Open-source projects are now the foundation of innovation in a world where digital infrastructure is becoming more and more important. Even these groups, though, appear to be vulnerable to the constant threat of cyberattacks. The Blender Project was recently the target of Distributed Denial of Service (DDoS) assaults, which serve as a sobering reminder of the difficulties facing open-source endeavors in the digital age.
Blender, a versatile and powerful 3D creation suite, found itself in the crosshairs of a major DDoS attack, temporarily knocking its servers offline. The assault disrupted services, leaving users unable to access crucial resources. However, the Blender community, known for its resilience and collaborative spirit, swiftly rallied to address the challenge head-on.
The attack's origins remain shrouded in mystery, but the Blender Foundation acknowledged the incident through an official statement. They detailed the ongoing efforts to mitigate the impact and restore normalcy. Open source projects often operate on limited resources, making them susceptible targets for malicious actors. Despite this vulnerability, Blender's response underscores the dedication and determination of the open-source community to safeguard its assets.
Blender's official website (blender.org) became a focal point for concerned users seeking updates on the situation. The Blender Foundation utilized its communication channels to keep the community informed, ensuring transparency during the crisis. Users were encouraged to stay vigilant and patient as the team worked diligently to resolve the issue.
TechRadar reported on the severity of the attack, emphasizing the temporary unavailability of Blender's servers. The Verge also covered the incident, shedding light on the disruptive nature of DDoS attacks and their potential ramifications for widely-used platforms. Such incidents serve as a stark reminder of the importance of cybersecurity for digital infrastructure.
Despite the challenges posed by the DDoS onslaught, the Blender community's commitment to open-source principles emerged as a beacon of hope. The Blender Foundation's response exemplifies the resilience ingrained in collaborative endeavors. This incident reinforces the need for continued vigilance and proactive security measures within the open-source ecosystem.
As Blender emerges from this cyber crisis, it stands not only as a symbol of resilience but also as a reminder of the collective strength that open-source projects embody. The challenges posed by DDoS attacks have sparked a renewed commitment to fortifying the digital defenses of open-source initiatives. The Blender community's ability to weather this storm reflects the collaborative spirit that defines the open-source landscape, leaving us hopeful for a future where innovation can thrive securely in the digital realm.
Open-source software has become the backbone of many modern applications, providing cost-effective solutions and fostering collaborative development. However, the open nature of these projects can sometimes raise security concerns. Balancing the benefits of open source with the need for robust security measures is crucial for organizations leveraging these resources.
In a comprehensive guide by CIO.com, strategies are outlined to ensure organizations get the most out of open source without compromising security. The emphasizes on the importance of proactive measures, such as regular security assessments, vulnerability monitoring, and code analysis. By staying informed about potential risks, organizations can mitigate security threats effectively.
One key aspect highlighted in the guide is the need for a well-defined open-source governance policy. This involves establishing clear guidelines for selecting, managing, and monitoring open-source components. Organizations can reduce the likelihood of introducing vulnerabilities into their systems by implementing a structured approach to open-source usage.
Snyk, a leading security platform, contributes to the conversation by emphasizing the significance of managing open-source components. Their series on open-source security delves into the intricacies of handling these components effectively. The importance of continuous monitoring, regular updates, and patch management to address vulnerabilities promptly.
Furthermore, the guide points out the value of collaboration between development and security teams. This interdisciplinary approach ensures that security considerations are integrated into the development lifecycle. By fostering communication and shared responsibility, organizations can build a culture where security is not an afterthought but an integral part of the development process.
Drift offers a unique perspective on enhancing security through intelligent communication to complement these insights. Their platform enables organizations to streamline interactions, facilitating quick responses to potential security incidents. In a landscape where rapid communication is key, tools like Drift can enhance incident response times, minimizing the impact of security breaches.
It takes careful balance to maximize the benefits of open source while upholding strict security guidelines. The tools offered by Drift, Snyk, and CIO.com address this issue comprehensively. Organizations can optimize the advantages of open source without compromising security by implementing proactive security measures, clearly establishing governance standards, and encouraging team cooperation.
