The OpenSSF has detected social engineering attempts to gain control of open source projects


The XZ incident will undoubtedly leave a mark that is remembered for many years. As we mentioned at the time in one of the articles where we shared our follow-up of the incident, «the work done by Jia Tan is one of the best examples of applied social engineering», and it will be the basis for many other attempts and cases that will become known in the future.

This is something that developers, projects and foundations are all very clear about at this time, and yet, despite the great efforts and changes they are implementing, there are many packages and projects that lack personnel, and the maintainers they do have could fall into something similar to what happened with XZ.


These cases have already begun to occur, and the OpenSSF (Open Source Security Foundation, an entity created under the auspices of the Linux Foundation to improve the security of open source software) has already started to notice this type of activity: it recently issued a warning to the community about worrying activity related to attempts to take control of popular open source projects.

In an incident similar to the attack on xz, it was discovered that individuals previously unknown in open source development attempted to manipulate and take control of open source software projects. These individuals used social engineering methods to contact members of the governing council of the OpenJS Foundation, a neutral platform for developing JavaScript projects.

These individuals included third-party developers with dubious track records in open source development. In their messages they tried to persuade OpenJS management of the urgent need to update one of the popular JavaScript projects. They claimed that the update was necessary to add protection against critical vulnerabilities, but they provided no specific details about those vulnerabilities.

To implement the proposed changes, the suspect developer asked to be added to the project's maintainers, despite having had only a limited role in its development up to that point. In addition, similar suspicious contribution attempts were detected in two other popular JavaScript projects not associated with OpenJS.

This is why the OpenSSF (Open Source Security Foundation) and the OpenJS Foundation have issued a warning: all developers and maintainers of open source projects should be on the lookout for the following suspicious patterns, which could indicate an attempt to take control of a project.

How to protect your open source project?

The OpenSSF notes that the collaborative nature of open source projects makes them prone to a series of vulnerabilities that attackers can take advantage of, which is why it shares a list of the most common ones that attackers exploit to apply social engineering.
Suspicious patterns in attempts:

  • Outdated dependencies: One of the most common vulnerabilities is the use of outdated dependencies.
  • Friendly but aggressive and persistent behavior: A relatively unknown community member goes after the maintainer or the entity that hosts the project (a foundation or company).
  • Request to be elevated in rank: New or unknown people ask for promotion without having a significant history of contributions to the project.
  • Endorsement from other unknown community members: Attackers can use false identities to support their requests and create a false sense of trust.
  • Pull requests: Malicious files may be hidden within binaries or blobs, making them difficult to detect.
  • Intentionally obfuscated or difficult to understand source code: The goal is to make code review difficult and hide potential vulnerabilities.
  • Gradual escalation of security problems: The attacker may start by introducing minor vulnerabilities and then escalate to more serious problems.
  • Deviation from typical project compilation, build and deployment practices: These deviations can allow malicious code to be inserted into the binaries.
  • False sense of urgency: The attacker can create an atmosphere of urgency to pressure the maintainer into performing only a cursory review of the code.

These social engineering attacks seek to exploit the sense of duty that maintainers feel towards their projects and communities in order to manipulate them. By applying very insistent pressure to introduce changes, fix vulnerabilities or grant greater trust to a member, they make the person or people in charge end up giving in before verifying the claims or carrying out the relevant tests.
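As an added example that is not part of the article or of the OpenSSF alert, the following Python script turns the patterns above into a triage heuristic a maintainer could run over pull request metadata before reviewing; the field names, thresholds, file lists and the sample PR are assumptions made for this illustration.

```python
# Added example (not the article's or OpenSSF's own code): heuristic triage of a
# pull request against the suspicious patterns listed above. Thresholds, field
# names and the sample PR below are assumptions made for this illustration.
import re
from dataclasses import dataclass, field

BINARY_EXT = (".bin", ".so", ".dll", ".exe", ".xz", ".gz", ".zip", ".jar", ".o")
BUILD_FILES = ("Makefile", "CMakeLists.txt", "configure.ac", "package.json", "build.sh")
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|must be merged)\b", re.I)
ADVISORY = re.compile(r"\b(CVE-\d{4}-\d{4,}|GHSA-[\w-]+)\b")

@dataclass
class Contributor:
    login: str
    merged_prs: int         # prior merged PRs in this project
    account_age_days: int

@dataclass
class PullRequest:
    author: Contributor
    title: str
    body: str
    files: list[str]
    endorsers: list[Contributor] = field(default_factory=list)
    asks_for_maintainer_role: bool = False

def is_unknown(c: Contributor) -> bool:
    """Little project history and a young account (assumed thresholds)."""
    return c.merged_prs < 3 and c.account_age_days < 180

def triage(pr: PullRequest) -> list[str]:
    """Return the takeover indicators the PR matches; an empty list means none."""
    flags, text = [], f"{pr.title} {pr.body}"
    if pr.asks_for_maintainer_role and is_unknown(pr.author):
        flags.append("rank request without significant contribution history")
    if URGENCY.search(text) and not ADVISORY.search(text):
        flags.append("urgency claimed without a specific vulnerability reference")
    if blobs := [f for f in pr.files if f.endswith(BINARY_EXT)]:
        flags.append("binary/blob files that cannot be reviewed as text: " + ", ".join(blobs))
    build = [f for f in pr.files if f.split("/")[-1] in BUILD_FILES or "/workflows/" in f]
    if build and is_unknown(pr.author):
        flags.append("build/deploy changes from an unknown contributor: " + ", ".join(build))
    if pr.endorsers and all(is_unknown(c) for c in pr.endorsers):
        flags.append("endorsed only by unknown accounts: " + ", ".join(c.login for c in pr.endorsers))
    return flags

# Constructed sample: young account, "urgent" fix with a blob and a build change, asks for rights.
SAMPLE = PullRequest(Contributor("newdev", 1, 40), "URGENT security fix", "Must be merged immediately.",
                     ["src/decode.c", "tests/data/bad.xz", "Makefile"],
                     [Contributor("fan1", 0, 10), Contributor("fan2", 0, 12)], True)
```

Each flag maps back to one item in the list above; a match is a reason to slow down and verify, not a verdict.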
If you are interested in learning more about it, you can check the details at the following link.