Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Open Source. Show all posts
Open Source
Brute-force attack Credential stealing Data Breach data security Data Theft Golang Malicious Bots Open Source

Malicious Go Package Disguised as SSH Tool Steals Credentials via Telegram

 

Researchers have uncovered a malicious Go package disguised as an SSH brute-force tool that secretly collects and transmits stolen credentials to an attacker-controlled Telegram bot. The package, named golang-random-ip-ssh-bruteforce, first appeared on June 24, 2022, and was linked to a developer under the alias IllDieAnyway. Although the GitHub profile tied to this account has since been removed, the package is still accessible through Go’s official registry, raising concerns about supply chain security risks for developers who might unknowingly use it. 

The module is designed to scan random IPv4 addresses in search of SSH services operating on TCP port 22. Once it detects a running service, it attempts brute-force login using only two usernames, “root” and “admin,” combined with a list of weak and commonly used passwords. These include phrases such as “root,” “test,” “password,” “admin,” “12345678,” “1234,” “qwerty,” “webadmin,” “webmaster,” “techsupport,” “letmein,” and “Passw@rd.” If login succeeds, the malware immediately exfiltrates the target server’s IP address, username, and password through Telegram’s API to a bot called @sshZXC_bot, which forwards the stolen information to a user identified as @io_ping. Since Telegram communications are encrypted via HTTPS, the credential theft blends into ordinary web traffic, making detection much more difficult. 

The design of the tool helps it remain stealthy while maximizing efficiency. To bypass host identity checks, the module disables SSH host key verification by setting ssh.InsecureIgnoreHostKey as its callback. It continuously generates IPv4 addresses while attempting concurrent logins in an endless loop, increasing the chances of finding vulnerable servers. Interestingly, once it captures valid credentials for the first time, the malware terminates itself. This tactic minimizes its exposure, helping it avoid detection by defenders monitoring for sustained brute-force activity. 

Archival evidence suggests that the creator of this package has been active in the underground hacking community for years. Records link the developer to the release of multiple offensive tools, including an IP port scanner, an Instagram parser, and Selica-C2, a PHP-based botnet for command-and-control operations. Associated videos show tutorials on exploiting Telegram bots and launching SMS bomber attacks on Russian platforms. Analysts believe the attacker is likely of Russian origin, based on the language, platforms, and content of their activity. 

Security researchers warn that this Trojanized Go module represents a clear supply chain risk. Developers who unknowingly integrate it into their projects could unintentionally expose sensitive credentials to attackers, since the exfiltration traffic is hidden within legitimate encrypted HTTPS connections. This case underscores the growing threat of malicious open-source packages being planted in widely used ecosystems, where unsuspecting developers become conduits for large-scale credential theft.
Read more »
Vulnerabilities and Exploits
API security GitHub Open Source User Privacy Vulnerabilities and Exploits

Open-source Autoswagger Exposes API Authorisation Flaws

 

Autoswagger is a free, open-source tool designed to scan OpenAPI-documented APIs for broken authorization vulnerabilities. These vulnerabilities remain common, even among organizations with strong security postures, and pose a significant risk as they can be exploited easily. 

Key features and approach

API Schema Detection: Begins with a list of organization domains and scans for OpenAPI/Swagger documentation across various formats and locations. 

Endpoint Enumeration: Parses the discovered API specs to automatically generate a comprehensive list of endpoints along with their required parameters. 

Authorization Testing: Sends requests to endpoints using valid parameters and flags those that return successful responses instead of the expected HTTP 401/403, highlighting potential improper or missing access control. 

Advanced Scanning: With the --brute flag, the tool can simulate bypassing validation checks, helping to identify endpoints vulnerable to specific data-format-based validation logic. 

Sensitive Data Exposure: Reviews successful responses for exposure of sensitive data—such as PII, credentials, or internal records. Endpoints returning such data without proper authentication are included in the output report. 

Security Insights

Publicly exposing API documentation expands the attack surface. Unless essential for business, it is advised not to reveal API docs. Regular API security scanning should be performed after every development iteration to mitigate risks.

