Alex Birsan, a Romanian threat researcher, recently earned more than $130,000 by successfully hacking into the IT systems of dozens of large technology companies.
Birsan used a single novel supply chain attack against Tesla, Netflix, Microsoft, Apple, PayPal, Uber, Yelp, and at least 30 other businesses. In the process, the researcher exposed a huge vulnerability and earned large sums through multiple bug bounties, the fees companies pay to "hackers" who successfully test their online defenses.
How Birsan did it is pretty interesting. It involves manipulating code in development projects, specifically dependencies: the additional code a program pulls in so it can run successfully. Threatpost notes that the attack plants malicious code "in common dependency installation tools in developer projects that typically use public repositories on sites like GitHub. The malicious code then uses these dependencies to spread malware through an enterprise's internal applications and systems."
It's all pretty complicated, but in essence, Birsan discovered that some code packages used by large companies are inadvertently published in public repositories such as GitHub, for various reasons including "misconfiguration of internal or cloud-based build servers" and "systematically vulnerable development pipelines," among others. Birsan also discovered that the automated build tools businesses use during development would sometimes confuse this public code with internal code if the packages had the same name.
As a result, an attacker could potentially upload "malware to open source repositories" that would then be slipped automatically into an enterprise's systems, BleepingComputer reported. These malicious, counterfeit code packages would enable an attacker to execute arbitrary code or could be used to "insert backdoors within the project(s) involved during the build process," Birsan said in a recent write-up of how Yelp was affected.
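To make the mechanism concrete, here is an added Python model (not Birsan's code, and not any real package manager) of how a resolver that simply takes the highest version across an internal and a public registry gets shadowed by a public package of the same name, next to a hardened resolver that pins internal names to the internal registry and reports name collisions. The two registries, the package names and the "acme-" naming convention are constructed for this example.

```python
"""Model of how a build tool can be tricked into pulling a public package
instead of an internal one of the same name (added example, not Birsan's code).

The registries below are constructed sample data; 'acme-internal-utils' stands
in for a company's private package whose name has leaked."""
from dataclasses import dataclass

# Version tuples compare lexicographically, which is enough for this model.
Version = tuple

# Constructed sample data: the company's internal registry and the public one.
INTERNAL_REGISTRY = {
    "acme-internal-utils": [(1, 2, 0)],
    "acme-auth-client": [(0, 9, 3)],
}
PUBLIC_REGISTRY = {
    "requests": [(2, 25, 1)],
    # A copy of the leaked internal name, published publicly with a high version.
    "acme-internal-utils": [(99, 0, 0)],
}


@dataclass(frozen=True)
class Resolved:
    name: str
    version: Version
    source: str  # "internal" or "public"


def resolve_naive(name):
    """Flawed resolution: query both registries and take the highest version
    regardless of where it comes from. This is the behaviour that lets a
    public package shadow an internal one of the same name."""
    candidates = []
    for source, registry in (("internal", INTERNAL_REGISTRY), ("public", PUBLIC_REGISTRY)):
        for version in registry.get(name, []):
            candidates.append(Resolved(name, version, source))
    if not candidates:
        raise LookupError(f"no package named {name!r}")
    return max(candidates, key=lambda r: r.version)


# Hardened policy: names with these prefixes may only ever come from the
# internal registry (an assumed naming convention, chosen for this example).
INTERNAL_PREFIXES = ("acme-",)


def resolve_pinned(name):
    """Hardened resolution: internal names are pinned to the internal registry
    and are never looked up publicly, and a missing internal package is an
    error rather than a fallback; every other name goes to the public registry only."""
    if name.startswith(INTERNAL_PREFIXES):
        versions = INTERNAL_REGISTRY.get(name)
        if versions is None:
            raise LookupError(f"internal package {name!r} is missing; refusing to fall back to public")
        return Resolved(name, max(versions), "internal")
    versions = PUBLIC_REGISTRY.get(name)
    if versions is None:
        raise LookupError(f"no public package named {name!r}")
    return Resolved(name, max(versions), "public")


def colliding_names():
    """Names present in both registries: exactly the collision dependency
    confusion relies on, and therefore worth alerting on."""
    return sorted(set(INTERNAL_REGISTRY) & set(PUBLIC_REGISTRY))


if __name__ == "__main__":
    for pkg in ("acme-internal-utils", "requests"):
        print("naive :", resolve_naive(pkg))
        print("pinned:", resolve_pinned(pkg))
    print("collisions:", colliding_names())
```

The naive resolver returns the public 99.0.0 copy of acme-internal-utils, while the pinned resolver returns the internal 1.2.0 and would fail loudly if the internal package were absent instead of silently reaching for the public one. The collision report is the cheap detection: any internal name that also exists publicly deserves an alert, whether or not a build has picked it up yet.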
PayPal, for example, published a note about Birsan's findings explaining what happened in its case:
… certain development projects were pulling packages from the public NPM registry instead of using the intended internal packages. Since the packages did not exist in the public registry, the researcher created them and noticed that they were downloaded. If these packages had been maliciously crafted, internal development may have included this code. Although there are additional controls and checks in the development pipeline, it could have caused significant problems for internal systems. Thanks to the researcher's report, PayPal was able to mitigate the problem at the public registry and confirm no evidence of previous malicious activity.
Birsan called this vulnerability "dependency confusion", which, he wrote in a recent blog post, "has so far been detected within more than 35 organizations, in all three of the tested programming languages. The vast majority of the companies affected fall into the category of 1000+ employees, which probably reflects the higher prevalence of internal library use in larger organizations." He explained to BleepingComputer that the exploitation involves "vulnerabilities or design flaws in automated build or installation tools [that] can cause public dependencies to be incorrectly referenced as internal dependencies of exactly the same name."
When Birsan started using this technique last year, security firm Sonatype identified the packages he uploaded as malware, the company recently reported, but Birsan quickly reached out and informed them of his ongoing research, explaining that an official disclosure of the vulnerability would come in 2021.
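PayPal's description and Birsan's explanation above both come down to a registry-selection mistake, which a defender can check for in an npm project's configuration. The following added Python script (not PayPal's or Birsan's code) parses a package.json and a .npmrc, constructed inline, and reports every internal-looking dependency that npm would fetch from the public registry because no scoped registry mapping covers it. The @acme scope, the acme- prefix and the internal registry URL are assumptions made for this example.

```python
"""Audit an npm project for dependencies that would be fetched from the public
registry although they are meant to be internal (added example, not PayPal's
or Birsan's code). The package.json and .npmrc below are constructed inputs."""
import json
import re
from urllib.parse import urlparse

# Constructed package.json: one properly scoped internal package, one internal
# package published under a bare name (which anyone could claim publicly),
# and one genuine public dependency.
PACKAGE_JSON = """{
  "name": "acme-checkout",
  "dependencies": {
    "@acme/logging": "^2.1.0",
    "acme-payments-core": "^1.4.2",
    "express": "^4.17.1"
  },
  "devDependencies": {
    "@acme/eslint-config": "^1.0.0"
  }
}"""

# Constructed .npmrc: the @acme scope is mapped to an assumed internal registry.
NPMRC = """
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
"""

# Naming convention for internal packages, assumed for this example.
INTERNAL_NAME_PATTERN = re.compile(r"^(@acme/|acme-)")
PUBLIC_REGISTRY_HOST = "registry.npmjs.org"


def parse_npmrc(text):
    """Return (default_registry, {scope: registry}) from .npmrc content."""
    default = "https://registry.npmjs.org/"  # npm's built-in default
    scoped = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scoped[key[: -len(":registry")]] = value
    return default, scoped


def registry_for(name, default, scoped):
    """Registry npm would use for a name: the scope's mapping if one exists, else the default."""
    if name.startswith("@"):
        scope = name.split("/", 1)[0]
        return scoped.get(scope, default)
    return default


def audit(package_json_text, npmrc_text):
    """List internal-looking dependencies that would resolve to the public registry."""
    manifest = json.loads(package_json_text)
    default, scoped = parse_npmrc(npmrc_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            if not INTERNAL_NAME_PATTERN.match(name):
                continue
            if urlparse(registry_for(name, default, scoped)).hostname == PUBLIC_REGISTRY_HOST:
                findings.append(name)
    return sorted(findings)


if __name__ == "__main__":
    print("at risk:", audit(PACKAGE_JSON, NPMRC))
```

With the sample inputs the only finding is acme-payments-core: its bare name has no scope, so nothing in .npmrc can route it internally and npm will ask the public registry for it. Drop the @acme:registry line and the scoped packages are reported too, which is the misconfiguration case Birsan's quote describes. The durable fixes are the ones this check encodes: put internal packages under a scope that is explicitly mapped to the internal registry, and never rely on a bare name being absent from the public registry.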
Birsan's successful hacks have earned him plaudits and the gratitude of a number of major technology companies.
"I feel it is important to make it clear that every organization targeted during this research has given permission to have its security tested, whether through public bug-bounty programs or private agreements. Please do not try this type of test without authorization," Birsan wrote in the blog post.
Birsan, who previously worked as a Python engineer at Bitdefender and has spent the past three years as a freelance IT security consultant, further noted that this type of vulnerability has the potential to become a much bigger problem in the future.
"I believe that finding new and smart ways to leak internal package names will expose even more vulnerable systems, and exploring alternative programming languages and repositories to target will reveal an additional attack surface for dependency confusion bugs," Birsan wrote.