Fraud Management & Cybercrime , Social Engineering

After XZ Utils, More Open-Source Maintainers Under Attack

Fresh Social Engineering Attacks Resemble Tactics Used Against XZ Utils Maintainer
After XZ Utils, More Open-Source Maintainers Under Attack
A hacker nearly succeeded in inserting a backdoor into an open-source utility, sparking a search for similiar attempts. (Image: Shutterstock)

Major open-source software projects are warning that attempts at inserting backdoors throughout the open-source ecosystem could be rife after a hacker came within a hairsbreadth of succeeding with a low-key but widely used utility.

See Also: From Epidemic to Opportunity: Defend Against Authorized Transfer Scams

The OpenJS Foundation reports being recently targeted by a social engineering attack reminiscent of the malicious subversion of XZ Utils discovered last month. The foundation promotes and hosts 35 critical JavaScript projects - including Appium, Dojo, jQuery, Node.js and webpack - used by many of the world's websites and their billions of users.

Members of the OpenJS Foundation Cross Project Council recently "received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails," says a joint statement issued by the Open Source Security Foundation and the OpenJS Foundation.

"These emails implored OpenJS to take action to update one of its popular JavaScript projects to 'address any critical vulnerabilities,' yet cited no specifics," Robin Bender Ginn, executive director of the OpenJS Foundation, and Omkhar Arasaratnam, general manager of the Open Source Security Foundation, said in the statement. The goal of the attacks appears to be to secure maintainer rights for the senders, despite them "having little prior involvement."

While OpenJS gave them no such access, they said the attack attempt wasn't isolated, and members of OpenJS also spotted "a similar suspicious pattern in two other popular JavaScript projects" that the foundation doesn't host - and which it declined to name. After seeing the attempts, OpenJS "immediately flagged the potential security concerns to respective OpenJS leaders" and reported them to the U.S. Cybersecurity and Infrastructure Security Agency.

In a statement, CISA told Information Security Media Group: "We're going to refer back to OSSF for this inquiry."

The malicious attempts to gain maintainer rights to open-source projects mirror the recently discovered backdooring of XZ Utils, a set of open-source tools and libraries for the XZ compression format included in nearly every major Linux distribution.

An attacker maliciously inserted into liblzma library, a part of the XZ package, a sophisticated vulnerability now designated as CVE-2024-3094. The malicious code is designed to facilitate complete remote access to a system via SSHD, the OpenSSH server process, after which an attacker could likely run arbitrary code on the system and completely compromise it.

The vulnerability came to light March 29 thanks to Andres Freund, a Microsoft engineer, who found an SSH performance problem in a beta version of a Linux operating system and traced it to the backdoor. The malicious code was just weeks away from ending up in general releases of major Linux distributions, including Debian and Red Hat Linux.

"The level of sophistication of the XZ attack is very impressive," said Thomas Roccia, a senior security researcher at Microsoft who has published a visual summary of the multistage exploit.

Timing-wise, "we got really, really lucky," security expert Bruce Schneier said of Freund's fortuitous discovery.

The successful attack begs the question of how many open-source software projects haven't been so lucky. "I simply don't believe this was the only attempt to slip a backdoor into a critical piece of internet software, either closed source or open source," Schneier said (see: Russian State Hackers Penetrated Microsoft Code Repositories).

The XZ Utils backdooring appeared to be the result of a two-year, sophisticated and "patient" intelligence operation that targeted the individual maintaining XZ in his spare time, Lasse Collin, and "invested more resources into subverting him than anyone invested into his project," said the operational security expert known as The Grugq.

The backdoor code was added into XZ Utils by "Jia Tan," which investigators suspect was a persona created by attackers as they socially engineered Lasse into granting them the right to directly update the XZ codebase. Investigators have yet to attribute the attackers' identities.

All open-source projects should beware similar types of social engineering, the Open Source Security Foundation and the OpenJS Foundation warned.

"Together with the Linux Foundation, we want to raise awareness of this ongoing threat to all open-source maintainers," Ginn and Arasaratnam said.

As part of that effort, they're asking maintainers to be on the lookout for a lengthy list of "suspicious patterns." These include outreach by "relatively unknown members of the community" seeking "maintainer status," "friendly yet aggressive and persistent pursuit" of either the maintainer or the entity who hosts the project, and attempts to stoke "a false sense of urgency, especially if the implied urgency forces a maintainer to reduce the thoroughness of a review or bypass a control."

OpenSSF also detailed multiple best practices that open-source maintainers and project teams can follow to better repel social engineering attempts. These include using existing OpenSSF security guides, employing strong authentication to safeguard projects whenever possible and using coordinated vulnerability disclosure, among other steps.

But the "primary deterrent" against social engineers who attempt to subvert open-source software remains better supporting the individuals and teams who maintain the software, for which more much "global public investment" is required, said Ginn and Arasaratnam.

As examples to build on, they lauded the Linux Foundation and its associated foundations that already help to support code maintainers, including via projects such as Alpha-Omega, which is associated with the OpenSSF and funded by Amazon, Google and Microsoft.

They also pointed to the example set by Germany's Sovereign Tech Fund, via which the country's Federal Ministry for Economic Affairs and Climate Action finances critical open-source software projects, backed by accountability for how those resources are being used.

"Many projects in the JavaScript ecosystem are maintained by small teams or single developers who are overwhelmed by commercial companies who depend on these community-led projects yet contribute very little back," Ginn and Arasaratnam said. "To solve a problem of this scale, we need vast resources and public/private international coordination."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.in, you agree to our use of cookies.