Autoswagger is freely available on GitHub, making it an accessible resource for security teams looking to automate API authorization testing and harden their defenses against common vulnerabilities.
Read more »
Shadow AI
AI Deepfakes AI threats Cyber Security cybercriminals Cybersecurity measures IABs Open Source Ransomwares Shadow AI

Emerging Cybersecurity Threats in 2025: Shadow AI, Deepfakes, and Open-Source Risks

 

Cybersecurity continues to be a growing concern as organizations worldwide face an increasing number of sophisticated attacks. In early 2024, businesses encountered an alarming 1,308 cyberattacks per week—a sharp 28% rise from the previous year. This surge highlights the rapid evolution of cyber threats and the pressing need for stronger security strategies. As technology advances, cybercriminals are leveraging artificial intelligence, exploiting open-source vulnerabilities, and using advanced deception techniques to bypass security measures. 

One of the biggest cybersecurity risks in 2025 is ransomware, which remains a persistent and highly disruptive threat. Attackers use this method to encrypt critical data, demanding payment for its release. Many cybercriminals now employ double extortion tactics, where they not only lock an organization’s files but also threaten to leak sensitive information if their demands are not met. These attacks can cripple businesses, leading to financial losses and reputational damage. The growing sophistication of ransomware groups makes it imperative for companies to enhance their defensive measures, implement regular backups, and invest in proactive threat detection systems. 

Another significant concern is the rise of Initial Access Brokers (IABs), cybercriminals who specialize in selling stolen credentials to hackers. By gaining unauthorized access to corporate systems, these brokers enable large-scale cyberattacks, making it easier for threat actors to infiltrate networks. This trend has made stolen login credentials a valuable commodity on the dark web, increasing the risk of data breaches and financial fraud. Organizations must prioritize multi-factor authentication and continuous monitoring to mitigate these risks. 

A new and rapidly growing cybersecurity challenge is the use of unauthorized artificial intelligence tools, often referred to as Shadow AI. Employees frequently adopt AI-driven applications without proper security oversight, leading to potential data leaks and vulnerabilities. In some cases, AI-powered bots have unintentionally exposed sensitive financial information due to default settings that lack robust security measures. 

As AI becomes more integrated into workplaces, businesses must establish clear policies to regulate its use and ensure proper safeguards are in place. Deepfake technology has also emerged as a major cybersecurity threat. Cybercriminals are using AI-generated deepfake videos and audio recordings to impersonate high-ranking officials and deceive employees into transferring funds or sharing confidential data. 

A recent incident involved a Hong Kong-based company losing $25 million after an employee fell victim to a deepfake video call that convincingly mimicked their CFO. This alarming development underscores the need for advanced fraud detection systems and enhanced verification protocols to prevent such scams. Open-source software vulnerabilities are another critical concern. Many businesses and government institutions rely on open-source platforms, but these systems are increasingly being targeted by attackers. Cybercriminals have infiltrated open-source projects, gaining the trust of developers before injecting malicious code. 

A notable case involved a widely used Linux tool where a contributor inserted a backdoor after gradually establishing credibility within the project. If not for a vigilant security expert, the backdoor could have remained undetected, potentially compromising millions of systems. This incident highlights the importance of stricter security audits and increased funding for open-source security initiatives. 

To address these emerging threats, organizations and governments must take proactive measures. Strengthening regulatory frameworks, investing in AI-driven threat detection, and enhancing collaboration between cybersecurity experts and policymakers will be crucial in mitigating risks. The cybersecurity landscape is evolving at an unprecedented pace, and without a proactive approach, businesses and individuals alike will remain vulnerable to increasingly sophisticated attacks.
Read more »
Supply Chain
Archive Cyber Security Open Source PyPI Supply Chain

PyPI's New Archival Feature Addresses a Major Security Flaw

 

The Python Package Index (PyPI) has informed users that no modifications are expected with the launch of "Project Archival," a new method that enables publishers to archive their projects. To assist users in making informed decisions regarding their dependencies, users will still be able to download the projects from PyPI, but they will be alerted of the maintenance status. 

The new tool aims to strengthen supply-chain security, as hacking developer accounts and sending malicious updates to widely used but abandoned projects is a typical occurrence in the open-source community. In addition to minimising user risk, it lowers support requests by guaranteeing clear communication of the project's lifecycle state. 

