developer, Andres Freund, found the backdoor and pushed the panic button. Microsoft, as you probably know, is kind of the opposite of open source, but they actually are pretty open source friendly.
The backdoor has a CVSS score of 10 out of 10.
According to staff researcher Scott Caveza at security firm Tenable:
“Had this malicious code been introduced to stable OS releases in multiple Linux distributions, we could have seen in-the-wild exploitation en-masse,” says Scott Caveza, staff research engineer at Tenable. “The longer this went unnoticed, the greater the potential for more malicious code from whomever this malicious actor might be.”
https://www.darkreading.com/cyber-risk/xz-utils-backdoor-implanted-in-intricate-multi-year-supply-chain-attack
What happened is that over the last several years Jia Tan and a couple of other people gained the trust of the XZ community so that they could, eventually, commit changes to the code. They implemented small pieces of the eventual backdoor over multiple years until they added the last piece in February. That is when the Microsoft developer got concerned and discovered the thread of code that had been added over those years.
The community thought that Tan wanted to help. That is true. WHO he wanted to help was the Chinese government. Credit: Dark Reading
Part two.
Now, major open-source projects are warning that attempts to insert malicious code throughout the entire open-source ecosystem could be a major problem.
After all, hackers now have a roadmap for how to do that and it really is not that technically difficult.
It was just due to a bit of luck that the hackers in this case were caught.
The OpenJS Foundation, which promotes and hosts 35 critical JavaScript projects was targeted in a similar attack. OpenJS did not fall for the scam but they say that this particular attack was not the first one that they have repelled.
The only thing that is stopping this from becoming a total disaster for the open source community is that most hackers don’t have the patience to launch this type of attack.
The bad news is that the playbook is very simple and very public.
State sponsored actors DO have the patience to launch such an attack. Whether they are from China, Russia, Iran, North Korea or another adversary, they all have the patience to do this. Now that the roadmap is public, expect more of this.
While the MAJOR open source projects are now on high alert, the smaller open source projects are more challenged. Many of them have only one or two people who maintain the software and no one is looking at what gets promoted into production.
That means that you need to come up with a plan. If you need help with this, please contact us.
Credit: Data Breach Today