In an increasingly digital world, Open-Source Software (OSS) can now be found in almost every aspect of modern technology. Its impact is so widespread that relatively few organisations’ operating software systems will be untouched by its influence. Its ubiquitous adoption, however, comes with its own set of challenges, particularly relating to cybersecurity.
Take, for instance, Log4j, a popular logging utility used by many organisations for recording events such as status reports and errors. Its implementation into countless commercial products underlined the inherent vulnerabilities of some open-source technologies when its weak points were exposed, a situation which came to be known as ‘Log4shell’. This zero-day vulnerability allowed threat actors to compromise systems using malicious code and take control while remaining undetected. At the time, its impact was described as “enormous”.
This incident raised some important concerns, such as how organisations can truly understand and manage the software packages they rely on.
There are a range of risks to address. Firstly, there’s no doubt that OSS packages serve as invaluable tools for developers, saving countless development hours. Instead of building bespoke solutions, which might introduce their own vulnerabilities, developers leverage established OSS solutions. The potential problem here is that unsuspecting end users often remain in the dark about the risks associated with these open-source integrations, presenting significant risk vectors.
In addition, public OSS repositories, the primary sources from which developers pull these packages, are typically inundated with new third-party packages and frequent package updates on a daily basis. While these repositories offer the prospect of fast-tracked development, the sheer volume on offer makes security vetting a huge task. As a result, responsibility for sifting the wheat from the chaff predominantly falls upon security researchers and firms rather than being taken care of by a structured, mandated system.
Threat actors look to capitalise on these issues by manipulating legitimate packages with malicious insertions, which they then re-upload onto public repositories under similar names and wait for their victims to download them. Another method hackers use is to develop something new to upload to the sites, embedding secondary malicious code under the guise of useful open-source packages. Some of these cyber criminals have honed their approach to such an extent that they have created fake social media profiles, positioning themselves as credible developers to present a more convincing persona.
While numerous malicious security problems within OSS packages have been flagged because they predominantly cater to larger audiences, by the time these vulnerabilities surface, they are often too entrenched to be isolated.
Take the banking sector, for instance, whose well-established and predictable software landscape offers an enticing option for open-source-focused attackers. Here, hackers can almost predict the software that will be run by a bank and look to infect it with malicious code accordingly. Attackers can also be highly pragmatic in their approach and will assess the potential return of tactics which provide more in terms of efficiency and reliability than attacking a higher volume of random targets with more unpredictable infrastructures.
Looking further afield, however, no industry is invulnerable, not least because the development ecosystem is geared towards optimising the use of open-source technologies. Modern work environments in particular usually operate using a significant amount of ‘off the shelf’ software – many with some form of OSS package built in. Developers sharing packages throughout their community is not a new concept – it has been going on for decades – but the problem today is that external awareness of these ecosystems has increased so that attackers have turned their attention to how they can capitalise on the community trust that has been created over the long term.
Navigating the OSS Threat Landscape
To a large extent, protection from OSS attacks hinges on awareness and knowledge. Organisations must have an in-depth understanding of every piece of software they deploy. In this context, comprehensive documentation detailing OSS integrations can be invaluable, and if it’s not available, tools that analyse and identify packages within software can effectively bridge the gap.
In the case of the Log4j incident, the impact of the attack was exacerbated by widespread ignorance about the software integrations involved. To protect against such threats in the future, there’s also an urgent need for an accessible software directory that facilitates rapid vulnerability assessments. Looking ahead, while open-source software has proven itself to be immensely beneficial over a long period of time, it is not without its pitfalls. By definition, as OSS becomes ubiquitous, the vulnerabilities it can contain are likely to be magnified. In this context, greater levels of vigilance, knowledge and proactive measures represent the best defence in this evolving and crucial sector of the technology industry.
Attackers can compromise legitimate OSS packages and inject malicious code into them. This can then be distributed to unsuspecting users.