Project archiving modus operandi 

According to a detailed blog post by TrailofBits, the developer of PyPI's new project archival system, the feature includes a maintainer-controlled status that enables project owners to declare their projects as archived, informing users that there will be no more updates, patches, or maintenance. 

Although it is not mandatory, PyPI advises maintainers to publish a final version prior to project archiving in order to provide information and justifications for the decision. If the maintainers decide to pick up where they left off, they can unarchive their project whenever they like. 

Under the hood, the new system employs a LifecycleStatus model, which was initially designed for project quarantine and includes a state machine that allows for modifications between different states. 

When the project owner selects the 'Archive Project' option on the PyPI settings page, the platform automatically updates the metadata to reflect the new state. According to TrailofBits, there are plans to add other project statuses such as 'deprecated,' 'feature-complete,' and 'unmaintained,' giving users a better understanding of the project's status. 

The purpose of the warning banner is to alert developers to the need of identifying actively maintained alternative dependencies rather than sticking with out-of-date and potentially insecure projects. In addition, cybercriminals frequently target abandoned packages, taking over unmaintained projects and injecting malicious code via an update that may arrive many years after the last one. 

When deciding to halt work, maintainers sometimes decide to delete their projects, which might result in situations like "Revival Hijack" attacks. From a security standpoint, it is more preferable to provide those maintainers the option to archive. 

Ultimately, a lot of open-source projects are abruptly discontinued, leaving consumers to wonder if they are still being maintained. The new system eliminates uncertainty and gives a clear indication of a project's state, which should increase transparency in open-source project management.
Read more »
Open Source System
Cyber Security Data Encryption data security database enterprise cybersecurity Enterprise security Open Source Open Source System

Why Enterprise Editions of Open Source Databases Are Essential for Large Organizations


With the digital age ushering in massive data flows into organizational systems daily, the real value of this data lies in its ability to generate critical insights and predictions, enhancing productivity and ROI. To harness these benefits, data must be efficiently stored and managed in databases that allow easy access, modification, and organization. 

Open-source databases present an attractive option due to their flexibility, cost savings, and strong community support. They allow users to modify the source code, enabling custom solutions tailored to specific needs. Moreover, their lack of licensing fees makes them accessible to organizations of all sizes. Popular community versions like MySQL, PostgreSQL, and MongoDB offer zero-cost entry and extensive support. 

However, enterprise editions often provide more comprehensive solutions for businesses with critical needs.  Enterprise editions are generally preferred over community versions for several reasons in an enterprise setting. A significant advantage of enterprise editions is the professional support they offer. Unlike community versions, which rely on forums and public documentation, enterprise editions provide dedicated, around-the-clock technical support. This immediate support is vital for enterprises that need quick resolutions to minimize downtime and ensure business continuity and compliance. 

Security is another critical aspect for enterprises. Enterprise editions of open-source databases typically include advanced security features not available in community versions. These features may encompass advanced authentication methods, data encryption, auditing capabilities, and more granular access controls. As cyber threats evolve, these robust security measures are crucial for protecting sensitive data and ensuring compliance with industry standards and regulations. Performance optimization and scalability are also key advantages of enterprise editions. They often come with tools and features designed to handle large-scale operations efficiently, significantly improving database performance through faster query processing and better resource management. 

For businesses experiencing rapid growth or high transaction volumes, seamless scalability is essential. Features such as automated backups, performance monitoring dashboards, and user-friendly management interfaces ensure smooth database operations and prompt issue resolution. Long-term stability and support are crucial for enterprises needing reliable database systems. Community versions often have rapid release cycles, leading to stability issues and outdated versions. 

In contrast, enterprise editions offer long-term support (LTS) versions, ensuring ongoing updates and stability without frequent major upgrades. Vendors offering enterprise editions frequently provide tailored solutions to meet specific client needs. This customization can include optimizing databases for particular workloads, integrating with existing systems, and developing new features on request. Such tailored solutions ensure databases align perfectly with business operations. 

