By Ilkka Turunen, Field CTO at Sonatype
Open source underpins modern software development, permeating all businesses and industries. Open source powers our servers, fuels our algorithms, and is the source of innovation that led to modern AI breakthroughs. In that regard, the financial services sector is no different. The challenge of the ubiquity of open source is the inherent risk this presents to institutions — a well-placed security vulnerability on a component adopted by most businesses can cause untold damage.
The expansion of open source software means those working in banks, payments, trading, and other financial institutions already face the risk of reputational damage — they are losing millions to cyberattacks that fundamentally targeted the software supply chain. As the name suggests, open source can be used, or contributed to, by anyone.
The lion’s share of risk lies in adopting the technical and security debt of the open source code you download. Most organisations’ digital supply chains consist of hundreds of thousands of individual components, and poor software consumption behaviours account for the largest share of risk. 96% of the time an open source component is downloaded, there’s a newer, safer version available. These poor consumption behaviours expose financial institutions to data loss and have created a new avenue for adversaries to enter — by targeting developers directly.
Developers are the new attack frontier
Increasingly, cyberattacks can be attributed to hackers targeting the developer and software development environments directly. For example, the Snowflake attack was executed by distributing malware that targeted developers and production environments and stole login credentials later used to execute the breach.
In February, Kroll found that most cybersecurity breaches happened in healthcare and financial services. These attacks aren’t going away anytime soon, but it’s important to understand the exact extent of the risk being observed. It’s not just about bedroom hackers stealing a bit of currency.
We are dealing with sophisticated, well-financed groups of nation-state-backed threat actors coming for the UK’s critical infrastructure. The latest example is the story of XZ Utils, which demonstrates the level of sophistication being deployed against organisations.
The XZ Utils backdoor
XZ Utils is a data compression utility found in Linux distributions. Its role as a common utility made it an appetising target for attack. While the identity of the threat actor “Jia Tan” is still unknown, it is widely accepted that they were a nation-state actor, given the operation’s sophistication. If their campaign to plant a backdoor into XZ Utils had succeeded, it would have become one of the most devastating software supply chain attacks in history, giving criminals a skeleton key to 90% of the world’s servers.
“Jia Tan” started as a seemingly innocent contributor to the XZ project in 2021. They approached the original maintainer following a social pressure campaign, run through multiple fake email accounts, whose goal was to make out that the project’s sole maintainer wasn’t acting on fixes fast enough. By applying that pressure, the bad actors manufactured the opportunity to appear as a saviour and build a trusting relationship. Initially, “Jia” gained the maintainer’s trust by contributing useful patches. Once a degree of trust had been established, “Jia” began to suggest and add new features. Over the next two years, the bad actor worked on the project and became a trusted maintainer. All the while, though, they added encrypted code and malware hidden in plain sight to create a backdoor.
This master key contained code to execute an encrypted message across Linux systems and bypass the entire SSH authentication process used to remotely administer the servers. They also began advocating for the XZ project to be adopted by major Linux distributions as a default package. Fortunately, the attempt was uncovered before significant damage could be done. But we must acknowledge that highly sophisticated, well-resourced groups of bad actors are now operating over extended durations. They have the resources and capability to engage for several years, patiently working away at the cyberattacks we seem to read about weekly.
Advanced Persistent Threat actors are traditionally associated with nation-state hacking operations against corporations. Yet there is clear evidence that this activity extends to all parts of our digital infrastructure, including open source solutions in the financial services sector. Whenever these attempts are made, copycats often emerge on other projects. Evidence of similar attempts to target other projects has also come to light.
The genie is now out of the lamp and there is no going back. This type of operation will happen again and we must be ready.
How to fight a smokeless fire
Most organisations struggle to get a grip on their software supply chains. They consume so many components, often chosen by individual developers, that understanding the full extent of the attack surface can be tough. Using fewer, higher-quality projects will reduce your vulnerable attack surface, and making better-informed decisions helps minimise risk. Employing a Software Bill of Materials (SBOM) will help you understand the code and components your banking software relies on. The SBOM allows you to monitor any component for new information – and target remediation wherever necessary.
SBOMs and continuous monitoring allow CIOs, CISOs and banking security teams to implement effective quality control measures. They can monitor for any bad packages, software or containers that need to be resolved. Establishing supplier standards for your software supply chain and relying on automation are key tenets of success.
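As an added example, not code from the article or from Sonatype, here is a minimal version of the check an SBOM-driven monitoring step performs: it parses a constructed CycloneDX-style SBOM, matches each component against a constructed advisory feed, and flags components for which a newer known-good version exists. Package names, advisory ids and versions are placeholders.

```python
import json

# Constructed CycloneDX-style SBOM (only the fields the check needs); names and
# versions are placeholders, not real packages.
SBOM_JSON = """{"bomFormat": "CycloneDX", "components": [
  {"name": "example-compress", "version": "3.4.1", "purl": "pkg:generic/example-compress@3.4.1"},
  {"name": "example-http", "version": "2.3.0", "purl": "pkg:pypi/example-http@2.3.0"},
  {"name": "example-json", "version": "1.9.4", "purl": "pkg:npm/example-json@1.9.4"}]}"""

# Constructed advisory feed: a component is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "example-compress", "introduced": "3.4.0", "fixed": "3.4.2"},
    {"id": "ADV-PLACEHOLDER-2", "name": "example-http", "introduced": "0", "fixed": "2.1.0"},
]

# Constructed "latest known-good version" index, standing in for a registry lookup.
LATEST = {"example-compress": "3.4.2", "example-http": "2.4.1", "example-json": "1.9.4"}


def parse_version(v):
    """'3.4.1' -> (3, 4, 1), so ranges compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, adv):
    return parse_version(adv["introduced"]) <= parse_version(version) < parse_version(adv["fixed"])


def check_sbom(sbom_json, advisories, latest):
    """Map each component that needs action to its list of findings."""
    findings = {}
    for comp in json.loads(sbom_json)["components"]:
        name, version = comp["name"], comp["version"]
        issues = [f"{a['id']}: fixed in {a['fixed']}" for a in advisories
                  if a["name"] == name and is_affected(version, a)]
        # Even without an advisory, a newer version is the safer default (the 96% figure above).
        if name in latest and parse_version(latest[name]) > parse_version(version):
            issues.append(f"newer version {latest[name]} available")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in check_sbom(SBOM_JSON, ADVISORIES, LATEST).items():
        print(f"{name}: " + "; ".join(issues))
```

In practice the advisory feed and the latest-version index come from a vulnerability database and the package registries, and the check runs on every build so a new advisory against an already-shipped component is caught the day it is published.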
While the open source community strengthens defences upstream to avoid targeted attacks, the downstream organisations consuming it must be ready to move at a moment’s notice when incidents are uncovered. This means patching affected systems immediately. Continuous monitoring is not another tax; it’s a collective responsibility to safeguard the integrity of the software supply chain. Research suggests that building the capability to proactively manage patches also makes development teams more productive as a result.
A sobering call to action for financial services
The recent attacks we read about in the media show how important it is for the financial services sector to manage risks in their open source software. Organisations must keep a close eye on their components, build the capability to patch any issues quickly and implement robust monitoring systems. Continuous monitoring for new vulnerabilities can improve your cybersecurity posture and ensure you’re only operating on the best possible software available at the time.
Financial services must address the root causes of these supply chain attacks, and it starts with looking at your software development.
If you read about compromised open source software online, you’re already too late. Being proactive rather than reactive will help protect your organisation’s digital infrastructure from future attacks and help comply with the Digital Operational Resilience Act (DORA) when it comes into force on 17th January 2025.
For consumers in the financial services sector, the attempted backdoor on XZ Utils serves as a sobering wake-up call of the critical importance of robust risk management practices. By understanding the dependencies your software relies on, you can mitigate the risks posed by future attacks without compromising your customer and employee data.