Dangerous new trend in open source vulnerability

By Marilyn de Villiers
Johannesburg, 04 Oct 2018
Hackers are exploiting open source components by injecting vulnerabilities directly into them.

A new report from Sonatype, an enterprise software company focused on software supply chain management, has identified a dangerous new trend: hackers are capitalising on the popularity of open source by injecting vulnerabilities directly into open source components and container images, rather than waiting for flaws to appear on their own.

The research was released last week.

Exploits of vulnerable open source components are increasing. In Sonatype's 2018 DevSecOps Community Survey, which captured input from over 2 000 IT professionals, nearly a third of respondents said their organisation had suffered a breach stemming from the use of vulnerable open source components.

The new report, published as the State of the Software Supply Chain Report, draws on that survey alongside Sonatype's own analysis of component downloads and repository contents.

According to Sonatype, IT leaders are under immense pressure to accelerate the pace of software innovation and are bringing 'armies' of software developers on board, who are consuming 'unprecedented amounts of open source components', to the tune of 300 billion component downloads over the past year.

A significant share of those components carry known security vulnerabilities. For example, 10% of the 3.5 million Java components in the Central Repository contained at least one known vulnerability, and Sonatype researchers identified over 3 million vulnerabilities in total across those components. A single vulnerable component is pulled into every application that depends on it, directly or transitively, so one flaw in a popular library is multiplied across thousands of deployments.

The Central Repository, also known as Maven Central, is the largest repository for Java software components and is operated by Sonatype.

Immediate attacks

One reason hackers inject vulnerabilities directly into open source project releases and container images is that they know the flaw is there before anyone else does: they can launch an attack almost as soon as the compromised component is deployed into production, with no public disclosure to alert defenders.

Sonatype says this 'dangerous new trend' has emerged over the past 18 months and changes the nature of attacks on the software supply chain.

"This shifts adversary behaviour from a wait-then-prey to a design-in-then-exploit style of attack," the report explains.

Sonatype links this trend to a dramatic decline in the time hackers need to exploit a newly disclosed open source vulnerability: from 45 days to just three, a compression of 93.5%. Defenders no longer have weeks to patch after a disclosure.

"This harsh reality establishes a new normal for software supply chain management and demands that organisations are prepared to do three things within 48 hours of a new public disclosure: assess which, if any, of their production applications are exploitable, establish a comprehensive plan to remediate potential exposure, and implement necessary fixes in production," the report adds.
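The first of those three steps, working out which production applications consume the affected component, is mechanical once an inventory of each application's resolved dependencies exists (the same Maven-style group:artifact:version coordinates the Central Repository uses). The script below is an added example, not code from Sonatype or from the report; the advisory, the component coordinates and the application inventories are constructed for illustration and do not refer to any real vulnerability. It compares versions with a simplified comparator that handles numeric segments and common pre-release qualifiers only; Maven's own ordering (ComparableVersion) is more elaborate, and a real triage should use it or the advisory's exact affected-version list.

```python
"""Triage which applications consume a newly disclosed vulnerable component.

Added example, not Sonatype's tooling. All inputs below are constructed.
"""
import re

# Constructed advisory for a hypothetical component (not a real CVE).
ADVISORY = {
    "group": "org.example.webkit",
    "artifact": "webkit-core",
    "affected": ">=2.3.0,<2.3.5",   # half-open range of affected versions
    "fixed": "2.3.5",
}

# Constructed per-application dependency inventories, as an SBOM export or
# `mvn dependency:list` would give you. Application and component names are
# hypothetical. Include transitive dependencies or you will miss hits.
INVENTORY = {
    "billing-api": ["org.example.webkit:webkit-core:2.3.2",
                    "org.apache.commons:commons-lang3:3.8"],
    "auth-gateway": ["org.example.webkit:webkit-core:2.3.5"],
    "reporting": ["org.example.webkit:webkit-core:2.2.9-SNAPSHOT",
                  "org.example.webkit:webkit-core:2.4.0"],
    "legacy-portal": ["org.example.webkit:webkit-core:2.3.4.RELEASE"],
}

PRE_RELEASE = {"SNAPSHOT", "ALPHA", "BETA"}


def parse_version(version):
    """Return a sortable key: (numeric segments padded to 3, release rank).

    Pre-release qualifiers (SNAPSHOT, ALPHA, BETA, RCn, Mn) rank below the
    release of the same number; any other qualifier (e.g. RELEASE) is a release.
    """
    nums, qualifier = [], ""
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part.upper()
            break
    while len(nums) < 3:          # 2.3 sorts as 2.3.0, as Maven does
        nums.append(0)
    is_pre = (qualifier in PRE_RELEASE or qualifier.startswith("RC")
              or re.fullmatch(r"M\d*", qualifier) is not None)
    return tuple(nums), 0 if is_pre else 1


OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
       "==": lambda a, b: a == b}


def in_range(version, spec):
    """True if `version` satisfies every comma-separated constraint in `spec`."""
    key = parse_version(version)
    for constraint in spec.split(","):
        m = re.fullmatch(r"(>=|<=|==|>|<)\s*(\S+)", constraint.strip())
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.groups()
        if not OPS[op](key, parse_version(bound)):
            return False
    return True


def triage(inventory, advisory):
    """Map each application to the coordinates it uses that fall in the affected range."""
    hits = {}
    for app, deps in inventory.items():
        for coord in deps:
            group, artifact, version = coord.split(":")
            if (group == advisory["group"] and artifact == advisory["artifact"]
                    and in_range(version, advisory["affected"])):
                hits.setdefault(app, []).append(coord)
    return hits


def remediation_plan(hits, advisory):
    """List (app, vulnerable coordinate, coordinate to upgrade to) for every hit."""
    target = f"{advisory['group']}:{advisory['artifact']}:{advisory['fixed']}"
    return [(app, coord, target) for app, coords in hits.items() for coord in coords]


if __name__ == "__main__":
    for app, coord, target in remediation_plan(triage(INVENTORY, ADVISORY), ADVISORY):
        print(f"{app}: {coord} -> {target}")
```

On the constructed inventory this flags billing-api (2.3.2) and legacy-portal (2.3.4.RELEASE) and clears auth-gateway (already on the fixed version) and reporting (one version below the range, one above). Presence of an affected version is not the same as exploitability, which is the question the 48-hour deadline actually asks: the hit list is the starting point for checking whether the vulnerable code path is reachable in each application, not the end of the assessment.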

Mining crypto-currencies

The target of attacks is also shifting.

In the past, most successful breaches involved hackers taking control of applications and stealing data. That is lucrative but risky: the stolen data has to be sold, and finding a buyer increases the chance of being caught.

Now, according to the report, cyber criminals are increasingly turning their attention to crypto-currencies. Encouraged by the rising popularity and value of crypto-currencies, they are exploiting open source components to hijack computing resources and mine crypto-currency on the victim's infrastructure, an approach that needs no buyer at all.

By exploiting vulnerabilities in applications built with Apache Struts, including the same flaw (CVE-2017-5638) that led to the notorious Equifax breach, hackers are estimated to have walked away with at least $100 000 in crypto-currency.

Another example of crypto-mining was identified in December 2017: a sophisticated multi-stage attack that targeted internal networks using the EternalBlue and EternalSynergy exploits. EternalBlue is the exploit behind the WannaCry ransomware attacks, and here it was repurposed to spread miners rather than ransomware.