While community versions of open-source databases are great for small to medium-sized businesses or non-critical applications, enterprise editions provide enhanced features and services essential for larger organizations. With superior support, advanced security, performance optimizations, comprehensive management tools, and tailored solutions, enterprise editions ensure that businesses can rely on their databases to support their operations effectively and securely. For enterprises where data integrity, performance, and security are paramount, opting for enterprise editions is a wise decision.
Read more »
Python-based Malware
Cyber Attacks Cyber Security Threats data security GitHub Open Source Python-based Malware

GitHub Under Siege: Unraveling the Ongoing Automated Attack on Open-Source Repositories

 

GitHub, a cornerstone for programmers worldwide, faces a severe threat as an unknown attacker deploys an automated assault, cloning and creating malicious code repositories. The attack, involving sophisticated obfuscation and social engineering, poses a significant challenge to GitHub's security infrastructure. 

An assailant employs an automated process to fork and clone existing repositories, concealing malicious code under seven layers of obfuscation. These rogue repositories closely mimic legitimate ones, contributing to the challenge of detection. Developers unknowingly forking affected repos unintentionally amplify the attack. 

Once a developer utilizes a compromised repository, a hidden payload begins unpacking layers of obfuscation, revealing malicious Python code and a binary executable. The code then initiates the collection of confidential data and login details, which are subsequently uploaded to a control server. Security provider Apiiro's research and data teams report a substantial surge in the attack since its inception in May of the previous year. 

While GitHub diligently removes affected repositories, its automation detection system struggles to catch all instances. With millions of uploaded or forked repositories, even a 1% miss-rate translates to potentially thousands of compromised repos still operational. Initially modest in scale, the attack has grown in size and sophistication, presenting challenges for GitHub's security measures. 

Researchers attribute the operation's success to GitHub's vast user base and the increasing complexity of the attack technique. The attack's intrigue lies in the fusion of sophisticated automated methods and exploiting simple human nature. While obfuscation techniques become more intricate, the attackers heavily rely on social engineering to confuse developers, compelling them to select the malicious code. 

This unintentional spread exacerbates the attack's impact and heightens the difficulty of detection. As of now, GitHub has not issued a direct comment on the ongoing attack. However, the platform released a general statement reassuring users of its commitment to security. The platform employs manual reviews, at-scale detection utilizing machine learning, and continuously evolves to counter adversarial attacks. 

GitHub's popularity as a vital resource for developers globally has inadvertently made it a target. The platform's open-source nature and extensive user base create vulnerabilities that attackers exploit. Resolving the issue entirely proves to be an uphill battle, with GitHub still grappling with the effectiveness of the assailant's methods. 

GitHub, a linchpin for the global programming community, faces a formidable challenge as an automated attack exploits its open-source framework and vast user base. The ongoing assault, characterized by sophisticated obfuscation and social engineering, underscores the complexities of securing such a widely used platform. GitHub's response and adaptation will be crucial in mitigating the impact and fortifying defenses against evolving cyber threats.
Read more »
Sensitive data
Data Breach DDOS Attacks Digital Age Malicious actor Open Source Sensitive data

Blender's Battle: Triumph Over DDoS Adversity

Open-source projects are now the foundation of innovation in a world where digital infrastructure is becoming more and more important. Even these groups, though, appear to be vulnerable to the constant threat of cyberattacks. The Blender Project was recently the target of Distributed Denial of Service (DDoS) assaults, which serve as a sobering reminder of the difficulties facing open-source endeavors in the digital age.

Blender, a versatile and powerful 3D creation suite, found itself in the crosshairs of a major DDoS attack, temporarily knocking its servers offline. The assault disrupted services, leaving users unable to access crucial resources. However, the Blender community, known for its resilience and collaborative spirit, swiftly rallied to address the challenge head-on.

The attack's origins remain shrouded in mystery, but the Blender Foundation acknowledged the incident through an official statement. They detailed the ongoing efforts to mitigate the impact and restore normalcy. Open source projects often operate on limited resources, making them susceptible targets for malicious actors. Despite this vulnerability, Blender's response underscores the dedication and determination of the open-source community to safeguard its assets.

Blender's official website (blender.org) became a focal point for concerned users seeking updates on the situation. The Blender Foundation utilized its communication channels to keep the community informed, ensuring transparency during the crisis. Users were encouraged to stay vigilant and patient as the team worked diligently to resolve the issue.