The Federal Bureau of Investigation (FBI) has recently warned against the increasing use of artificial intelligence (AI) in cyberattacks. The FBI asserts that hackers are increasingly using AI-powered tools to create sophisticated and more harmful malware, which makes cyber defense more difficult.
According to sources, the FBI is concerned that malicious actors are harnessing the capabilities of AI to bolster their attacks. The ease of access to open-source AI programs has provided hackers with a potent arsenal to devise and deploy attacks with greater efficacy. The agency's spokesperson noted, "AI-driven cyberattacks represent a concerning evolution in the tactics employed by malicious actors. The utilization of AI can significantly amplify the impact of their attacks."
Cybercriminals now have much easier access to the market thanks to AI and hacking tactics. It used to take a lot of knowledge and time to create complex malware, which restricted the range of assaults. Even less experienced hackers may now produce effective and evasive malware thanks to integrating AI algorithms with malware development.
The FBI's suspicions are supported by instances showing AI-assisted hacks' disruptive potential. protection researchers have noted that malware can quickly and automatically adapt thanks to AI, making it difficult for conventional protection measures to stay up. Because AI can learn and adapt in real time, hackers can design malware that can avoid detection by changing its behavior in response to changing security procedures.
In a report released last year, silicon design automation firm Synopsys discovered that 97 percent of codebases in 2021 contained open source and that open source software (OSS) was present in 100 percent of audited codebases in four of 17 industries studied - computer hardware and chips, cybersecurity, energy, and clean tech, and the Internet of Things (IoT). The other verticals had at least 93 percent open source. It can contribute to increased efficiency, cost savings, and developer productivity.
"Open source really is everywhere," Fred Bals, senior technical writer at Synopsys, wrote in a blog post about the report.
However, the increasing use of open-source packages in application development opens the door for threat groups to use the software supply chain as a backdoor to a plethora of targets that rely on it.
Due to the widespread use of OSS packaging in development, many enterprises have no idea what is in their software. With so many different hands involved, it's difficult to know what's going on in the software supply chain. According to a VMware report from last year, concerns about OSS included the need to rely on a community to patch vulnerabilities, as well as the security risks that entails.
Varun Badhwar, co-founder and CEO of Endor Labs – a startup working to secure OSS in app development – called it "the backbone of our critical infrastructure." But he added that developers and executives are often surprised by how much of their applications' code comes from OSS.
According to Badhwar, 95 percent of all vulnerabilities are found in "transitive dependencies," which are open source code packages that are pulled into projects rather than being chosen by developers.
"This is a huge arena, yet it's been largely overlooked," he warned.
The use of open source software is not a new trend. According to Brian Fox, co-founder and CTO of software supply chain management vendor Sonatype and a member of the OpenSSF (Open Source Security Foundation) governing board, developers have been doing it for a dozen years or more.
According to Fox, developers assemble the source components and add business logic. As a result, open source becomes the software's foundation.
What has changed in recent years is the general awareness of it, not just among well-intentioned developers who are creating software from these disparate parts.
"The attackers have figured this out as well," he said. "A big notable change over the last five or so years has been the rise of intentional malware attacks on the supply chain."
This was highlighted by the SolarWinds breach in 2020, in which miscreants linked to Russia broke into the company's software system and inserted malicious code. Customers who downloaded and installed the code unknowingly during the update process were then compromised. Similar attacks followed, notably against Kaseya and Log4j.
Obtaining the image using Log4j
According to Fox, the Java-based logging tool is an example of the massive risk consolidation that comes with the widespread use of popular software components.
"It's a simple component way down [in the software] and it was so popular you can basically stipulate it exists in every Java application – and you would be right 99.99 percent of the time," he said. "As an attacker … you're going to focus on those types of things. If you can figure out how to exploit it, it makes it possible to 'spray and pray' across the internet – as opposed to in the '90s, when you had to sit down and figure out how to break each bespoke web application because they all had custom code."
Enterprises have "effectively outsourced 90 percent of your development to people you don't know and can't trust. When I put it that way, it sounds scary, but that's what's been happening for ten years. We're just now grappling with the implications of it."
Log4j also brought to light another issue in the software supply chain, awakening many to how reliant they are on OSS. Despite this, an estimated 29 percent of Log4j downloads are still of the vulnerable versions.
