The direct warning of a Russian threat to US infrastructure that CISA, NSA, and the FBI jointly issued earlier this week came after some weeks of work to find and remediate the vulnerabilities in the Apache Foundation's Log4j open-source library. Yesterday US Cyber Command formally attributed the activities of the threat group familiarly known as MuddyWater to Iran's intelligence agencies, specifically to the Ministry of Intelligence and Security (MOIS). Among the tools the group uses are variants of the open-source PowGoop DLL side-loader. MuddyWater seems to have been more involved in espionage than sabotage, but its dependence on open-source tools is noteworthy.
Government and industry leaders are meeting today in a White House Open Source Software Security Summit, where they will address the current threats to open-source software and seek ways of reducing risk.