TechRadar reported on the severity of the attack, emphasizing the temporary unavailability of Blender's servers. The Verge also covered the incident, shedding light on the disruptive nature of DDoS attacks and their potential ramifications for widely-used platforms. Such incidents serve as a stark reminder of the importance of cybersecurity for digital infrastructure.

Despite the challenges posed by the DDoS onslaught, the Blender community's commitment to open-source principles emerged as a beacon of hope. The Blender Foundation's response exemplifies the resilience ingrained in collaborative endeavors. This incident reinforces the need for continued vigilance and proactive security measures within the open-source ecosystem.

As Blender emerges from this cyber crisis, it stands not only as a symbol of resilience but also as a reminder of the collective strength that open-source projects embody. The challenges posed by DDoS attacks have sparked a renewed commitment to fortifying the digital defenses of open-source initiatives. The Blender community's ability to weather this storm reflects the collaborative spirit that defines the open-source landscape, leaving us hopeful for a future where innovation can thrive securely in the digital realm.

Read more »
User Security
Application Cyber Security Open Source Open Source Software Security threats User Privacy User Security

Securing Open Source: A Comprehensive Guide

Open-source software has become the backbone of many modern applications, providing cost-effective solutions and fostering collaborative development. However, the open nature of these projects can sometimes raise security concerns. Balancing the benefits of open source with the need for robust security measures is crucial for organizations leveraging these resources.

In a comprehensive guide by CIO.com, strategies are outlined to ensure organizations get the most out of open source without compromising security. The emphasizes on the importance of proactive measures, such as regular security assessments, vulnerability monitoring, and code analysis. By staying informed about potential risks, organizations can mitigate security threats effectively.

One key aspect highlighted in the guide is the need for a well-defined open-source governance policy. This involves establishing clear guidelines for selecting, managing, and monitoring open-source components. Organizations can reduce the likelihood of introducing vulnerabilities into their systems by implementing a structured approach to open-source usage.

Snyk, a leading security platform, contributes to the conversation by emphasizing the significance of managing open-source components. Their series on open-source security delves into the intricacies of handling these components effectively. The importance of continuous monitoring, regular updates, and patch management to address vulnerabilities promptly.

Furthermore, the guide points out the value of collaboration between development and security teams. This interdisciplinary approach ensures that security considerations are integrated into the development lifecycle. By fostering communication and shared responsibility, organizations can build a culture where security is not an afterthought but an integral part of the development process.

Drift offers a unique perspective on enhancing security through intelligent communication to complement these insights. Their platform enables organizations to streamline interactions, facilitating quick responses to potential security incidents. In a landscape where rapid communication is key, tools like Drift can enhance incident response times, minimizing the impact of security breaches.

It takes careful balance to maximize the benefits of open source while upholding strict security guidelines. The tools offered by Drift, Snyk, and CIO.com address this issue comprehensively. Organizations can optimize the advantages of open source without compromising security by implementing proactive security measures, clearly establishing governance standards, and encouraging team cooperation.






Read more »
Windows-Based Devices
CSA Cyber Security Cybersecurity Logging Tool Open Source Resource-Poor Organizations Windows-Based Devices

CISA Unveils Logging Tool to Aid Resource-Scarce Organizations

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has introduced a security tool named "Logging Made Easy" with the aim of assisting organizations, particularly those with limited resources, in safeguarding their Windows-based devices and sensitive information.

This tool, provided as an open-source log management solution, is available free of charge to both public and private sector entities. It serves to proactively monitor potential threats, conduct retrospective investigations, and offer guidance for remedial actions in the event of a cyber incident. CISA's decision to relaunch and widen the availability of this tool comes after its initial development and upkeep by the United Kingdom's National Cyber Security Centre.

Chad Polan, the product manager for cyber shared services at CISA, emphasized the agency's objective to promote the implementation of cybersecurity measures that are demonstrably effective. This includes furnishing cybersecurity capabilities and services to bridge existing gaps. He highlighted the tool's relevance for organizations with substantial data holdings but limited resources to shield against cyberattacks.

The updated version of Logging Made Easy serves as a ready-to-use log management solution for organizations that previously utilized the service under the auspices of the U.K.’s National Cyber Security Centre. CISA is also extending access to new users seeking an accessible logging tool.

