Cybercriminals are taking advantage of developer demand for open source software (OSS) by targeting open source supply chains.
Sonatype has reported a 430% surge in next gen cyberattacks of this kind, where strategic attacks compromise 'upstream' OSS projects so cybercriminals can subsequently exploit vulnerabilities as they flow 'downstream' into businesses' systems.
Recent examples of next gen OSS supply chain attacks include Octopus Scanner and electron-native-notify, but what's behind this cybercriminal shift?
"In short, it's simply more efficient for adversaries," explains Derek Weeks, VP and devops advocate at Sonatype. "Historically, what we'd refer to as 'downstream legacy attacks' took place after an open source project, or maintainer, disclosed a vulnerability publicly. Adversaries would race to find those vulnerabilities and exploit them before enterprises made their updates, but that was inefficient.
"Rather than wait for vulnerabilities to be discovered, wouldn't it be quicker for adversaries to create their own? That's what's happening with these next gen 'upstream attacks'. They're able to manufacture their own vulnerabilities by inserting malicious code into an unsuspecting OSS project. If it's downloaded 10,000 times a week, they potentially have 10,000 new suspects to prey upon."
Attacking an organisation is tricky; it will typically take longer and yield fewer results than targeting the software supply chain, points out Kevin Bocek, VP security strategy and threat intelligence at Venafi. "In the latter, attacks don't target the organisation itself, instead they focus on trusted software and services. When we consider how much software development relies on open source in today's IT environment, it's clear software supply chains offer attackers exponential opportunities," he notes.
Where do the weaknesses lie?
Business supply chains are viewed as one of the weakest links in cybersecurity, as it's very difficult to control what security measures vendors or partners have taken.
The sheer amount of OSS used by businesses is also a specific issue, as Yana Blachman, threat intelligence specialist at Venafi, highlights.
"Popular package manager repositories for software developers serve thousands, if not millions of software developers around the world, and the number is rising."
With OSS, adversaries are exploiting businesses' trust in the open source system, and the fact that too many organisations aren't fully aware of what's in their software.
OSS development is by nature 'open': developed and modified by a community. Any code submitted for inclusion is of course reviewed, but if the contribution is large or complex, there's a chance that the review may be superficial. This creates a window of risk, and Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre (CyRC), believes this can be mitigated by better engagement with the open source community.
"It's this lack of community engagement and associated lack of awareness of how open source software is developed that represents the risk to businesses," he explains.
"If a business is using any open source software, and it's a rare one that isn't, then if they don't have controls to review all software in use within their business for latent open source risks, they have an incomplete software asset management process. After all, you can't possibly patch something you don't know you're using."
How businesses can protect themselves
So, what do businesses need to do to ensure their systems are secure? First and foremost, while bad actors are increasingly shifting their attention upstream, it's critical for enterprises to manage the software supply chain threats that remain prominent downstream. This is the first step in being able to protect themselves against these evolving attacks, says Weeks.
The next step is improving awareness and visibility. Organisations must understand what open source components they're using and where, and can do so by undertaking a comprehensive review of all software assets and procurement processes.
This includes all commercial software and embedded firmware, says Mackey; anything freely downloaded from the internet, including mobile apps, and any software used as building blocks within the software the business itself creates.
"While open source software is often thought of simply as source code, it's often embedded in commercial software, meaning open source awareness extends to understanding how well your vendors are managing their usage of open source.
"Once this inventory process has been completed, it becomes possible to map the usage to its role in business operations and a de-risking process can begin. High on that de-risking process is identifying patch processes for each identified component and then implementing a process to ensure that all software is continuously monitored for new patches and updates."
Weeks adds that every application should have a software bill of materials (SBOM) you can go to immediately when a new vulnerability is announced, to determine if you're using that now risky component.
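As an added illustration (not code from the article or from any of the vendors quoted), the following Python script checks a CycloneDX-style SBOM against a list of advisories to answer the question Weeks raises: is a newly risky component in use, and which version would fix it? The SBOM contents, package names, version ranges and advisory identifiers are all constructed placeholders.

```python
import json
import re

# Constructed sample SBOM in a CycloneDX-like JSON layout (placeholder packages).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "acme-logger", "version": "2.3.0", "purl": "pkg:npm/acme-logger@2.3.0"},
    {"name": "fast-json",   "version": "1.0.0", "purl": "pkg:npm/fast-json@1.0.0"},
    {"name": "widget-ui",   "version": "3.1.0", "purl": "pkg:npm/widget-ui@3.1.0"}
  ]
}
"""

# Constructed advisories: a component is affected if introduced <= version < fixed_in.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "acme-logger",
     "introduced": "2.0.0", "fixed_in": "2.4.1"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "widget-ui",
     "introduced": "3.0.0", "fixed_in": "3.0.2"},   # already patched in the SBOM
]


def parse_version(version):
    """Turn '4.17.15' into (4, 17, 15); non-numeric suffixes are dropped (simplification)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def load_components(sbom_json):
    """Extract (name, version) pairs from the SBOM's component list."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def affected_components(sbom_json, advisories):
    """Return (advisory_id, name, version, fixed_in) for every SBOM component
    that falls inside an advisory's vulnerable version range."""
    hits = []
    for name, version in load_components(sbom_json):
        current = parse_version(version)
        for adv in advisories:
            if adv["package"] != name:
                continue
            low = parse_version(adv.get("introduced", "0"))
            high = parse_version(adv["fixed_in"])
            if low <= current < high:
                hits.append((adv["id"], name, version, adv["fixed_in"]))
    return hits


if __name__ == "__main__":
    for adv_id, name, version, fixed in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {name}@{version} is affected, upgrade to {fixed}")
```

Run against a real SBOM, the same matching logic would be fed by an advisory feed rather than the inline list.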
Pick up the pace!
Then it's time to establish a "rapid upgrade posture", Weeks continues, so that businesses can find and fix vulnerable OSS dependencies in product applications quickly.
"The 'rapid' portion of this is critical – the window of exploitability is important to understand," he says. "Our 2020 survey revealed that only 17% of organisations become aware of a new open source vulnerability within a day of disclosure, with 35% finding out within a week. The remaining 48% become aware after this."
The threat from these next gen OSS supply chain cyberattacks has the potential to grow, particularly since OSS is becoming an integral part of many organisations' production environments and in light of greater adoption of open source cloud computing technologies.
Candid Wüest, VP of cyber protection research at Acronis, concludes by advising businesses to incorporate the risks from these attacks into their IT security planning process.
"Security testing needs to be an integral part of the process. With the increase of third-party dependencies, especially with cloud, web and browser applications, there's a huge opportunity for cybercriminals to expand their attacks – something they're guaranteed not to miss."