The open-source software community, the foundation of modern technology, is facing a growing threat from social engineering attacks. The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation issued alerts about social engineering takeovers of open-source projects after unknown malicious actors tried to gain control of an OpenJS-hosted project.
The Attack
The OpenJS Foundation Cross Project Council, which hosts popular JavaScript projects used by billions of websites, recently received a series of emails requesting updates to one of its popular JavaScript projects to address critical vulnerabilities, without giving any specifics. The authors wanted OpenJS to designate them as new maintainers, although none of them had privileged access to the project.
The good news, according to OpenSSF’s blog post, is that the OpenJS Foundation had effective security measures in place, which prevented unauthorized access to the project. The Foundation, demonstrating commendable proactiveness, reported the incident to the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security.
This approach resembles the recent incident involving the XZ Utils project, a popular data compression tool, in which a malicious actor using the name Jia Tan infiltrated the project by gaining the trust of its maintainer. The attack combined claims of expertise with the insertion of malicious code.
Soon after, a backdoor in xz/liblzma was disclosed on the oss-security mailing list, affecting the xz compression tools and libraries in versions 5.6.0 and 5.6.1. Fortunately, the compromise was discovered before widespread damage occurred.
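The disclosure named two affected releases, so the first thing an administrator wants is a quick check of which xz and liblzma versions a host reports. The script below is an added example written for this article, not code from the xz project or the oss-security post: it parses the two-line output of `xz --version` and flags a component when its version is 5.6.0 or 5.6.1. The sample outputs embedded in the block are constructed for the demonstration; the only live call, `check_host()`, runs the real `xz --version` command on the machine it executes on.

```python
import re
import subprocess
from typing import Dict, Optional

# The two releases named in the oss-security disclosure as carrying the backdoor.
AFFECTED_XZ_VERSIONS = {"5.6.0", "5.6.1"}

# Matches a dotted x.y.z version number anywhere on a line.
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)\b")


def parse_xz_version(output: str) -> Optional[str]:
    """Return the first x.y.z version number found in `xz --version` output, or None."""
    match = VERSION_RE.search(output)
    return match.group(1) if match else None


def check_xz_output(output: str) -> Dict[str, object]:
    """Classify `xz --version` output.

    Real `xz --version` output has the shape:
        xz (XZ Utils) 5.6.1
        liblzma 5.6.1
    The tool and the library are reported separately because a system may ship a
    patched binary while still linking the vulnerable shared library, or vice versa.
    """
    versions: Dict[str, str] = {}
    for line in output.splitlines():
        match = VERSION_RE.search(line)
        if not match:
            continue
        component = "liblzma" if line.strip().startswith("liblzma") else "xz"
        versions[component] = match.group(1)

    affected_components = sorted(
        name for name, version in versions.items() if version in AFFECTED_XZ_VERSIONS
    )
    return {
        "versions": versions,
        "affected_components": affected_components,
        "affected": bool(affected_components),
    }


def check_host() -> Dict[str, object]:
    """Run `xz --version` on this machine and classify the result (requires xz on PATH)."""
    try:
        proc = subprocess.run(
            ["xz", "--version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return {"versions": {}, "affected_components": [], "affected": False, "error": "xz not found"}
    return check_xz_output(proc.stdout)


# Constructed sample outputs for the demonstration (not captured from a real host).
SAMPLE_AFFECTED = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_CLEAN = "xz (XZ Utils) 5.4.5\nliblzma 5.4.5\n"

if __name__ == "__main__":
    for label, sample in (("affected", SAMPLE_AFFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, check_xz_output(sample))
    print("this host", check_host())
```

A version string is only a first-pass indicator: a distribution may backport a fix without changing the reported version, so a clean result here should be confirmed against the distribution's own advisory rather than treated as proof.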
A Wake-Up Call for Open Source Community
Open-source software can introduce risk at any point in the supply chain, but the community's due diligence and oversight can always ensure quick detection and resolution.
Open-source maintainers should guard against social engineering by implementing measures such as Multi-Factor Authentication (MFA), granting contributors only the access they need, conducting rigorous code reviews, fostering a strong community, and being wary of unsolicited help. Limiting privileges adds a further layer of security, as does treating with caution any individual who offers "critical" updates or requests access.
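The measures above (MFA, least privilege, scrutiny of newcomers asking for access) can be turned into a repeatable access review. The script below is an added example written for this article, not code from OpenSSF, OpenJS or any project they host: it takes a list of collaborator records and flags anyone who holds write, maintain or admin rights without MFA, with a short contribution history, or with little merged work behind them. The collaborator records, the tenure and track-record thresholds, and the permission names are constructed assumptions for the demonstration; a real review would populate the records from the hosting platform's collaborator and member listings.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Permission levels that allow changing code or settings (constructed, modelled on
# common hosting-platform roles).
PRIVILEGED = {"write", "maintain", "admin"}


@dataclass(frozen=True)
class Collaborator:
    login: str
    permission: str          # "read", "triage", "write", "maintain" or "admin"
    mfa_enabled: bool
    first_contribution: date  # date of the first accepted contribution
    merged_prs: int           # number of merged pull requests


def review_access(
    collaborators: List[Collaborator],
    today: date,
    min_tenure_days: int = 180,   # assumed threshold for a "new" privileged account
    min_merged_prs: int = 10,     # assumed threshold for an established track record
) -> List[Tuple[str, str]]:
    """Return (login, finding) pairs for privileged accounts that need a second look.

    Accounts with read-only access are not flagged: the point of least privilege is
    that a newcomer can participate without holding rights worth taking over.
    """
    findings: List[Tuple[str, str]] = []
    for c in collaborators:
        if c.permission not in PRIVILEGED:
            continue
        if not c.mfa_enabled:
            findings.append((c.login, "privileged-without-mfa"))
        tenure_days = (today - c.first_contribution).days
        if tenure_days < min_tenure_days:
            findings.append((c.login, "privileged-short-tenure"))
        if c.merged_prs < min_merged_prs:
            findings.append((c.login, "privileged-low-track-record"))
    return findings


def evaluate_maintainer_request(
    requester: Collaborator, today: date, min_tenure_days: int = 180, min_merged_prs: int = 10
) -> str:
    """Decide how to treat a request for maintainer rights from an existing collaborator.

    A request from an account with no MFA, little history or little merged work is
    the pattern described in the article and is routed to manual review rather than
    granted automatically.
    """
    tenure_days = (today - requester.first_contribution).days
    if not requester.mfa_enabled:
        return "deny: enable MFA first"
    if tenure_days < min_tenure_days or requester.merged_prs < min_merged_prs:
        return "hold: insufficient history, manual review required"
    return "eligible: proceed with community vote"


# Constructed sample roster for the demonstration.
TODAY = date(2024, 4, 20)
SAMPLE_ROSTER = [
    Collaborator("longtime-maintainer", "admin", True, date(2016, 3, 1), 240),
    Collaborator("no-mfa-committer", "write", False, date(2019, 7, 14), 35),
    Collaborator("fresh-helper", "maintain", True, date(2024, 2, 2), 3),
    Collaborator("casual-reporter", "read", False, date(2024, 4, 1), 0),
]

if __name__ == "__main__":
    for login, finding in review_access(SAMPLE_ROSTER, TODAY):
        print(f"{login}: {finding}")
    print(evaluate_maintainer_request(SAMPLE_ROSTER[2], TODAY))
```

The thresholds are deliberately parameters: a small project may reasonably accept a shorter tenure, but it should make that choice explicitly rather than grant rights because someone asked persuasively.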
Open Source Tools = Lucrative Target
Over 30 million open-source projects are hosted on GitHub, highlighting their widespread adoption by individuals and businesses. That same scale also makes these projects lucrative targets for cybercriminals.
For instance, a few months ago a new hacker group called GambleForce was discovered exploiting open-source tools to compromise its targets. Incidents like this have encouraged initiatives such as bug bounty programs from Google and the European Union (EU) aimed specifically at open-source tools.
Expert Opinion
Chris Hughes, chief security advisor at the open-source security company Endor Labs and Cyber Innovation Fellow at CISA, where he focuses on supply chain security, says these attack attempts are not surprising, but they do raise awareness of bigger OSS security issues.
“It is not surprising at all to hear about these increased social engineering takeover attempts, and these will increase with the recent xz utilities example providing insight to malicious actors on how to conduct this attack. In fact, we can likely suspect that many of these are already underway and may have already been successful but haven’t been exposed or identified yet,” Chris warned.