Researcher hacks Microsoft, Apple, more in new supply chain attack


A researcher has succeeded in breaching the internal systems of more than 35 large companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla and Uber, in a novel software supply chain attack.

The attack consists of uploading malicious packages to open source repositories, including PyPI, npm and RubyGems, which are then automatically pulled downstream into the companies’ internal applications.

Unlike traditional typosquatting attacks, which depend on social engineering or on the victim misspelling a package name, this supply chain attack is more sophisticated because the victim, who received the malicious packages automatically, did not need to take any action at all.

This is because the attack took advantage of a unique design flaw in open source ecosystems, called dependency confusion.

For his ethical research efforts, the researcher earned more than $130,000 in bug bounties.

Malware is automatically distributed downstream

Last year, security researcher Alex Birsan came up with an idea while working with another researcher, Justin Gardner.

Gardner shared a manifest file, package.json, from an npm package used internally by PayPal.

Public and private (internal) dependencies for a PayPal package
Source: Birsan

Birsan noted that some of the packages in the manifest file were not in the public npm repository; rather, they were private npm packages created by PayPal and used and stored internally by the company.

When he saw this, the researcher wondered: if a package with the same name existed both in the public npm repository and in a private NodeJS repository, which one would take precedence?

To test this hypothesis, Birsan began looking for names of private internal packages that he could find in manifest files in GitHub repositories or on the CDNs of prominent companies, but which did not exist in any public open source repository.

The researcher then started creating counterfeit projects with those same names on open source repositories such as npm, PyPI and RubyGems.

Every package Birsan published was done under his own account and clearly carried a disclaimer, with the description “This package is meant for security research purposes and does not contain any useful code.”

Packages published with disclosure of security research
Source: BleepingComputer

Birsan soon realized that if a dependency package used by an application exists both in a public open source repository and in your private build, the public package would be preferred and pulled instead, without the developer taking any action.

In some cases, such as with PyPI packages, the researcher noted that the package with the higher version number would be prioritized, regardless of which repository it was located in.
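The resolution rule described above, modelled as an added example (not Birsan’s code and not the source of any package manager): when a build consults a private index and the public index on equal footing, the way pip does with an extra index, every candidate lands in one pool and the highest version wins, whatever index served it. The mitigated variant consults indexes in priority order so that a name the private index owns is never answered by the public one. The package names, versions and index contents are constructed for the demonstration.

```python
"""Model of dependency-confusion resolution: pooled indexes vs. ordered indexes.

Added example, not code from the article, the researcher, or any package
manager. Package names, versions and index contents below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # which index served this candidate


def version_key(version: str) -> tuple:
    """Dotted-integer version ordering; sufficient for the constructed data."""
    return tuple(int(part) for part in version.split("."))


# Constructed indexes. "private" holds the company's internal package; "public"
# holds an attacker's same-named upload with an inflated version number.
PRIVATE_INDEX = [
    Candidate("acme-internal-auth", "1.4.0", "private"),
    Candidate("acme-internal-auth", "1.3.2", "private"),
]
PUBLIC_INDEX = [
    Candidate("acme-internal-auth", "99.0.0", "public"),
    Candidate("requests", "2.25.1", "public"),
]


def resolve_pooled(name: str, indexes: list) -> Candidate:
    """Vulnerable rule (pip with an extra index): all indexes are equal,
    candidates are pooled, and the highest version wins regardless of origin."""
    pool = [c for index in indexes for c in index if c.name == name]
    if not pool:
        raise LookupError(f"no candidate for {name}")
    return max(pool, key=lambda c: version_key(c.version))


def resolve_ordered(name: str, indexes: list) -> Candidate:
    """Mitigated rule: indexes are consulted in priority order and the first
    index that knows the name answers. The public index is only a fallback for
    names the private index does not own, so a public squat of an internal
    name is never considered."""
    for index in indexes:
        pool = [c for c in index if c.name == name]
        if pool:
            return max(pool, key=lambda c: version_key(c.version))
    raise LookupError(f"no candidate for {name}")


if __name__ == "__main__":
    order = [PRIVATE_INDEX, PUBLIC_INDEX]
    for resolver in (resolve_pooled, resolve_ordered):
        chosen = resolver("acme-internal-auth", order)
        print(f"{resolver.__name__}: {chosen.name} {chosen.version} from {chosen.index}")
```

With the pooled rule the build installs the attacker’s 99.0.0 from the public index; with the ordered rule it installs 1.4.0 from the private index, while a genuinely public name such as `requests` still falls through to the public index.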

Using this technique, Birsan mounted a successful supply chain attack on Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp and Uber by publishing public packages with the same names as the companies’ internal packages.

“I believe dependency confusion is quite different from typosquatting or brandjacking, as it does not necessarily require any kind of manual input from the victim.”

“Instead, vulnerabilities or design flaws in automated build or installation tools can cause public dependencies to be mistaken for internal dependencies of exactly the same name,” Birsan said in an email interview with BleepingComputer.

Reconnaissance and data exfiltration over DNS

The packages contained pre-install scripts that automatically launched a script to exfiltrate identifying information from the machine as soon as the build process pulled in the packages.

Knowing that his scripts would be making connections from inside corporate networks, Birsan decided to use DNS to exfiltrate the data in order to bypass detection.

“Knowing that most of the possible targets would be deep inside well-protected corporate networks, I considered that DNS exfiltration was the way to go,” Birsan said in his blog post.

DNS used for reconnaissance and data exfiltration
Source: Birsan

The code snippet below comes from the npm package “analytics-paypal”, which has since been removed from npm. However, as a Sonatype security researcher, I was able to retrieve it from our automated malware detection archives.

This script would be launched automatically as soon as the analytics-paypal dependency was pulled in, and contains code to make DNS requests to dns.alexbirsan-hacks-paypal.com.

The callback from PayPal’s systems would have indicated to the researcher that the IP address making the request belonged to PayPal, along with the username and home directory of the infected system.

PoC packages exfiltrating data
Source: BleepingComputer
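What an exfiltration channel of this kind looks like from both sides, as an added example that is not the analytics-paypal PoC code and does not reproduce its encoding: a pre-install hook packs the username, hostname and home directory into DNS labels under a domain the sender controls, so the data leaves the network as ordinary lookups, and a defender reading resolver logs reassembles the same data or flags the query shape. The hex-and-chunk scheme, the stand-in domain exfil.example (used instead of the researcher’s real domain), the BIND-style log format and the log lines are all constructed here.

```python
"""DNS exfiltration of build-host identity, and its reconstruction from logs.

Added example, not the code from the analytics-paypal package. The encoding
scheme, the domain exfil.example, the log line format and the sample log
lines are constructed for this demonstration.
"""
import binascii
import re

MAX_LABEL = 63                  # RFC 1035 limit on a single DNS label
EXFIL_DOMAIN = "exfil.example"  # constructed stand-in for a sender-controlled domain


def host_identity(user: str, host: str, home: str) -> str:
    """The identifying information a pre-install hook would collect."""
    return f"user={user};host={host};home={home}"


def encode_queries(payload: str, domain: str = EXFIL_DOMAIN) -> list:
    """Sender side: hex-encode the payload and split it into query names of the
    form <seq>.<hexchunk>.<domain>, each chunk short enough to be one label."""
    hexdata = binascii.hexlify(payload.encode()).decode()
    chunks = [hexdata[i:i + MAX_LABEL] for i in range(0, len(hexdata), MAX_LABEL)]
    return [f"{seq}.{chunk}.{domain}" for seq, chunk in enumerate(chunks)]


# Constructed resolver log format: "client <ip>#<port>: query: <qname> IN A +"
LOG_RE = re.compile(r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN A\b")


def build_sample_log() -> list:
    """Constructed log: two benign lookups around an exfil burst from a build host."""
    queries = encode_queries(host_identity("ci-runner", "build-07", "/home/ci-runner"))
    lines = ["client 10.20.30.5#41022: query: registry.npmjs.org IN A +"]
    lines += [f"client 10.20.30.40#53344: query: {q} IN A +" for q in queries]
    lines.append("client 10.20.30.5#41023: query: www.bleepingcomputer.com IN A +")
    return lines


def reconstruct_from_log(lines: list, domain: str = EXFIL_DOMAIN) -> dict:
    """Defender side: pick out lookups under the domain, reorder the chunks by
    sequence number per source address, and decode. Undecodable data maps to None."""
    per_source = {}
    suffix = "." + domain
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        qname = match.group("qname").rstrip(".")
        if not qname.endswith(suffix):
            continue
        labels = qname[:-len(suffix)].split(".")
        if len(labels) != 2 or not labels[0].isdigit():
            continue
        per_source.setdefault(match.group("src"), {})[int(labels[0])] = labels[1]
    decoded = {}
    for src, chunks in per_source.items():
        hexdata = "".join(chunks[seq] for seq in sorted(chunks))
        try:
            decoded[src] = binascii.unhexlify(hexdata).decode()
        except (binascii.Error, UnicodeDecodeError):
            decoded[src] = None
    return decoded


HEX_LABEL = re.compile(r"^[0-9a-f]{32,}$")


def looks_like_exfil(qname: str) -> bool:
    """Domain-agnostic heuristic for hunting: a label that is a long run of hex
    characters is unusual in legitimate hostnames and worth alerting on."""
    return any(HEX_LABEL.match(label) for label in qname.rstrip(".").split("."))


if __name__ == "__main__":
    for src, data in reconstruct_from_log(build_sample_log()).items():
        print(f"{src}: {data}")
```

The reconstruction keys on the known domain, which is what an incident responder does once a callback domain is in hand; `looks_like_exfil` is the cheaper, domain-independent check to run continuously over query logs, at the cost of some false positives from content hashes in legitimate CDN hostnames.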

After receiving such callbacks and sufficiently verifying that his counterfeit component had successfully infiltrated the corporate network, Birsan would report his findings to the affected company and collect a bug bounty.

Earned over $130,000 in bounties

Overall, the researcher managed to earn more than $130,000 in rewards through bug bounty programs and pre-approved penetration testing arrangements.

“I feel it’s important to make it clear that every organization targeted during this research has given permission to have its security tested, either through public bug bounty programs or through private agreements. Please do not attempt this type of test without permission,” warns Birsan.

For his disclosure, Microsoft awarded Birsan the highest amount, $40,000, and issued a white paper on this security issue. They identified the issue as CVE-2021-24105 for their Azure Artifacts product.

However, Microsoft told Birsan in an email that it considered this a design flaw in package managers.

“Although we consider it a serious security issue, it should ultimately be corrected by reconfiguring installation tools and workflows, and not by fixing something in the package repositories themselves.”

“To address this issue, Microsoft has made minor improvements to Azure Artifacts to ensure that it can be used as a trusted solution.”

“That said, we see the cause of this issue as a design flaw (rather than a bug) in package managers that can only be addressed through reconfiguration,” a Microsoft spokesperson said in the email.

In a statement to BleepingComputer, Yelp confirmed the researcher’s report and said it rewarded him after fixing the problem within a day.

“Through Yelp’s bug-bounty program, Alex Birsan helped us identify a vulnerability, which we immediately patched up within a day.”

“We are committed to working with security experts to stay abreast of the latest security techniques, and rely on our bug-bounty program to reward skilled security researchers who help improve Yelp’s systems and services,” a Yelp spokesperson told BleepingComputer.

Apple has told BleepingComputer that Birsan will receive a reward via the Apple Security Bounty program for disclosing this issue.

PayPal has also now published Birsan’s HackerOne report, citing the $30,000 bounty amount.

However, the researcher’s ethical research efforts were not accepted by everyone.

“I think this [is] probably enough reason not to have these projects on PyPI,” said Dustin Ingram, a director of the Python Software Foundation and a developer advocate at Google, who investigated and took down some of Birsan’s packages from PyPI.

After spending an hour taking down these packages, Ingram stressed that uploading illegitimate packages to PyPI puts an unnecessary burden on the volunteers who maintain it.

“Finally, if you are interested in protecting users from these types of attacks, there are better ways to do it that protect the entire ecosystem, not just a specific set of organizations with bug bounties,” Ingram added after dealing with these packages for about an hour.

Attacks expected to grow, a difficult problem to solve

Through this research spanning large organizations, Birsan says he has made prominent technology companies aware of these kinds of attacks, and they have since applied some form of mitigation across their infrastructure. However, the researcher believes there is more to discover.

Such attacks are likely to resurface and grow, especially on open source platforms where there is no easy solution to dependency confusion.

“Specifically, I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs,” the researcher said in his blog post.

Sonatype has released a script on GitHub that users of Nexus Repository Manager can use to check whether any of their private dependencies are named after existing packages in the public npm, RubyGems and PyPI repositories. Companies using other artifact managers can implement the same check.
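One way to implement such a check, as an added example in the spirit of the Sonatype script but not that script: extract dependency names from a package.json and a requirements.txt, keep the ones that follow the organization’s internal naming convention, and ask the corresponding public registry whether each name is already claimed. The registry URLs are the real npm, PyPI and RubyGems JSON endpoints; the `acme-` naming convention, the sample manifests and the offline registry used for the demonstration are constructed.

```python
"""Audit private dependency names against public registries.

Added example, not Sonatype's script. The registry endpoints are real; the
"acme-" naming convention, the sample manifests and the offline registry
used by offline_lookup() are constructed for the demonstration.
"""
import json
import re
import urllib.error
import urllib.request

PUBLIC_LOOKUP_URLS = {
    "npm": "https://registry.npmjs.org/{name}",
    "pypi": "https://pypi.org/pypi/{name}/json",
    "rubygems": "https://rubygems.org/api/v1/gems/{name}.json",
}


def public_lookup(ecosystem: str, name: str, timeout: int = 10) -> bool:
    """Live check: True if the public registry knows the name (HTTP 200),
    False on 404. Any other error is raised rather than silently treated as
    'unclaimed', since a wrong answer here hides a confusable name."""
    url = PUBLIC_LOOKUP_URLS[ecosystem].format(name=name)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def npm_names(package_json_text: str) -> set:
    """Dependency names from every dependency section of a package.json."""
    data = json.loads(package_json_text)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(section, {}))
    return names


REQUIREMENT_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def pypi_names(requirements_text: str) -> set:
    """Project names from a requirements.txt, normalized the way PyPI compares
    them (lower case, underscores folded to hyphens); options and comments skipped."""
    names = set()
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = REQUIREMENT_NAME.match(line)
        if match:
            names.add(match.group(1).lower().replace("_", "-"))
    return names


def internal_subset(names: set, marker: str = "acme-") -> set:
    """Constructed convention: internal packages share a naming prefix. In
    practice this is whatever rule the organization uses to tell its own
    packages apart from third-party ones."""
    return {name for name in names if name.startswith(marker)}


def audit(private_names: set, ecosystem: str, lookup) -> tuple:
    """Split private names into those already claimed on the public registry
    (a live confusion risk or an existing squat) and those still unclaimed
    (names the organization should reserve or scope before someone else does)."""
    claimed, unclaimed = [], []
    for name in sorted(private_names):
        (claimed if lookup(ecosystem, name) else unclaimed).append(name)
    return claimed, unclaimed


# Constructed sample manifests and an offline stand-in for the public registries.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "acme-checkout",
    "dependencies": {"lodash": "^4.17.20", "acme-analytics": "1.0.0"},
    "devDependencies": {"acme-internal-auth": "2.1.0"},
})
SAMPLE_REQUIREMENTS = "requests==2.25.1\nacme_internal_utils>=1.0  # internal\n-r other.txt\n"
OFFLINE_PUBLIC = {("npm", "lodash"), ("npm", "acme-analytics"), ("pypi", "requests")}


def offline_lookup(ecosystem: str, name: str) -> bool:
    return (ecosystem, name) in OFFLINE_PUBLIC


if __name__ == "__main__":
    print("npm:", audit(internal_subset(npm_names(SAMPLE_PACKAGE_JSON)), "npm", offline_lookup))
    print("pypi:", audit(internal_subset(pypi_names(SAMPLE_REQUIREMENTS)), "pypi", offline_lookup))
```

Swap `offline_lookup` for `public_lookup` to run it against the live registries. A name that comes back as claimed needs investigation either way: it is either a package the organization itself reserved, or the exact situation this article describes.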

BleepingComputer reached out in advance to the companies mentioned in this report, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp and Uber. We have published the statements of the companies that responded before press time.

Update February 10, 2021 16:30 ET: Added links to the HackerOne reports for PayPal and Yelp, which were published after press time.