According to Sonatype analysis, the majority of the time a company uses a vulnerable version of any component, a fixed version of the component is available - but they don't use it. This indicates a need for more education. according to Fox. "96 percent of the problem is people keep taking the tainted food off the shelf instead of taking a cleaned-up one."
Concentrating on the repositories
Another OSS-related threat is the injection of malware into package repositories such as GitHub, Python Package Index (PyPI), and NPM. Cybercriminals are using dependency confusion and other techniques to create malicious versions of popular code in order to trick developers into including the code in their software.
They may use an underscore instead of a dash in their code to confuse developers into selecting the incorrect component.
"The challenge with this is that the attack happens as soon as the developer downloads that component and these downloads happen by the tools," Fox said. "It's not like they're literally going to a browser and downloading it like the old days, but they're putting it into their tool and it happens behind the scenes and it might execute this malware.
"The sophistication of the attacks is low and these malware components don't even often pretend to be a legitimate components. They don't compile. They're not going to run the test. All they do is deliver the payload. It's like a smash-and-grab."
Defenses are being strengthened.
Despite the security risks associated with OSS, there are benefits to using it. According to Fox, it is more visible and transparent than commercial software. He cited the response to the Log4j vulnerabilities: the Log4j team produced a fix in a matter of days, which commercial organizations were unlikely to be able to do.
Mike Parkin, the senior technical engineer at Vulcan Cyber, agreed that having more eyes on the code through open source can help mitigate cyber threats, but it also makes it easier for potential attackers.
That said, "historically the tradeoff has usually favored the open source developers," Parkin told The Register.
The SolarWinds attack highlighted the importance of software supply chain security. Building on US President Biden's 2021 Cybersecurity Executive Order, the White House ordered [PDF] federal agencies in September 2022 to follow NIST guidelines when using third-party software, including self-attestation and software bills of materials (SBOMs) by software vendors.
Vendors are working on a variety of initiatives to strengthen the security of the software supply chain. These include the rise of multi-vendor frameworks such as the Open Software Supply Chain Attack Reference, tools such as the Vulnerability Exploitability Exchange (VEX), and other cybersecurity vendor products.
Still, Sonatype's Fox would like to see other steps taken, such as requiring software manufacturers to recall defective software components. They are currently designed to create an SBOM. Fox compared it to car manufacturers only having to provide buyers with a list of vehicle parts, which can then be stuffed into a glove box and forgotten about, with no obligation to recall the vehicle if any of those parts are faulty.
"What we really need is something to basically mandate that they can do a recall, because that implies that they know all the parts and where they ship them and which versions of the applications have which open source dependencies, but it also means they're actually managing it and looking out for that," he said. "That drives you towards that proper behavior."
Fox wishes to concentrate on the actual maintenance of the OSS packages. Governments are moving in that direction, he said, noting that the EU's Cyber Resilience Act mentions the need for recalls, albeit without using the exact words. According to Fox, the Biden administration may be warming up to the idea.
He is also considering component-level firewalls, which work similarly to packet-level firewalls in that they can inspect network traffic and block malicious traffic before an attack can begin. Similarly, a component-level firewall could prevent malicious code from infiltrating the software.
"If you don't even know what's in your software to start with, you probably have no visibility into what's going on with the malware, which is almost a worse problem because it's not just the vulnerability that's latent, waiting for somebody to exploit," he said. "It's causing harm the moment you touch it. Not enough people are really getting their head around that part of the problem either."
The Nexus Firewall, which Fox said was inspired by credit card fraud protection, was built into Sonatype's platform. The firewall recognizes normal behavior and can detect abnormal behavior using artificial intelligence and machine learning techniques. More than 108,000 malicious attack attempts were detected by the firewall in 2022.
"So many organizations don't even know that this is a problem," he said. "It's where the game is happening right now and the attackers are kind of having a field day, unfortunately."
It is necessary to have both SBOM and firewall-like capabilities.
"Yes, you need to know where all those parts are, so when the next Log4j happens, you can remediate it immediately and not have to start triaging thousands of applications," Fox argued. "But that's not going to stop these malicious attacks. You also need to be perfect protecting the factory."