Open source software is everywhere, and rightly so: It’s free, easy to use and increases efficiency for multiple business applications. But its widespread use is also seeing open source software increasingly targeted by cyber attacks.
The 2014, the Heartbleed vulnerability was a critical flaw in OpenSSL, an open source software suite that encrypts traffic on the internet. During the same year, researchers discovered another scary bug dubbed Shellshock, which let attackers execute commands via a flaw in the Unix shell Bash to gain access to services including web servers.
In the devastating Equifax breach of 2017, attackers took advantage of an unpatched falw in open source Apache Struts to steal data including social security numbers. More recently, Log4j demonstrated how ubiquitous open source software was – and how dangerous it can be when compromised.
Existential tensions put open source on path to crisis point
Recent research shows exactly how adversaries are targeting open source software in cyber assaults. Last month, security firm Checkmarx detailed open source software attacks targeting the banking sector and predicted the “persistent trend” will continue.
Open source software attacks – which target the software business applications rely on – are a growing risk organizations firms in all sectors should be aware of. So why are they such a problem and what can businesses do to avoid them?
What are the major open source attack methods?
Open source software attacks are essentially a supply chain compromise, says David Emm, principal security researcher at security outfit Kaspersky. The risks of open source software are so vast because its very nature “inherently encourages collaboration to modify and distribute it”, Emm warns. This, of course, opens up opportunities for adversaries to exploit.
“Open source software attacks take place when hackers exploit vulnerabilities in open source code to plant a hidden threat,” Emm explains. It can leave the products using these packages compromised and vulnerable to manipulation, including supply chain attacks.
One open source software attack method involves copying legitimate packages available in libraries and inserting malicious code into them. “Attackers then re-upload these contaminated software packages onto public repositories under similar names and wait for unsuspecting victims to download them,” says Andy Swift, cyber security assurance technical director at Six Degrees.
This is made worse by the fact libraries can be found “everywhere”, says Bernard Montel, EMEA technical director and security strategist at Tenable. “They are sometimes used in commercial solutions,” he adds.
Aviad Gerhson, security researcher and team leader at security company Checkmarx describes how the firm discovered several campaigns targeting open source software. “Our team uncovered around 200 malicious NPM packages with thousands of installations linked to an attack group called LofyGang.”
Another example is RED-LILI, which created a "factory" automating the process of creating dependency confusion attacks targeting the software supply chain, Gerhson explains.
Emm describes how, in 2022, Kaspersky spotted malicious Python packages distributed through the popular Python Package Index (PyPI) repository with the intention of stealing developers’ personal data and credentials. “In this case, the attackers used a description of the legitimate requests package to trick victims into installing a malicious one.“
Who is most at risk from open source attacks?
All sectors are at risk, but as Checkmarx’s report shows, banking is increasingly becoming a target of attacks due to its “substantial dependence” on open source software. This is compounded by the fact the industry handles “highly sensitive and valuable data”, says Wilfrid Blanc, technical strategist at cyber security consultancy Hackuity. “As digital transformation in the sector continues to progress, banks are exposed to a larger attack surface, making them attractive targets for cyber criminals.”
Learn about the five key stages of risk management maturity and get guidance on how you can move from one stage to the next.
Adding to this is the complex nature of banking systems, which can see multiple open source components working in conjunction. This can create security gaps if not properly managed, Blanc explains.
Aside from the financial sector, experts say attacks can affect any industry that relies on or incorporates open source components, but healthcare, retail, government, and technology are the most exposed. “Like banking, these sectors heavily depend on open source software for various functions, and they handle vast amounts of sensitive data,” Blanc says.
How can organiztions avoid and mitigate open source attacks?
The risk is real, so how can firms prevent and mitigate open source software attacks? First and foremost, it’s important to know the software you use “inside and out”, Swift says. Protection is largely down to awareness, he says. “One of the main reasons the Log4j attack was so difficult to manage was because organizations struggled to identify if their software was even using this component – with some taking months to realize they were at risk.”
Ideally, developers should be using documentation detailing the open source software packages being used in the business, he adds.
Matt Lewis, commercial research director at consultancy NCC Group concurs, adding that open source software projects should “undergo rigorous code reviews” before new contributions are accepted to ensure no malicious code has been added.
Developers should follow secure coding practices to reduce the chance of introducing vulnerabilities, he says. “Software developers should only download from trusted sources – ideally the project's official site or a well-known package repository to help avoid malicious modifications. Regular security testing including penetration testing and security scanning will also help to identify vulnerabilities in systems.”
In addition, businesses should keep track of known vulnerabilities in the open source components they use, Lewis advises. Resources such as the National Vulnerability Database can help with this.
Lewis also advises establishing a Software Bill of Materials (SBOM) to help manage supply chain vulnerabilities. “Organizations should regularly update and patch to close off known vulnerabilities in open source software,” he adds.
Attackers are always going to follow the money, so businesses must adopt proactive measures and defense mechanisms to stay one step ahead, says Emm. “A lack of awareness of security best practices can make businesses susceptible to attacks, including those involving open source software.”
It’s important not to lose sight of the fact that human error remains a “significant factor” in successful attacks, Emm warns. “Educating employees and customers about the risks and best practices to mitigate attacks is key.”
