The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation, which hosts multiple JavaScript-based open source software (OSS) projects, have warned that the social engineering campaign against the XZ Utils data compression library, disclosed at the end of March 2024, may not be an isolated incident.
In the XZ Utils attack, a threat actor operating under the name Jia Tan infiltrated the project over a multi-year period, earning the maintainers' trust with legitimate contributions before inserting a backdoor, tracked as CVE-2024-3094, into the 5.6.0 and 5.6.1 releases. It could have caused carnage had an eagle-eyed researcher not caught it before the affected releases reached widespread production use.
Now, OpenSSF and OpenJS are calling on all open source maintainers to be alert to similar takeover attempts after the OpenJS Cross Project Council received a series of suspicious emails urging it to update one of its projects to address "critical vulnerabilities", without citing any specific details.
Robin Bender Ginn, OpenJS Foundation executive director, and Omkhar Arasaratnam, OpenSSF general manager, said that the authors of the emails, which bore different names but came from overlapping GitHub-associated accounts, wanted to be designated as project maintainers despite having little prior involvement, much as Jia Tan worked their way into the XZ Utils project.
They added that the OpenJS team also became aware of a similar pattern at two other widely used JavaScript projects that it does not host itself, and has flagged the potential security risk to the respective project leaders, as well as to the US cyber security authorities.
"None of these individuals have been given privileged access to the OpenJS-hosted project. The project has security policies in place, including those outlined by the Foundation's security working group," wrote Bender Ginn and Arasaratnam in a joint blog post detailing the attack.
"Open source projects always welcome contributions from anyone, anywhere, yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a quick fix to any problem.
"Together with the Linux Foundation, we want to raise awareness of this ongoing threat to all open source maintainers, and offer practical guidance and resources from our broad community of experts in security and open source," they said.
Among other things, OSS project members should be alert to friendly, yet aggressive and persistent, pursuit of maintainer status by any new or relatively unknown community members; new requests to be elevated; and endorsements from other unknown community members, who may be sockpuppet accounts.
Members should also be wary of pull requests (PRs) that contain blobs as artifacts (the XZ backdoor was delivered in a file that was not human-readable, not in source code); intentionally obfuscated or hard-to-understand source code; security issues that seem to escalate slowly (the XZ attack started with a relatively innocuous test amendment); deviation from typical project compile, build and deployment procedures; and a false sense of urgency, particularly if someone appears to be trying to convince a maintainer to bypass a control or speed up a review.
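The file-level red flags in that list (opaque blobs, obfuscated text, changes to the build pipeline) are the part of a review a maintainer can at least partly automate. The following Python script is an added example, not tooling from OpenSSF, OpenJS or the XZ project: it walks the files touched by a pull request and flags binary content, unusually high-entropy text, and edits to build and release scripts, so reviewers know where to slow down. The list of build-system paths, the 5.8 bits-per-byte entropy threshold and the sample pull request at the bottom are all assumptions constructed for the demonstration; the sample file names echo the XZ layout, but none of the contents are the real files.

```python
"""Triage helper for pull requests: point a human at the files that need a
slow read before merging. Added example, not OpenSSF/OpenJS/XZ tooling."""
import base64
import math
import os
import random
from collections import Counter

# Files that decide how the project is compiled, built and released. The XZ
# backdoor was bootstrapped from build glue (a modified m4 macro shipped in the
# release tarball) plus opaque test fixtures, not from the compression code, so
# any change here warrants a slower review. Assumed list: tune to the project.
BUILD_BASENAMES = {
    "configure", "configure.ac", "Makefile", "Makefile.am", "Makefile.in",
    "CMakeLists.txt", "meson.build", "setup.py", "pyproject.toml",
    "package.json", "build.gradle",
}
BUILD_DIRS = ("m4/", "build-aux/", ".github/workflows/", "ci/", "scripts/release")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~4.5-5.5 for source text, ~6 for base64, ~8 for random/compressed."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_binary(data: bytes) -> bool:
    """The heuristic git uses before printing 'Binary files differ': a NUL in the first 8000 bytes."""
    return b"\x00" in data[:8000]


def touches_build_system(path: str) -> bool:
    return os.path.basename(path) in BUILD_BASENAMES or any(
        path.startswith(d) for d in BUILD_DIRS)


def review_changes(changes, entropy_threshold=5.8):
    """changes: iterable of (path, content_bytes) for files added or modified in a PR.

    Returns a list of (path, reason). An empty list means 'nothing mechanical to
    flag', not 'safe': social engineering is caught by people; this only tells
    them which files deserve the most suspicion."""
    findings = []
    for path, data in changes:
        if looks_binary(data):
            findings.append((path, "binary blob: not reviewable as source; ask why it is "
                                   "needed and how it was produced"))
        else:
            h = shannon_entropy(data)
            if h >= entropy_threshold:
                findings.append((path, f"high-entropy text ({h:.2f} bits/byte): encoded, "
                                       "packed or obfuscated content"))
        if touches_build_system(path):
            findings.append((path, "build/release script change: trace what it executes "
                                   "and diff the release tarball against the git tag"))
    return findings


# Constructed sample PR (assumption, not real XZ files): one ordinary C change,
# one opaque test fixture, one base64 payload dropped into a shell script, and
# one edit to a build macro.
SAMPLE_SOURCE = b"""#include <stdint.h>
#include <stddef.h>

/* validate the stream header before decoding */
int check_header(const uint8_t *buf, size_t len)
{
    if (len < 6 || buf[0] != 0xFD)
        return -1;
    return 0;
}
"""
_rng = random.Random(2024)  # seeded so the sample is reproducible
SAMPLE_FIXTURE = b"\xfd7zXZ\x00" + _rng.randbytes(512)
SAMPLE_SCRIPT = (b"#!/bin/sh\neval \"$(echo "
                 + base64.b64encode(_rng.randbytes(4096)) + b" | base64 -d)\"\n")
SAMPLE_M4 = b"AC_DEFUN([gl_BUILD_TO_HOST], [AC_SUBST([LOCALEDIR])])\n"

SAMPLE_PR = [
    ("src/lzma/header.c", SAMPLE_SOURCE),
    ("tests/files/corrupt-stream.xz", SAMPLE_FIXTURE),
    ("scripts/helper.sh", SAMPLE_SCRIPT),
    ("m4/build-to-host.m4", SAMPLE_M4),
]

if __name__ == "__main__":
    for path, reason in review_changes(SAMPLE_PR):
        print(f"{path}: {reason}")
```

Run as a script it prints three findings for the constructed PR: the .xz fixture is binary, the shell script carries a base64 payload, and the m4 edit touches the build system; the ordinary C change passes. The entropy check is a triage signal, not a verdict: minified JavaScript, embedded certificates and legitimate base64 test vectors will all trip it, which is why the function returns reasons for a reviewer rather than blocking the merge.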
"These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them," wrote Bender Ginn and Arasaratnam. "Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etcetera, might be part of a social engineering attack."
Social engineering attacks can be difficult to detect or protect against via programmatic means as they prey on human emotions and trust, so in the short term, it is also important to share as much information about possible suspicious activity as possible, without shame or judgment, so that community members can learn protective strategies.
Chris Hughes, Endor Labs chief security officer and a cyber innovation fellow at the Cybersecurity and Infrastructure Security Agency (CISA), said he was unsurprised to hear of more widespread social engineering attacks against the open source world, and that, given the XZ attack received significant publicity, other malicious actors are likely to try similar tactics going forward.
"We can likely suspect that many of these are already underway and may have already been successful but haven't been exposed or identified yet. Most open source projects are incredibly underfunded and run by a single or small group of maintainers, so utilising social engineering attacks on them isn't surprising, and given how vulnerable the ecosystem is and the pressures maintainers are under, they will likely welcome the help in many cases," he said.
"If done well by the attackers, it may be difficult for the maintainers to determine which involvement is from those interested in collaborating and contributing to projects versus those with malicious intent."
More generally, warned Hughes, this poses a massive risk to the open source community, with around a quarter of all open source projects having just one maintainer, and 94% having fewer than 10. This risk then carries forward into organisations that use open source software components in their own software.
"This raises awareness of the larger issue of how opaque the OSS ecosystem is. Components and projects that run the entire modern digital infrastructure are often maintained by unknown aliases and individuals scattered around the globe. Furthermore, many OSS projects are maintained by a single individual or small group of individuals, often in their spare time as a hobby or passion project and typically without any sort of compensation.
"This makes the entire ecosystem vulnerable to malicious actors preying on these realities and taking advantage of overwhelmed maintainers, with a community making demands of them with no actual compensation in exchange for their hard work and commitment to maintaining code the world depends on," he said.
Originally posted here:
More social engineering attacks on open source projects observed - ComputerWeekly.com