The service offers clear-cut installation instructions and can be seamlessly integrated into various logging and protective monitoring strategies. It incorporates preconfigured security detection rules to expedite responses to cyber incidents. Additionally, it includes coding designed to lower financial barriers for organizations aiming to implement fundamental logging and monitoring capabilities.

Lindy Cameron, CEO of the NCSC, commended the tool's track record, stating that it has "undeniably delivered results" and supported numerous defenders in safeguarding their networks.

CISA Director Jen Easterly underscored that this new service offering aligns with the agency's commitment to aiding resource-constrained organizations with limited defenses against cyber threats.

At present, the tool exclusively covers Windows-based devices. However, CISA has expressed openness to considering the potential expansion of the service to encompass additional operating systems in the future.
Read more »
Phishing Attacks
AI Tool Algorithm Artificial Intelligence FBI malware Open Source OpenAI Phishing Attacks

FBI Alerts: Hackers Exploit AI for Advanced Attacks

The Federal Bureau of Investigation (FBI) has recently warned against the increasing use of artificial intelligence (AI) in cyberattacks. The FBI asserts that hackers are increasingly using AI-powered tools to create sophisticated and more harmful malware, which makes cyber defense more difficult.

According to sources, the FBI is concerned that malicious actors are harnessing the capabilities of AI to bolster their attacks. The ease of access to open-source AI programs has provided hackers with a potent arsenal to devise and deploy attacks with greater efficacy. The agency's spokesperson noted, "AI-driven cyberattacks represent a concerning evolution in the tactics employed by malicious actors. The utilization of AI can significantly amplify the impact of their attacks."

Cybercriminals now have much easier access to the market thanks to AI and hacking tactics. It used to take a lot of knowledge and time to create complex malware, which restricted the range of assaults. Even less experienced hackers may now produce effective and evasive malware thanks to integrating AI algorithms with malware development.

The FBI's suspicions are supported by instances showing AI-assisted hacks' disruptive potential. protection researchers have noted that malware can quickly and automatically adapt thanks to AI, making it difficult for conventional protection measures to stay up. Because AI can learn and adapt in real time, hackers can design malware that can avoid detection by changing its behavior in response to changing security procedures.

The usage of AI-generated deepfake content, which may be exploited for sophisticated phishing attempts, raises even more concerns. These assaults sometimes include impersonating reliable people or organizations, increasing the possibility that targets may be compromised.

Cybersecurity professionals underline the need to modify defensive methods as the threat landscape changes. Cybersecurity expert: "The use of AI in cyberattacks necessitates a parallel development of AI-driven defense mechanisms." To combat the increasing danger, AI-powered security systems that can analyze patterns, find abnormalities, and react in real time are becoming essential.

Although AI has enormous potential to positively revolutionize industries, because of its dual-use nature, caution must be taken to prevent malevolent implementations. The partnership between law enforcement, cybersecurity companies, and technology specialists becomes essential in order to keep one step ahead of hackers as the FBI underscores the growing threat of AI-powered attacks.
Read more »
User Privacy
Malicious actor malware Open Source Tor Browser Trojan Attacks Trojanized Apps User Privacy

Trojanized Tor Browser Bundle Drops Malware

 

Cybersecurity experts are warning about a new threat in the form of trojanized Tor browser installers. The Tor browser is a popular tool used by individuals to browse the internet anonymously. However, cybercriminals have been able to create fake versions of the Tor browser that are infected with malware.

Recent reports suggest that cybercriminals have been distributing a trojanized version of the Tor browser, which installs cryptocurrency-stealing malware onto the victim's device. The malware is designed to steal the victim's crypto wallet keys and passwords, allowing the attacker to transfer funds out of the victim's account. This malware has been specifically targeting Russian-speaking users, distributed through a Russian-speaking forum.

As cybersecurity expert Kevin O'Brien stated in an interview with SC Magazine, "the security industry has been playing whack-a-mole with Tor-based attacks for years." He recommends that individuals only download the Tor browser from the official website and avoid downloading it from third-party sources.

