posted by hubie on Friday April 19, @08:08AM
from the it's-the-new-style dept.

xz-style Attacks Continue to Target Open-Source Maintainers:

Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently targeting the Linux xz data compression library, XZ Utils. Many believe the attempt to backdoor Linux's xz data compression library might not be an isolated incident. According to the OpenJS Foundation and Open Source Security Foundation (OpenSSF), there has been a series of suspicious emails that appear targeted at a popular unnamed JavaScript project that the OpenJS Foundation hosts.

The emails were sent from different names, all with GitHub-associated email addresses, and were constructed around the same theme. The suspected attackers were trying to get themselves added as project maintainers to "address any critical vulnerabilities" but didn't provide details on these vulnerabilities, which raises suspicion. This approach is similar to how the backdoor was introduced into XZ/liblzma, and as a result, it has been flagged as a potential security danger.

[...] This kind of attack is not new, yet it remains an effective way for attackers to infiltrate an open-source project. Project maintainers must therefore be extra vigilant and perform rigorous checks before adding contributors as maintainers. According to the article, this attack method relies on social engineering and exploits the sense of duty that maintainers feel toward their projects in order to infiltrate them.

The attack method exploits the maintainers' sense of social responsibility to deceive them. As such, promoting technical expertise and sharing knowledge about emerging threats and attack methods is imperative. Additionally, it is necessary to ensure that open-source projects are well-funded and their maintainers are adequately supported. This would serve as a significant deterrent against potential social engineering attacks.

As such, governments and other organizations must allocate resources to help secure the broader open-source ecosystem. Funding for security developers has already had a tremendous effect, for example through the security-focused Alpha-Omega project, which Microsoft, Amazon, and Google support. Germany's Sovereign Tech Fund aims to support foundations like OpenJS to strengthen infrastructure and security.

This attack is a clear example of how attackers can infiltrate open-source projects by exploiting users' trust to introduce backdoors. Consequently, we recommend coordinating efforts from different organizations and collaborating globally within the open-source ecosystem. In essence, this will help ensure that open-source developers are better equipped to identify such threats and mitigate them promptly. Therefore, more resources, a coordinated approach, knowledge sharing, and adequate funding are imperative in raising open-source security levels to protect our interconnected open-source projects and shared digital economies.



Related Stories

GitHub Comments Abused to Push Malware Via Microsoft Repo URLs

A GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy:

While most of the malware activity has been based around the Microsoft GitHub URLs, this "flaw" could be abused with any public repository on GitHub, allowing threat actors to create very convincing lures.

Yesterday, McAfee released a report on a new Lua malware loader distributed through what appeared to be legitimate Microsoft GitHub repositories for the "C++ Library Manager for Windows, Linux, and MacOS," known as vcpkg, and the STL library.

The URLs for the malware installers, shown below, clearly indicate that they belong to the Microsoft repo, but we could not find any reference to the files in the project's source code.

Finding it strange that a Microsoft repo would be distributing malware since February, BleepingComputer looked into it and found that the files are not part of vcpkg but were uploaded as part of a comment left on a commit or issue in the project.

[...] As the file's URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures.

For example, a threat actor could upload a malware executable in NVIDIA's driver installer repo that pretends to be a new driver fixing issues in a popular game. Or a threat actor could upload a file in a comment to the Google Chromium source code and pretend it's a new test version of the web browser.

Originally spotted on Schneier on Security.

Recently: xz-style Attacks Continue to Target Open-Source Maintainers
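The point of the related story above is that a GitHub URL that carries an owner and repository name is not evidence that the owner published the file: comment attachments live under the repository's namespace without ever entering its tree. The following classifier is an added example written for this page, not code from GitHub, Microsoft, McAfee or BleepingComputer. It assumes the comment-attachment URL shape the report describes (https://github.com/<owner>/<repo>/files/<numeric id>/<name>), plus the newer https://github.com/user-attachments/files/... shape, and contrasts them with the repository-tree and release-asset paths whose contents a maintainer actually controls. The organisation, repository and file names in the sample message are constructed.

```python
import re
from urllib.parse import urlparse

# Paths whose content is anchored to the repository itself: a blob at a git ref,
# or an asset uploaded by someone with release permission on the repository.
REPO_BLOB = re.compile(r"^/([^/]+)/([^/]+)/(?:blob|raw)/([^/]+)/(.+)$")
RAW_BLOB = re.compile(r"^/([^/]+)/([^/]+)/([^/]+)/(.+)$")  # raw.githubusercontent.com
RELEASE_ASSET = re.compile(r"^/([^/]+)/([^/]+)/releases/download/([^/]+)/(.+)$")

# Comment attachments (assumed shapes, see lead-in). The owner/repo segments only
# record where the comment was posted; the file is not in the tree, and any
# account that can comment on an issue or commit can mint such a URL. The newer
# user-attachments form drops the repository name altogether.
COMMENT_ATTACHMENT = re.compile(r"^/([^/]+)/([^/]+)/files/(\d+)/(.+)$")
USER_ATTACHMENT = re.compile(r"^/user-attachments/files/(\d+)/(.+)$")

URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+")


def classify_github_url(url: str) -> dict:
    """Say which kind of GitHub location a URL points at and who could have put the file there."""
    u = urlparse(url)
    host, path = u.netloc.lower(), u.path
    if host == "github.com":
        m = USER_ATTACHMENT.match(path)
        if m:
            return {"kind": "comment_attachment", "owner": None, "repo": None,
                    "name": m.group(2), "ref": None, "published_by": "any_commenter"}
        m = COMMENT_ATTACHMENT.match(path)
        if m:
            owner, repo, _file_id, name = m.groups()
            return {"kind": "comment_attachment", "owner": owner, "repo": repo,
                    "name": name, "ref": None, "published_by": "any_commenter"}
        m = RELEASE_ASSET.match(path)
        if m:
            owner, repo, tag, name = m.groups()
            return {"kind": "release_asset", "owner": owner, "repo": repo,
                    "name": name, "ref": tag, "published_by": "release_uploader"}
        m = REPO_BLOB.match(path)
        if m:
            owner, repo, ref, name = m.groups()
            return {"kind": "repo_file", "owner": owner, "repo": repo,
                    "name": name, "ref": ref, "published_by": "repo_tree"}
    elif host == "raw.githubusercontent.com":
        m = RAW_BLOB.match(path)
        if m:
            owner, repo, ref, name = m.groups()
            return {"kind": "repo_file", "owner": owner, "repo": repo,
                    "name": name, "ref": ref, "published_by": "repo_tree"}
    # Anything else: not a shape we can reason about, so no trust is implied.
    return {"kind": "unknown", "owner": None, "repo": None,
            "name": None, "ref": None, "published_by": "unknown"}


def find_comment_attachment_lures(text: str) -> list:
    """Return (url, owner, repo) for every GitHub comment-attachment URL found in text."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:")  # trailing sentence punctuation is not part of the URL
        info = classify_github_url(url)
        if info["kind"] == "comment_attachment":
            hits.append((url, info["owner"], info["repo"]))
    return hits


# Constructed sample message in the style of the lure the report describes;
# "example-org/example-tool" is a hypothetical repository, not a real one.
SAMPLE_MESSAGE = """\
Hi, the fixed build is in the official repo:
https://github.com/example-org/example-tool/files/1234567/Setup.zip
The signed release is at https://github.com/example-org/example-tool/releases/download/v1.2.0/tool-linux-amd64.tar.gz.
"""

if __name__ == "__main__":
    for url, owner, repo in find_comment_attachment_lures(SAMPLE_MESSAGE):
        print(f"comment attachment posted under {owner}/{repo}, not in its tree: {url}")
```

The distinction the classifier draws is the one a practitioner should apply by hand as well: a `repo_file` URL can be checked against the repository at the named ref, a `release_asset` was uploaded by someone holding release rights, but a `comment_attachment` URL proves only that some account was able to leave a comment under that repository, which on a public project is anyone.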


  • (Score: 4, Insightful) by Thexalon on Friday April 19, @11:40AM (7 children)

    by Thexalon (636) on Friday April 19, @11:40AM (#1353609)

    I don't mean that the software was bad, or that the trend towards more and more stuff relying on it was bad. But specifically the efforts of those who came up with terming it "Open Source" remain a problem.

    "Open Source" aimed to be business-friendly. And what makes businesses happy is minimizing their costs. Which means minimizing how many people are working on each package. Which means that their ideal is less than 1 developer, ideally not paid by any business, working on maintaining most of the key stuff that we now rely on. This creates a single point of failure (1 hapless probably-unpaid developer who is probably trying desperately to recruit any kind of help they can get to keep their absolutely essential bit of software functioning) that can be easily exploited by a bad actor.

    I don't know of an easy solution to this. Good job, 1 guy at Microsoft, for catching this particular problem. I know my employer has a team of people whose job is to vet open-source packages we're considering using, and I wouldn't be surprised if they catch and fix bugs all the time. Motivated individuals could move onto the projects that are approaching single-point-of-failure, but that risks becoming that single point of failure when the other guy working on it decides to quit because 1-2 decades of thankless work was enough for them.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 5, Insightful) by pkrasimirov on Friday April 19, @01:00PM (6 children)

      by pkrasimirov (3358) Subscriber Badge on Friday April 19, @01:00PM (#1353615)

      > "Open Source" aimed to be business-friendly.
      Seems I missed these announcements. I believed open source, aka free-as-in-speech software, was aimed at allowing modifications without legal repercussions or the need for reverse engineering. IIRC it started when someone wanted to fix a printer bug and the manufacturer couldn't be bothered. So take-it-or-leave-it no-guarantee your-problem software. This was always aimed at the regular everyday hacker, only making their life a bit easier. "Business" came much later, piggy-backing on free-as-in-beer goods turned merchandise. Even businesses with a primary focus on developing software rarely contribute to open source unless it benefits them specifically.

      • (Score: 3, Informative) by r_a_trip on Friday April 19, @02:35PM (5 children)

        by r_a_trip (5276) on Friday April 19, @02:35PM (#1353630)

        No, it started with Free Software and it was Richard Stallman coining the term after fighting with that proprietary printer. Free Software is political and opinionated. That didn't sit well with the big corpos, so about 1.5 decades after Free Software was coined, they came up with the term Open Source to make it more palatable to big business.

        • (Score: 4, Informative) by canopic jug on Friday April 19, @02:46PM (2 children)

          by canopic jug (3949) Subscriber Badge on Friday April 19, @02:46PM (#1353632) Journal

          Open Source was also intended as a stepping stone from proprietary to actual Free Software. As a developmental model, it turned out passable, as we see yet again here with it being the way the Xz attack was caught. The same cannot be said about its intended role as a vehicle to software freedom. In that regard, partially from division exacerbated by the beast in Redmond, it turns out that Open Source has been an utter failure and it is time to move on to something else [soylentnews.org]. As for how that something else will look, that is still under discussion but the work is being spearheaded by none other than Bruce Perens, who helped draft the Open Source Definition [oreilly.com].

          --
          Money is not free speech. Elections should not be auctions.
          • (Score: 3, Informative) by gnuman on Friday April 19, @07:22PM (1 child)

            by gnuman (5013) on Friday April 19, @07:22PM (#1353651)

            Open Source was also intended as a stepping stone from proprietary to actual Free Software.

            I just had this discussion at work.. Open Source is a term co-opted by OSI because they deemed "Free Software" was too much about Free-as-in-beer. So this is just a rename of Free Software as Open Software.

            https://en.wikipedia.org/wiki/Open-source_software#Definitions [wikipedia.org]

            Basically, we are talking about same thing. Especially since it's based on Debian Free Software Guidelines.

            • (Score: 2) by canopic jug on Saturday April 20, @03:02PM

              by canopic jug (3949) Subscriber Badge on Saturday April 20, @03:02PM (#1353744) Journal

              So this is just a rename of Free Software as Open Software.

              Yes, OSS was intended as the same thing as Software Freedom. Yet, despite being based on the Debian Free Software Guidelines, rather than enlightening people to the advantages of software freedom it became a means to avoid it and to strip mine the commons.

              The Open Source Initiative (OSI) could have had a say in correcting that. However, it has, not too recently, become a GPL-infringers' club and has a membership which is actively hostile to Copyleft in general. That includes m$. I'm not sure how to get them to clean house, since the OSI directors [opensource.org] there, despite having some good people, clearly lack the will to pursue the original intent of their organization and seem now more about pronouns and Codes of Censorship than object files and Codes of Software.

              --
              Money is not free speech. Elections should not be auctions.
        • (Score: 2) by hendrikboom on Friday April 19, @03:24PM (1 child)

          by hendrikboom (1125) Subscriber Badge on Friday April 19, @03:24PM (#1353634) Homepage Journal

          And, as I remember it, the Open Source initiative defined "open Source" to mean that the purchaser of the software got a copy of the source code, but did not necessarily get any rights to redistribute it. This is a big difference between "open source" and the "four freedoms".

          • (Score: 0) by Anonymous Coward on Friday April 19, @06:28PM

            by Anonymous Coward on Friday April 19, @06:28PM (#1353645)

            And, as I remember it, the Open Source initiative defined "open Source" to mean that the purchaser of the software got a copy of the source code, but did not necessarily get any rights to redistribute it. This is a big difference between "open source" and the "four freedoms".

            You remember incorrectly. OSI came up with the Open Source Definition [opensource.org], which was directly adapted from the Debian Free Software Guidelines [debian.org], both of which say essentially the same things as the FSF's free software definition [gnu.org] except with many more words.

            For the most part the people behind these various definitions accept all of the same licenses. There are some rare exceptions to this. One particular example is that the FSF does not accept the Sybase Open Watcom license as a free software license [gnu.org], but OSI did approve it as an open source license [opensource.org].

  • (Score: 4, Interesting) by gnuman on Friday April 19, @07:25PM (1 child)

    by gnuman (5013) on Friday April 19, @07:25PM (#1353652)

    This is inevitable since Free Software or Open Source Software has been mainstream for a long time now. So the only way to get a backdoor in is to infiltrate it. They can't just bribe or coerce a company to do it.

    • (Score: 0) by Anonymous Coward on Saturday April 20, @02:42AM

      by Anonymous Coward on Saturday April 20, @02:42AM (#1353683)

      Oh I dunno. As a poor software maintainer I would've thought bribes would be an excellent way to get backdoors in. Pay me enough to retire and live a comfortable life, and I may be willing to trash my name for it, and ask no questions.

  • (Score: 0) by Anonymous Coward on Friday April 19, @07:41PM

    by Anonymous Coward on Friday April 19, @07:41PM (#1353654)

    The emails were sent from different names, all with GitHub-associated email addresses, and were constructed around the same theme. The suspected attackers were trying to get themselves added as project maintainers to "address any critical vulnerabilities" but didn't provide details on these vulnerabilities, which raises suspicion. This approach is similar to how the backdoor was introduced into XZ/liblzma, and as a result, it has been flagged as a potential security danger.

    I don't think this is in any way similar to how the backdoor was introduced into XZ/liblzma, because it is missing the most crucial element of the xz backdoor: time. "Jia Tan" spent literally years building up trust as co-maintainer (and "helping" out before that) before the trojan (the one that we know about, anyway) was added earlier this year.

    No, this is just run of the mill criminals who saw what "Jia Tan" almost (we think) managed to pull off so now we have all the "Nigerian Princes" spamming everyone trying to get them to install obvious trojans, hoping some marks will bite.

  • (Score: 4, Insightful) by Mojibake Tengu on Saturday April 20, @12:09AM (3 children)

    by Mojibake Tengu (8598) on Saturday April 20, @12:09AM (#1353676) Journal

    Continuous updates are an absolutely imbecile method of managing software.

    It makes everything totally unauditable, from software components up to whole systems and installations.

    For security, you need rigid, immutable stuff you can rely on. Just like metal bars in a real world.

    --
    Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 3, Interesting) by pkrasimirov on Saturday April 20, @06:41AM (1 child)

      by pkrasimirov (3358) Subscriber Badge on Saturday April 20, @06:41AM (#1353699)

      Whoever wants to get a cathedral must pay master builders to build it. Whoever scoops shineys from an unregulated bazaar and uses them as building blocks will end up with yet another ghetto shack. But it suffices for the needs because the projected lifespan is 3 years even in the accounting books. No cathedral with such a lifetime is worth building, so shacks are the norm. It's all about the pain job these days, Lavender and Mint vs. Space Black and Natural Titanium.

      • (Score: 3, Funny) by janrinok on Saturday April 20, @10:36AM

        by janrinok (52) Subscriber Badge on Saturday April 20, @10:36AM (#1353715) Journal

        It's all about the pain job these days

        I think that is a spelling mistake - but somehow what you have actually written sounds appropriate too. :)

    • (Score: 2) by Beryllium Sphere (r) on Saturday April 20, @07:11PM

      by Beryllium Sphere (r) (5062) on Saturday April 20, @07:11PM (#1353777)

      Continuous integration has its foundation in automatic tests, and only a few security bugs can be found in automatic tests.
