The 2020 SolarWinds hack served as an alarming wake-up call about the threat of the software supply chain, spurring rapid shifts in how organizations secure third-party applications. And yet, two years later, open source repositories remain ripe for exploitation.
Part of the issue is the sheer volume of open source code powering the modern internet, with 98% of applications using them, according to a report from Synopsys. Dan Lorenc, CEO and co-founder of Chainguard, likened it to an iceberg — where a little bit of the internet is floating above the water, while the rest “is the massive amount of open source beneath.”
But further enticing cybercriminals is the open source development model itself: the collaborative approach, defined by sharing and reuse of code. Sonatype found an average 700% jump in attacks against open source projected over the last three years, while the cybersecurity community learned firsthand about the implications of open source vulnerabilities when a flaw in log4j, the popular Java logging package distributed under the Apache software license, was exploited.
"As someone who has spent their entire career in open source software, the Log4j scramble is a humbling reminder of just how far we still have to go," Brian Behlendorf, general manager of Open Source Security Foundation (OpenSSF) noted in a blog post when the attacks first emerged.
Why open source remains vulnerable
Ilkka Turunen, field chief technology officer at Sonatype, told SC Media that open source repositories are popular because they are easy to execute and can generate high potential yield.
"To conduct attacks, cybercriminals simply need to register an account and publish malicious packages. And if they are unregistered, there is no verification in some open-source ecosystems for ownership," said Turunen.
Typosquatting and dependency confusion are two most common forms of open-source attacks, according to Turunen. In typosquatting attacks, attackers will create a package with a name only slightly different from a popular package, preying on developers to make innocent typos when searching for popular components. Dependency confusion is a variant of typosquatting — attackers will create a compromised version of a package with the latest version number to public repositories that do not have namespace identity regulation, like npmjs. In this case, some pipeline build tools will automatically adopt the newer malicious version.
Zornstain's team also found in a Russian underground forum last year that a hacker was selling a development npm account, which he or she claimed to have more than seven million installations every week, to other criminals.
"We are now seeing this account takeover become trending within the open-source community," Zornstain said.
"We are trying to close the easiest attack vectors to prevent malware from infecting a popular piece of open source," Justin Hutchings, director of product management at GitHub, told SC Media.
But just as security enhancements evolve, so do sophistication of attack methods of cybercriminals. Resecurity researchers recently identified a new phishing-as-a-service called EvilProxy which promises to steal authentication tokens to bypass multi-factor authentication (MFA) on many platforms, including GitHub.
“EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication — proxying the victim's session,” Resecurity researchers noted in a blog post. “Previously, such methods have been seen in targeted campaigns of APT and cyberespionage groups, however now these methods have been successfully productized in EvilProxy which highlights the significance of growth in attacks against online services and MFA authorization mechanisms.”
How to address open source security gaps
From a technical perspective, Zornstain encouraged the industry to share information, including findings of malicious packages, package samples, full metadata, in a central repository.
"It is OK to delete malicious packages if people find them, but I hope they can save copies for researchers so that we can learn from those vulnerabilities," said Zornstain.
Deborah Bryant, policy director at Open Source Initiative, noted that addressing software supply chain attacks should be a collaborative effort among academia, private industries, non-profit organizations, and government.
Promising efforts for such collaboration are emerging. The Senate Homeland Security Committee recently approved bipartisan legislation fostering open-source software security, just a week after its introduction by committee head Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio, on Sept. 21.
Also, in response to the Log4j vulnerability revealed in late November 2021, the Securing Open Source Software Act will direct the Cybersecurity and Infrastructure Security Agency (CISA) to establish a risk framework on the federal government’s open-source code and hire professionals with expertise in the open-source community.
But some do worry that reverting focus to open source, particularly by way of regulatory standards, misses the point — that efforts to address software supply chain risks should be viewed holistically. OpenSSF noted such concerns in a blog post that also credited Congress for taking steps to address software supply chain issues.
"Open-source software did not fail, as some have suggested, and it would be misguided to suggest that the Log4j vulnerability is evidence of a unique flaw or increased risk with open-source software," said Brad Arkin, Cisco's senior vice president and chief security and trust officer, during testimony to Congress about Log4J earlier this year. "The truth is that all software contains vulnerabilities due to inherent flaws of human judgment in designing, integrating, and writing software."