Social engineering takeover attacks are on the rise

OpenSSF and the OpenJS Foundation (home to JavaScript projects used by billions of websites worldwide) are alerting open-source project maintainers of social engineering takeover attacks, following new attack attempts they’ve witnessed similar to the XZ Utils incident.

The OpenJS Cross Project Council received suspicious emails, imploring OpenJS to update one of its popular JavaScript projects to address critical vulnerabilities, but cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears a strong resemblance to how "Jia Tan" positioned itself in the XZ/liblzma backdoor.

OpenJS also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation and immediately flagged the potential security concerns to respective OpenJS leaders and CISA.

Social engineering takeover attacks pose a major risk to the open-source software community

Chris Hughes - chief security advisor at open source security company, Endor Labs and Cyber Innovation Fellow at CISA, where he focuses on supply chain security - says these attack attempts are not surprising, but they do raise awareness of bigger OSS security issues.

He said: "It is not surprising at all to hear about these increased social engineering takeover attempts. These will increase with the recent xz utilities example providing insight to malicious actors on how to conduct this attack. Additionally, we can likely suspect that many of these are already underway and may have already been successful but haven’t been exposed or identified yet. Most open source projects are incredibly underfunded and run by a single or small group of maintainers, so utilizing social engineering attacks on them isn’t surprising and given how vulnerable the ecosystem is and the pressures maintainers are under, they will likely welcome the help in many cases. If done well by the attackers, it may be difficult for the maintainers to determine which involvement is from those interested in collaborating and contributing to projects versus those with malicious intent. 

"This poses a massive risk to the open source and software community at large. It is estimated that 25% of all OSS projects have a single maintainer and 94% have less than 10. This means many projects are likely in need of help, so attackers can capitalize on the psychological and social aspects of maintainers to compromise legitimate packages and projects. It is also difficult to determine when attackers have been successful and inject malicious code into the projects or components without rigorous examination in many cases. Most organizations are not performing this level of due diligence on the components and projects they use and integrate into their software, not to mention lack transparency into what components their product vendors have integrated into products and which components may be compromised or vulnerable to these types of attacks.

"OpenSSF makes some solid recommendations - both technical such as MFA and password management and authentication - and also related to social risks, such as knowing your committers and maintainers. However, it is common for folks to operate with pseudonyms and taglines, rather than real names, and anyone can quickly create accounts and contribute or develop code, so it can be hard to distinguish malicious actors from legitimate OSS contributors and enthusiasts. This is especially true in cases where they play a long game and perform legitimate code contributions and activity over a long period of time to build a reputation and social capital to make their malicious activities harder to identify when they do carry them out.

"This raises awareness of the larger issue of how opaque the OSS ecosystem is. Components and projects that run the entire modern digital infrastructure are often maintained by unknown aliases and individuals scattered around the globe. Furthermore, many OSS projects are maintained by a single individual or small group of individuals – often in their spare time as a hobby or passion project and typically without any sort of compensation.

"This makes the entire ecosystem vulnerable to malicious actors preying on these realities and taking advantage of overwhelmed maintainers with a community making demands of them with no actual compensation in exchange for their hard work and commitment to maintaining code the world depends on."