The trojanized Tor browser installers are just one example of how cybercriminals constantly evolve their tactics to stay ahead of cybersecurity measures. Individuals and organizations need to remain vigilant, stay informed about the latest threats, and take the necessary precautions to protect themselves from these attacks. Regularly assessing the security posture, running security awareness campaigns, and ensuring that the right security technologies are in place to detect, prevent, and respond to attacks are important measures to take.

Organizations should educate their employees on how to spot fake versions of the Tor browser and other similar tools. They should encourage the use of official versions from trusted sources. In the words of the team at DarkReading, "It's always better to be proactive than reactive." Taking proactive measures can help individuals and organizations stay protected from cyber attacks.

The installers for the Tor browser that have been tampered with by cybercriminals are just one of the many methods they use to prey on unwary people and businesses. Individuals and organizations can better defend themselves against these attacks by remaining informed about the most recent risks and implementing preventative actions.

Read more »
Supply Chain
Cyber Security Data Open Source Safety Supply Chain

Open Source Software has Advantages, but Supply Chain Risks Should not be Overlooked

 

While app development is faster and easier, security remains a concern. In an era of continuous integration and deployment, DevOps, and daily software updates, open-source components are becoming increasingly important in the software development scene.

In a report released last year, silicon design automation firm Synopsys discovered that 97 percent of codebases in 2021 contained open source and that open source software (OSS) was present in 100 percent of audited codebases in four of 17 industries studied - computer hardware and chips, cybersecurity, energy, and clean tech, and the Internet of Things (IoT). The other verticals had at least 93 percent open source. It can contribute to increased efficiency, cost savings, and developer productivity.

"Open source really is everywhere," Fred Bals, senior technical writer at Synopsys, wrote in a blog post about the report.

However, the increasing use of open-source packages in application development opens the door for threat groups to use the software supply chain as a backdoor to a plethora of targets that rely on it.

Due to the widespread use of OSS packaging in development, many enterprises have no idea what is in their software. With so many different hands involved, it's difficult to know what's going on in the software supply chain. According to a VMware report from last year, concerns about OSS included the need to rely on a community to patch vulnerabilities, as well as the security risks that entails.

Varun Badhwar, co-founder and CEO of Endor Labs – a startup working to secure OSS in app development – called it "the backbone of our critical infrastructure." But he added that developers and executives are often surprised by how much of their applications' code comes from OSS.

According to Badhwar, 95 percent of all vulnerabilities are found in "transitive dependencies," which are open source code packages that are pulled into projects rather than being chosen by developers.

"This is a huge arena, yet it's been largely overlooked," he warned.

Growing awareness of the threat

The use of open source software is not a new trend. According to Brian Fox, co-founder and CTO of software supply chain management vendor Sonatype and a member of the OpenSSF (Open Source Security Foundation) governing board, developers have been doing it for a dozen years or more.

According to Fox, developers assemble the source components and add business logic. As a result, open source becomes the software's foundation.

What has changed in recent years is the general awareness of it, not just among well-intentioned developers who are creating software from these disparate parts.

"The attackers have figured this out as well," he said. "A big notable change over the last five or so years has been the rise of intentional malware attacks on the supply chain."

This was highlighted by the SolarWinds breach in 2020, in which miscreants linked to Russia broke into the company's software system and inserted malicious code. Customers who downloaded and installed the code unknowingly during the update process were then compromised. Similar attacks followed, notably against Kaseya and Log4j.

Obtaining the image using Log4j

According to Fox, the Java-based logging tool is an example of the massive risk consolidation that comes with the widespread use of popular software components.

"It's a simple component way down [in the software] and it was so popular you can basically stipulate it exists in every Java application – and you would be right 99.99 percent of the time," he said. "As an attacker … you're going to focus on those types of things. If you can figure out how to exploit it, it makes it possible to 'spray and pray' across the internet – as opposed to in the '90s, when you had to sit down and figure out how to break each bespoke web application because they all had custom code."

Enterprises have "effectively outsourced 90 percent of your development to people you don't know and can't trust. When I put it that way, it sounds scary, but that's what's been happening for ten years. We're just now grappling with the implications of it."

Log4j also brought to light another issue in the software supply chain, awakening many to how reliant they are on OSS. Despite this, an estimated 29 percent of Log4j downloads are still of the vulnerable versions.

