How open source software is being weaponised

Jing Xie, senior threat intelligence researcher at Venafi, explains why the weaponisation of Open Source Software Libraries (OSSLs) is a rapidly growing threat to businesses.

In the technology world, open source software plays a powerful role. Released under a license that allows users to tweak and distribute applications for any purpose, it promotes open collaboration among technologists and offers a range of advantages.

For starters, adopting open source can provide access to high-quality software that doesn't cost a penny. And users are often surrounded by a community of like-minded users who can support and improve the application. However, there are also advantages when it comes to transparency, flexibility, interoperability and localisation.

Arguably, open source software holds a prized place in the technology ecosystem. But that's not to say there aren't risks, with hackers weaponising open source software libraries (OSSLs) through OSSL trust attacks that target the software supply chain. According to Sonatype, these threats increased by 55% last year.

In one notable example, EventStream - a JavaSciript library used by two million people globally - was infected by malicious code that steals bitcoins from wallets. This software was used by a plethora of Fortune 500 companies and startups. Just how dangerous are such attacks and how can they be mitigated?

A sophisticated threat

Attackers are constantly developing more sophisticated ways to compromise organisations, and it's fair to say OSSl trust attacks are one of them. Jing Xie, senior threat intelligence researcher at Venafi, says their defining characteristic is that the organisation that actually gets breached isn't the intended target.

"Instead, the OSSL host is essentially a Trojan horse, a vehicle that's completely trusted by the open source community that's capable of spreading malware," she tells IDG Connect. "The real danger comes from this trust element. Organisations rely on OSSLs to build their products - 96 percent of applications use open source components to varying degrees. These organisations consider the open source code they find to be completely safe, yet there's every chance the code is more dangerous than they realise."

To date, open source software libraries have been viewed as trustworthy and secure. This is something that cyber criminals are using to their advantage. Xie continues: "If an attacker can modify the code in an OSSL to insert their own malicious code, it can then be picked up and used by the trusting OSSL community, who blindly insert this code into products. This code is then passed down the supply chain to the end user."

The end result, according to Xie, is that organisations could introduce harmful products to their environment without even realising it. "Since OSSLs are relied on so widely, developers tend to trust them without question, having been trained on the assumption that OSSLs are safe. The malicious code is therefore left unchecked, meaning that in effect, the end user is hacking itself," she says.

Breaking down the risk

How does reputable open source software that is used by millions become a real ranger? Xie believes that OSSLs are a soft target for attackers since there's rarely any process in place to protect them. "There is no single moderator, no proper identification or trust verification in place. OSSLs are kept in check by the user community, which shares responsibility for the quality of code," she explains.

"Yet this community is often more concerned with whether the code works well, or whether it's useful - little attention gets paid to whether it's compromised. In one case, ownership of an OSSL popular with Fortune 500 developers was handed over to an anonymous stranger, simply because the stranger asked for it. It's no surprise that attackers will take advantage in these circumstances."

This weaponisation is constantly growing, with attackers realising that OSSLs are an easy win. "One open source security firm recorded a rise of more than 50 percent in 2018 alone," says Xie. As for real world examples, EventStream demonstrates the detrimental impact of these attacks. She continues: "This OSSL was used by firms of all sizes, from small start-ups right through to industry giants with trustworthy reputations. Yet as mentioned above, it wasn't subject to any type of security procedure, and ownership over it was simply handed over without question."

It seems there's a great deal of value for attackers. "For attackers, this method offers them the chance to keep their distance while still achieving the same results as a direct attack. It can also help them to bypass strong defences, as the code is brought in by the company's own developers," says Xie.

"Since these attacks rely on the fact that companies blindly trust OSSLs, attackers simply use OSSLs as a vehicle for distributing malicious code further downstream. In a sense, attackers are just laying the groundwork before sitting back while organisations effectively hack themselves."

Mitigating OSSL attacks

With OSSL attacks clearly a growing threat for organisations, the concern then becomes mitigating them. Xie says: "The reality is that there's no silver bullet in this case. We can't expect organisations to use only their own custom code for everything they develop. Plus, it's not realistic to apply stringent security procedures to OSSLs given that responsibility for them goes across a community of users."

But there is one solution that could help to address rogue OSSLs: code sharing. "This is an effective software security control that ensures the authenticity of the publisher, and the integrity of the software package," adds Xie. "Every major operating system uses an in-built validation system that tells end-users that the software is secure and trustworthy. While the code-signing system isn't fool proof, it's an indication that software is more likely to be trustworthy."

Xie expects these attacks to keep growing in volume and complexity over the coming years. She concludes: "The security community is only just beginning to realise the scale of the vulnerabilities that OSSLs present, and it may take time before we see any meaningful action. As long as this issue goes under the mainstream radar, attackers will look to exploit it. After all, OSSL trust attacks are a method where the victims are essentially hacking themselves; we can expect this method to remain popular for some time."