Report: Code Responsible for Equifax Breach Downloaded 21 Million Times Last Year

Digital adversaries are increasingly targeting the supply chain for open source software to gain covert access to government and industry networks, according to a recent report.

That said, the number of breaches tied to open source software is falling as organizations get smarter about their IT development practices, security researchers found.

The popularity of open source software has skyrocketed in recent years as developers are expected to churn out more fresh tech in less time. In its fifth annual State of the Software Supply Chain report, researchers at Sonatype said the number of weekly downloads of the popular open source software package Java nearly tripled in 2018, from 3.5 billion to 10 billion.

But as virtually every organization comes to rely on crowdsourced code to run their tech, they also face more potential cybersecurity risks. Many open source components contain vulnerabilities, and if groups aren’t careful they could unknowingly install compromised software.

More than 10 percent of the individual Java components roughly half of the JavaScript packages developers downloaded last year contained known vulnerabilities, but many organizations are unaware about the potential risks, researchers said in the report. They found compromised Apache Struts software, which was the epicenter of the massive 2017 Equifax breach, was downloaded more than 21 million times between January and November 2018, even though the bug was announced in March 2017.

If compromised software is installed in an organization’s IT, they can mitigate the risks by frequently installing patches, but that’s something many government agencies struggle to do.

Despite the potential risks, researchers found the total number of breaches stemming from open source software is on the decline. Roughly a quarter of respondents to a 2019 Sonatype survey said their organization experienced a breach related to open source software, down from 31 percent in 2018.

Researchers attributed the drop to “improved open source hygiene and investments made by some organizations following the Equifax breach.”

But as government and industry improve their cyber hygiene, there’s a new threat emerging in the open source software world that will make locking down the software supply chain even more critical.

Over the past two years, Sonatype researchers have also seen an uptick in so-called “malicious code injections,” a sophisticated type of cyberattack that uses the popularity of open source software to co-opt organizations’ networks. While traditional attacks take advantage of software vulnerabilities that have been made public, this new variety exploits bugs known only to the hackers themselves. As a result, bad actors can fly under the radar until the vulnerability is discovered and patch.

“[It]’s kind of the equivalent of the person inside the Tylenol factory injecting cyanide into the tablets,” Sonatype Vice President Derek Weeks told Nextgov in a conversation last month. “From an adversary’s standpoint, it’s incredibly efficient.”

However, government officials are pushing for new strategies to lock down the federal software supply chain, which could help defend against malicious code injections and other types of open source attacks. 

One of the most promising strategies is requiring developers to provide a “software bill of materials,” or SBoM, which lists the various components that underlie a particular system. Using the document, agencies quickly locate and patch vulnerabilities in their systems. 

Last year, the National Telecommunications and Information Administration launched a program exploring the effectiveness of SBoMs, and the Food and Drug Administration is turning to SBoMs to help secure medical devices. The Homeland Security Department already requires vendors to submit SBoMs for every tool offered under the Continuous Diagnostics and Mitigation program.