According to Sonatype analysis, the majority of the time a company uses a vulnerable version of any component, a fixed version of the component is available - but they don't use it. This indicates a need for more education. according to Fox. "96 percent of the problem is people keep taking the tainted food off the shelf instead of taking a cleaned-up one."

Concentrating on the repositories

Another OSS-related threat is the injection of malware into package repositories such as GitHub, Python Package Index (PyPI), and NPM. Cybercriminals are using dependency confusion and other techniques to create malicious versions of popular code in order to trick developers into including the code in their software.

They may use an underscore instead of a dash in their code to confuse developers into selecting the incorrect component.

"The challenge with this is that the attack happens as soon as the developer downloads that component and these downloads happen by the tools," Fox said. "It's not like they're literally going to a browser and downloading it like the old days, but they're putting it into their tool and it happens behind the scenes and it might execute this malware.

"The sophistication of the attacks is low and these malware components don't even often pretend to be a legitimate components. They don't compile. They're not going to run the test. All they do is deliver the payload. It's like a smash-and-grab."

Defenses are being strengthened.

Despite the security risks associated with OSS, there are benefits to using it. According to Fox, it is more visible and transparent than commercial software. He cited the response to the Log4j vulnerabilities: the Log4j team produced a fix in a matter of days, which commercial organizations were unlikely to be able to do.

Mike Parkin, the senior technical engineer at Vulcan Cyber, agreed that having more eyes on the code through open source can help mitigate cyber threats, but it also makes it easier for potential attackers.

That said, "historically the tradeoff has usually favored the open source developers," Parkin told The Register.

The SolarWinds attack highlighted the importance of software supply chain security. Building on US President Biden's 2021 Cybersecurity Executive Order, the White House ordered [PDF] federal agencies in September 2022 to follow NIST guidelines when using third-party software, including self-attestation and software bills of materials (SBOMs) by software vendors.

Vendors are working on a variety of initiatives to strengthen the security of the software supply chain. These include the rise of multi-vendor frameworks such as the Open Software Supply Chain Attack Reference, tools such as the Vulnerability Exploitability Exchange (VEX), and other cybersecurity vendor products.

Still, Sonatype's Fox would like to see other steps taken, such as requiring software manufacturers to recall defective software components. They are currently designed to create an SBOM. Fox compared it to car manufacturers only having to provide buyers with a list of vehicle parts, which can then be stuffed into a glove box and forgotten about, with no obligation to recall the vehicle if any of those parts are faulty.

"What we really need is something to basically mandate that they can do a recall, because that implies that they know all the parts and where they ship them and which versions of the applications have which open source dependencies, but it also means they're actually managing it and looking out for that," he said. "That drives you towards that proper behavior."

Fox wishes to concentrate on the actual maintenance of the OSS packages. Governments are moving in that direction, he said, noting that the EU's Cyber Resilience Act mentions the need for recalls, albeit without using the exact words. According to Fox, the Biden administration may be warming up to the idea.

He is also considering component-level firewalls, which work similarly to packet-level firewalls in that they can inspect network traffic and block malicious traffic before an attack can begin. Similarly, a component-level firewall could prevent malicious code from infiltrating the software.

"If you don't even know what's in your software to start with, you probably have no visibility into what's going on with the malware, which is almost a worse problem because it's not just the vulnerability that's latent, waiting for somebody to exploit," he said. "It's causing harm the moment you touch it. Not enough people are really getting their head around that part of the problem either."

The Nexus Firewall, which Fox said was inspired by credit card fraud protection, was built into Sonatype's platform. The firewall recognizes normal behavior and can detect abnormal behavior using artificial intelligence and machine learning techniques. More than 108,000 malicious attack attempts were detected by the firewall in 2022.

"So many organizations don't even know that this is a problem," he said. "It's where the game is happening right now and the attackers are kind of having a field day, unfortunately."

It is necessary to have both SBOM and firewall-like capabilities.

"Yes, you need to know where all those parts are, so when the next Log4j happens, you can remediate it immediately and not have to start triaging thousands of applications," Fox argued. "But that's not going to stop these malicious attacks. You also need to be perfect protecting the factory."


Read more »
Subscribe to: Posts (Atom)