Open-source software is vital to the tech industry. The bad actors haven't overlooked that.
Open-source software and threats to critical infrastructure.
The direct warning of a Russian threat to US infrastructure that CISA, NSA, and the FBI jointly issued earlier this week came after some weeks of work to find and remediate vulnerabilities in the Apache Foundation's vulnerable Log4j open source library. Yesterday US Cyber Command formally attributed the activities of the threat group familiarly known as MuddyWater to Iran's intelligence agencies, specifically to the Ministry of Intelligence and Security (MOIS). Among the tools the group uses are variants of the open-source PowGoop DLL Side-Loader. MuddyWater seems to have been more involved in espionage than sabotage, but its dependence on open-source tools is noteworthy.
White House Open Source Software Security Summit meets today.
Senior representatives of tech companies and US Government agencies are meeting today to discuss ways of addressing the open-source security issues that have gained prominence during the prolonged search for and remediation of Log4j vulnerabilities. CyberScoop reports the list of attendees:
"The full tech participant list includes Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, Linux Open Source Foundation, Microsoft, Oracle, RedHat and VMware.
"Feds attending include representatives from the departments of Commerce, Defense, Energy and Homeland Security, as well as agencies like the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the National Science Foundation, the Office of the National Cyber Director and the Office of Science and Technology Policy."
Log4j is a single case of a more widespread challenge. We saw Tuesday that the Apache Software Foundation intended to argue that downstream users of open source software should play a larger role securing the supply chain on which so many of their products depend. Kent Walker, President, Global Affairs & Chief Legal Officer Google and Alphabet, this morning commended the Administration's decision to convene the meeting:
"Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure. Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges. Today’s meeting at the White House was both a recognition of the challenge and an important first step towards addressing it."
Claroty's blog yesterday outlined hopes for the summit:
"Many open source projects are under-resourced and poorly funded; these challenges often don’t come to light unless a critical vulnerability surfaces. Heartbleed, the crypto vulnerability found in 2014 in OpenSSL, shone a harsh light on the lack of resources keeping OpenSSL afloat, despite the fact the software lived everywhere from commercial software, to smartphones, to industrial devices. There was a skeleton crew maintaining OpenSSL at the time, woefully behind on updates, yet faithful to keeping the project on track. Heartbleed put a lot of businesses at risk and reactively, the industry was forced to create groups to audit the code base and funnel money and development resources to the project.
"Tomorrow’s White House meeting is a concrete step the Biden administration is taking toward proactively assessing the risks posed by open source software."
Industry observations on why open-source code matters to critical infrastructure.
Several industry sources began by pointing out that "critical infrastructure" isn't merely an homage to a fashionable buzzword or a set of agency equities, but that the designation of some system as "critical" represents the end result of serious reflection on risk. Tim Erlin, VP of Strategy at Tripwire put it this way:
“It’s important to remind ourselves that critical infrastructure is more than just a phrase. It describes a vast cross-section of infrastructure on which our nation relies. Critical infrastructure really is critical.
"This alert not only contains information about the threat, but real, actionable information that organizations can use to defend themselves. The use of the MITRE ATT&CK framework to identify the malicious activity, and to map to valid mitigation actions is highly valuable.
"This alert is focused on a specific set of threats and actions to identify and respond to those threats. Organizations should also review their preventive controls against the tools and techniques described in this alert. Identifying the attack in progress is important, but preventing the attack from being successful at all is better.”
Erich Kron, security awareness advocate at KnowBe4, thinks it important to understand that the risk of attacks on critical infrastructure rises with international tensions:
“Targeting critical infrastructure is nothing new, however, the increased attacks are certainly something to be concerned with, especially given the tensions between the U.S. and Russia over the Ukraine border crisis. Russia has very advanced cyber warfare skills which keep them hidden once a network is compromised, although ironically, the initial attack vectors are typically those of low-tech email phishing campaigns, taking advantage of people reusing already compromised passwords or using easily guessed passwords.
"To strengthen organizations against these attacks, it is critical that they have a comprehensive security awareness program in place to help users spot and report suspected phishing attacks and to educate them on good password hygiene. In addition, technical controls such as multi-factor authentication and monitoring against potential brute force attacks can play a critical role in avoiding the initial network intrusion.”
Mark Carrigan, Cyber Vice President, Process Safety and OT Cybersecurity at Hexagon PPM, is betting on form and is happy to name names. He thinks the GRU outfit that's been active against power grids (Western cognomen "Energetic Bear") is likely to be heard from again:
"The political leverage that can be gained from infiltrating critical infrastructure is enormous. The fingerprints of Energetic Bear, the Russian organization behind past attacks on critical infrastructure, are visible in these recent activities. The highly-sophisticated threats from state-sponsored actors aren’t going away and companies large and small are in the cross-hairs. For OT/ICS security managers, 2022 should be the year of resilience. We know it’s not if but when you will be attacked as history has proven. The most important foundational element of resilience is ensuring you have a trusted restore point that includes “configuration settings for common devices and critical OT equipment.”
Eric Byres, CTO at aDolus Technology Inc., wants to remind infrastructure operators not to overlook validating and authenticating patches before you apply them.
"This CISA alert certainly has general advice on best practices to reduce cybersecurity risk, but it missed a critical point in the Vulnerability and Configuration Management section. CISA says to update software and use a centralized patch management system, but they fail to mention the critical importance of validation or authentication before installing those patches. There is no point updating a vulnerability with a malware-infested, counterfeit patch. Operators of critical infrastructure need to verify that the patch they’ve got in hand is safe to install and did indeed come from their vendor (and not a Russian agency)."
Ron Brash, VP of Technical Research at aDolus Technology Inc., added a recommendation of resources that organizations trying to cope with patches and updates:
"To assist with the triaging and prioritization of patches, asset owners should be using resources like SBOMs and VEX documents— these types of documents help vendors share with their customers what vulnerabilities are present and actually exploitable (because most of them aren’t). aDolus worked with several major ICS vendors to produce the first real-world VEX documents in response to the Log4j vulnerability. This kind of effort highlights the advantage of intelligent vulnerability response vs. blanket knee-jerk patch everything statements."
And updates on Russian talks with NATO and the US over threats to Ukraine.
POLITICO reports that talks between Russian and NATO officials yesterday ended in a "standoff." NATO Secretary-General Jens Stoltenberg offered a glum assessment: “There is a real risk of a new armed conflict in Europe. We are clear-eyed. So we also conveyed a message to Russia that if they use military force there will be severe consequences; economic sanctions; political sanctions.”
Senior Russian officials, according to Newsweek, blame the US for deteriorating relations. Vyacheslav Volodin, Speaker of the Duma's lower house, complained that Washington was acting like "an elephant in a china shop," carelessly destroying the structures that had been carefully built up in Europe after World War Two to preclude another such conflict. (As if NATO had been a construct negotiated with the Soviet Union, and not an alliance designed to keep the Soviets from engulfing more of Europe than they already had.)