Cybercriminals set their sights on open source supply chains

Open source software supply chains are juicy targets for cybercriminals, who are taking advantage of the fact that many businesses aren't aware of which open source components they're using and where.

Cybercriminals are taking advantage of developer demand for open source software (OSS) by targeting open source supply chains.

Sonatype has reported a 430% surge in next-gen cyberattacks of this kind, in which strategic attacks compromise 'upstream' OSS projects so that cybercriminals can subsequently exploit the vulnerabilities as they flow 'downstream' into businesses' systems.

Recent examples of next-gen OSS supply chain attacks include Octopus Scanner and electron-native-notify, but what's behind this cybercriminal shift?

"In short, it's simply more efficient for adversaries," explains Derek Weeks, VP and DevOps advocate at Sonatype. "Historically, what we'd refer to as 'downstream legacy attacks' took place after an open source project, or maintainer, disclosed a vulnerability publicly. Adversaries would race to find those vulnerabilities and exploit them before enterprises made their updates, but that was inefficient.

"Rather than wait for vulnerabilities to be discovered, wouldn't it be quicker for adversaries to create their own? That's what's happening with these next gen 'upstream attacks'. They're able to manufacture their own vulnerabilities by inserting malicious code into an unsuspecting OSS project. If it's downloaded 10,000 times a week, they potentially have 10,000 new suspects to prey upon."

Attacking an organisation is tricky; it will typically take longer and yield fewer results than targeting the software supply chain, points out Kevin Bocek, VP security strategy and threat intelligence at Venafi. "In the latter, attacks don't target the organisation itself; instead they focus on trusted software and services. When we consider how much software development relies on open source in today's IT environment, it's clear software supply chains offer attackers exponential opportunities," he notes.
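The article's starting point is that many businesses don't know which open source components they're using or where they came from. The following is an added example (not code from the article, Sonatype or Venafi) of the most basic defensive step: building an inventory of components from an npm lockfile and flagging entries that lack a pinned integrity hash or that resolve from somewhere other than the expected registry. The lockfile content, package names, hosts and hash value are all constructed for the example; `TRUSTED_REGISTRY` is an assumed policy setting, not something the article specifies.

```python
"""Inventory open source components from an npm package-lock.json (v2/v3).

Added example, not from the article. It walks the lockfile's "packages" map,
emits one row per installed component and records two hygiene findings:
  * no "integrity" hash pinned (the installed tarball cannot be checked
    against what was originally resolved), and
  * "resolved" points outside the trusted registry (git URLs, private hosts).
The lockfile below is constructed; none of the package names or URLs are real.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed policy value: the only registry we expect artifacts to come from.
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed sample lockfile (lockfileVersion 2 layout).
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0",
             "dependencies": {"example-lib-a": "^1.0.0"}},
        "node_modules/example-lib-a": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/example-lib-a/-/example-lib-a-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDERHASHVALUE",   # constructed, not a real digest
        },
        "node_modules/example-lib-b": {
            "version": "0.9.1",
            # Pulled straight from a git host, so no registry-published tarball
            # and no integrity field at all.
            "resolved": "git+ssh://git@example.invalid/someone/example-lib-b.git#abc123",
        },
        "node_modules/example-lib-a/node_modules/example-lib-c": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/example-lib-c/-/example-lib-c-2.0.0.tgz",
            # Registry-hosted but the integrity hash was never pinned.
        },
    },
})


@dataclass
class Component:
    name: str
    version: str
    resolved: str
    integrity: str
    findings: List[str] = field(default_factory=list)


def package_name(path: str) -> str:
    """Map a lockfile path to a package name.

    "node_modules/a/node_modules/b" -> "b"; scoped "node_modules/@s/x" -> "@s/x".
    """
    return path.split("node_modules/")[-1]


def inventory(lock_text: str, trusted_registry: str = TRUSTED_REGISTRY) -> List[Component]:
    """Return one Component per installed package, with hygiene findings attached."""
    lock: Dict = json.loads(lock_text)
    components: List[Component] = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":            # the root project itself, not a dependency
            continue
        resolved = meta.get("resolved", "")
        integrity = meta.get("integrity", "")
        findings: List[str] = []
        if not integrity:
            findings.append("no integrity hash pinned")
        if not resolved.startswith(trusted_registry):
            findings.append("resolved outside trusted registry")
        components.append(Component(package_name(path), meta.get("version", ""),
                                    resolved, integrity, findings))
    return components


def flagged(components: List[Component]) -> List[Component]:
    """Subset of the inventory that needs a human look."""
    return [c for c in components if c.findings]


if __name__ == "__main__":
    comps = inventory(SAMPLE_LOCKFILE)
    for c in comps:
        status = "; ".join(c.findings) if c.findings else "ok"
        print(f"{c.name}@{c.version}  {status}")
```

Run against a real lockfile by replacing `SAMPLE_LOCKFILE` with the file's contents. The output is the inventory the article says most businesses lack: every component, its version, where it was fetched from, and whether the fetched artifact is pinned to a hash. A flagged entry is not evidence of compromise, only a component whose provenance cannot be checked automatically and therefore deserves review.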
