mood Posted February 9, 2021

Researcher hacks Microsoft, Apple, more in novel supply chain attack

A researcher managed to breach over 35 major companies' internal systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, in a novel software supply chain attack.

The attack comprised uploading malware to open source repositories including PyPI, npm, and RubyGems, which then got distributed downstream automatically into the company's internal applications.

Unlike traditional typosquatting attacks that rely on social engineering tactics or the victim misspelling a package name, this particular supply chain attack is more sophisticated as it needed no action by the victim, who automatically received the malicious packages.

This is because the attack leveraged a unique design flaw of the open-source ecosystems called dependency confusion.

For his ethical research efforts, the researcher has earned well over $130,000 in bug bounties.

Malware is distributed downstream automatically

Last year, security researcher Alex Birsan came across an idea when working with another researcher, Justin Gardner.

Gardner had shared with Birsan a manifest file, package.json, from an npm package used internally by PayPal.

Birsan noticed some of the manifest file packages were not present on the public npm repository but were instead PayPal's privately created npm packages, used and stored internally by the company.

On seeing this, the researcher wondered: should a package by the same name exist in the public npm repository, in addition to a private NodeJS repository, which one would get priority?

To test this hypothesis, Birsan began hunting for names of private internal packages that he could find in manifest files on GitHub repositories or in CDNs of prominent companies but did not exist in a public open-source repository.
The researcher then started creating counterfeit projects using the same names on open-source repositories such as npm, PyPI, and RubyGems.

Every package published by Birsan was done so under his real account and clearly had a disclaimer in place, stating "This package is meant for security research purposes and does not contain any useful code."

Birsan soon realized, should a dependency package used by an application exist in both a public open-source repository and your private build, the public package would get priority and be pulled instead -- without needing any action from the developer.

In some cases, as with PyPI packages, the researcher noticed that the package with the higher version would be prioritized regardless of wherever it was located.

Using this technique, Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber simply by publishing public packages using the same name as the company's internal ones.

"I believe dependency confusion is quite different from typosquatting or brandjacking, as it does not necessarily require any sort of manual input from the victim."

"Rather, vulnerabilities or design flaws in automated build or installation tools may cause public dependencies to be mistaken for internal dependencies with the exact same name," Birsan told BleepingComputer in an email interview.

Recon and data exfiltration over DNS

The packages had preinstall scripts that automatically launched a script to exfiltrate identifying information from the machine as soon as the build process pulled the packages in.

Knowing that his scripts would be making connections from corporate networks, Birsan decided to use DNS to exfiltrate the data to bypass detection.

"Knowing that most of the possible targets would be deep inside well-protected corporate networks, I considered that DNS exfiltration was the way to go," says Birsan in his blog post.
[Image: DNS used for recon and data exfiltration. Source: Birsan]

A snippet of the code shown below is from the squatted npm package "analytics-paypal" which is now removed from npm. However, as a security researcher at Sonatype, I was able to retrieve it from our automated malware detection archives.

This script would launch automatically as soon as the "analytics-paypal" dependency would get pulled and has code to make DNS requests to dns.alexbirsan-hacks-paypal.com. The callback received from PayPal’s systems would have then alerted the researcher that the IP making the request belonged to PayPal, along with the username and the home directory of the infected system.

[Image: PoC packages exfiltrated data. Source: BleepingComputer]

On receiving such callbacks and sufficiently verifying that the researcher’s counterfeit component had successfully infiltrated the corporate network, Birsan would then report his findings to the appropriate company and earn a bug bounty.

Earned over $130,000 in bounties

Overall, the researcher managed to earn over $130,000 in rewards through bug bounty programs and pre-approved penetration testing arrangements.

"I feel that it is important to make it clear that every single organization targeted during this research has provided permission to have its security tested, either through public bug bounty programs or through private agreements. Please do not attempt this kind of test without authorization," warns Birsan.

For Birsan's disclosure, Microsoft has awarded him their highest bug bounty amount of $40,000 and released a white paper on this security issue. They identify this issue as CVE-2021-24105 for their Azure Artifactory product.

However, Microsoft told Birsan in an email that they consider this a design flaw in package managers.

"While we are treating this as a severe security issue, it ultimately has to be fixed by reconfiguring installation tools and workflows, and not by correcting anything in the package repositories themselves."
"To address this issue, Microsoft has made minor improvements to Azure Artifacts to ensure it can be used as a reliable workaround."

"That said, we consider the root cause of this issue to be a design flaw (rather than a bug) in package managers that can be addressed only through reconfiguration," a Microsoft spokesperson said in the email.

In a statement to BleepingComputer, Yelp confirmed the researcher's report and rewarded him after patching the issue within a day.

"Through Yelp’s bug-bounty program, Alex Birsan helped us identify a vulnerability, which we immediately patched within a day."

"We are committed to working with security experts to stay up to date with the latest security techniques, and rely on our bug-bounty program to reward skilled security researchers that help improve Yelp’s systems and services," a Yelp spokesperson told BleepingComputer.

Apple has told BleepingComputer that Birsan will get a reward via the Apple Security Bounty program for responsibly disclosing this issue.

However, the researcher's ethical research efforts have not been embraced by everyone.

"I think this [is] probably reason enough to not have these projects on PyPI," argued Dustin Ingram, Director of the Python Software Foundation and a Google developer advocate, who investigated and took some of Birsan's packages down from PyPI.

After spending an hour on taking down these packages, Ingram stressed that uploading illicit packages on PyPI puts an undue burden on the volunteers who maintain PyPI.

"Ultimately if you are interested in protecting users from this kind of attack, there are better ways to do it that protect the entire ecosystem, not just a specific set of organizations with bug bounties," Ingram further added, having dealt with these packages for about an hour.
Attacks expected to grow, a hard problem to fix

Through this research spanning major organizations, Birsan says he has already made the prominent tech companies aware of this type of attack, and they have now implemented some kind of mitigation across their infrastructure. However, the researcher believes there is more to discover.

The possibility remains for such attacks to resurface and grow, especially on open-source platforms with no easy solution for dependency confusion.

"Specifically, I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs," the researcher concluded in his blog post.

Sonatype has released a script on GitHub that Nexus Repository Manager users can run to check if any of their private dependencies are named after existing packages present in the public npm, RubyGems, and PyPI repos. Companies of other artifact repository managers can adopt identical implementations.

BleepingComputer has reached out to the companies named in this report well in advance, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber. We have published the statements from companies that responded before press time.

Source: Researcher hacks Microsoft, Apple, more in novel supply chain attack
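The check described above (private dependency names compared against the public registries) as an added example; this is not the Sonatype script or Birsan's code, and the manifest, private-feed inventory and public-registry lookup are constructed in memory so it runs offline.

```python
# Added example, not the Sonatype script or Birsan's code: audit a package.json
# for dependency-confusion exposure. The manifest, private-feed inventory and
# public-registry lookup are constructed in-memory so the check runs offline.
import json

# Constructed sample manifest: one scoped internal package, three unscoped
# internal packages and one genuine public dependency.
SAMPLE_MANIFEST = json.dumps({
    "name": "checkout-service",
    "dependencies": {
        "@acme/auth-client": "^2.1.0",
        "acme-analytics": "1.4.0",
        "acme-logging": "^3.0.0",
        "lodash": "^4.17.20",
    },
    "devDependencies": {"acme-test-utils": "0.9.1"},
})
# Constructed inventory of what the private feed hosts.
PRIVATE_FEED = {"@acme/auth-client", "acme-analytics", "acme-logging",
                "acme-test-utils"}
# Constructed stand-in for a public-registry existence check; a real tool
# would query the registry (e.g. https://registry.npmjs.org/<name>) instead.
PUBLIC_REGISTRY = {"lodash", "acme-analytics"}

def audit_manifest(manifest_text, private_feed, public_lookup,
                   trusted_scopes=("@acme",)):
    """Classify each dependency by dependency-confusion risk.

    Returns {name: status} where status is
      "ok"        public package, or internal package under a trusted scope
      "claimed"   unscoped internal name already exists on the public registry
      "unclaimed" unscoped internal name not yet on the public registry
    """
    manifest = json.loads(manifest_text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    findings = {}
    for name in sorted(deps):
        if name not in private_feed:
            findings[name] = "ok"        # ordinary public dependency
        elif name.startswith("@") and name.split("/")[0] in trusted_scopes:
            findings[name] = "ok"        # scope is routed to the private feed
        elif public_lookup(name):
            findings[name] = "claimed"   # collision: the public copy may win
        else:
            findings[name] = "unclaimed" # still free for anyone to register
    return findings
```

Run it with audit_manifest(SAMPLE_MANIFEST, PRIVATE_FEED, PUBLIC_REGISTRY.__contains__); "claimed" names need immediate attention, and "unclaimed" names are the ones to move under a scope or reserve before someone else registers them.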
aum Posted February 10, 2021

In what's a novel supply chain attack, a security researcher managed to breach over 35 major companies' internal systems, including that of Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, and achieve remote code execution.

The technique, called dependency confusion or a substitution attack, takes advantage of the fact that a piece of software may include components from a mix of private and public sources.

These external package dependencies, which are fetched from public repositories during a build process, can pose an attack opportunity when an adversary uploads a higher version of a private module to the public feed, causing a client to automatically download the bogus "latest" version without requiring any action from the developer.

"From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds," security researcher Alex Birsan detailed in a write-up. Birsan has been collectively awarded over $130,000 in bug bounties for his efforts.

To carry out the attack, Birsan began by collecting names of private internal packages used by major companies off GitHub, posts on various internet forums, and JavaScript files that list a project's dependencies, and then uploaded rogue libraries using those same names to open-source package hosting services such as npm, PyPI, and RubyGems.
"[Shopify's] build system automatically installed a Ruby gem named 'shopify-cloud' only a few hours after I had uploaded it, and then tried to run the code inside it," Birsan noted, adding a Node package that he uploaded to npm in August 2020 was executed on multiple machines inside Apple's network, affecting projects related to the company's Apple ID authentication system.

Birsan ultimately used the counterfeit packages to obtain a record of every machine where the packages were installed and exfiltrated the details over DNS for the reason that the "traffic would be less likely to be blocked or detected on the way out."

The concern that a package with the higher version would be pulled by the app-building process regardless of wherever it's located hasn't escaped Microsoft's notice, which released a new white paper on Tuesday outlining three ways to mitigate risks when using private package feeds. Chief among its recommendations are as follows:

- Reference one private feed, not multiple
- Protect private packages using controlled scopes, namespaces, or prefixes, and
- Utilize client-side verification features such as version pinning and integrity verification

Source
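The three mitigations listed above, turned into a pre-install policy check as an added example; it is not code from Microsoft's white paper or from any package manager, and the private feed host, trusted scope, lockfile entry and tarball bytes are constructed for the example.

```python
# Added example: verify a pinned dependency against its lockfile entry before
# install. Not code from Microsoft's white paper or any package manager; the
# private feed host, scope, lockfile entry and tarball bytes are constructed.
import base64
import hashlib
from urllib.parse import urlparse

PRIVATE_FEED_HOST = "pkgs.example.internal"  # assumed single allowed feed
TRUSTED_SCOPE = "@acme"                      # assumed internal scope
STRENGTH = {"sha512": 3, "sha384": 2, "sha256": 1}  # sha1 is not accepted

# Constructed tarball and matching lockfile entry in npm's SRI format
# ("<algo>-<base64 digest>", several space-separated hashes allowed).
TARBALL = b"\x1f\x8b" + b"constructed tarball bytes for @acme/logging 3.0.0"
def _sri(algo, data):
    return algo + "-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()
LOCK_ENTRY = {
    "name": "@acme/logging",
    "version": "3.0.0",
    "resolved": "https://pkgs.example.internal/npm/@acme/logging/-/logging-3.0.0.tgz",
    "integrity": _sri("sha1", TARBALL) + " " + _sri("sha512", TARBALL),
}

def strongest_sri(integrity):
    """Pick the strongest acceptable (algo, digest) pair from an SRI string."""
    best = None
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in STRENGTH and (best is None or STRENGTH[algo] > STRENGTH[best[0]]):
            best = (algo, base64.b64decode(b64))
    return best

def verify_entry(entry, tarball_bytes, feed_host=PRIVATE_FEED_HOST,
                 scope=TRUSTED_SCOPE):
    """Policy check for an entry expected from the private feed; [] means it passes."""
    problems = []
    if not entry["name"].startswith(scope + "/"):
        problems.append("name is not under the trusted private scope")
    host = urlparse(entry["resolved"]).hostname
    if host != feed_host:
        problems.append(f"resolved from {host}, not the single private feed")
    sri = strongest_sri(entry.get("integrity", ""))
    if sri is None:
        problems.append("no acceptable integrity hash pinned")
    elif hashlib.new(sri[0], tarball_bytes).digest() != sri[1]:
        problems.append(f"{sri[0]} digest mismatch: tarball altered or substituted")
    return problems
```

A substituted public package fails on the resolved host and (unless the attacker can match the pinned digest) on the integrity check, so the build stops rather than silently pulling the "latest" version.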
Karlston Posted February 10, 2021

Similar topics merged.
aum Posted February 11, 2021

A Romanian threat researcher detailed in a published report Wednesday how he broke into IT systems belonging to some of the largest corporations in the world. His assaults successfully targeted Apple, Microsoft, Tesla, PayPal, Netflix and more than 30 other corporations.

Alex Birsan advised the companies in advance that he would be testing the security of their systems, but did not provide them with details beforehand.

Birsan accomplished the tasks by launching a relatively simple attack mode: He replaced private code packages routinely activated by servers with public code packages.

When searching for a code package, automated systems used by companies tap into public repositories. If a JavaScript, Ruby or Python module is required to execute a particular function, company servers will automatically swap a public module for its own in-house one if it detects an identically named package it believes is a newer version.

His exploit, Birsan told BleepingComputer, exposed "vulnerabilities or design flaws in automated build or installation tools [that] may cause public dependencies to be mistaken for internal dependencies with the exact same name."

Birsan took advantage of this vulnerability by injecting code into packages stored in public repositories such as GitHub. He termed the intentional duplication of names and subsequent swapping of files 'dependency confusion.'

He first had to determine the names companies used for the code files so he could create counterfeit files with the same names, but he found that task to be relatively easy. Shopify, for instance, automatically installed a forged file from Birsan that he correctly guessed was "Shopify-cloud."

"The success rate was simply astonishing," Birsan said in an online assessment of his exploits Wednesday.
"We were able to automatically scan millions of domains belonging to the targeted companies and extract hundreds of additional javascript package names which had not yet been claimed on the npm registry," Birsan said.

Such code planted by a malicious actor could wreak havoc throughout a company's network, disrupt operations, steal data or attempt to extort money.

Birsan's code was not malicious; he retrieved only basic information about each computer his code impacted including username, hostname and current path of each unique installation. The program notified Birsan when his code was activated by target companies.

"Along with the external IPs, this was just enough data to help security teams identify possibly vulnerable systems based on my reports," Birsan said, "while avoiding having my testing be mistaken for an actual attack."

In return Birsan collected 'bug bounty' cash that companies pay out to researchers who uncover vulnerabilities. The total from several companies that paid him topped $130,000.

Birsan came up with the idea when a colleague, Justin Gardner, examined an internal JavaScript package managing file and wondered what would happen if an identically named file were placed in a public repository. They soon discovered that whichever file had the most recent build number would be tapped by the company's server.

Most of the affected companies were able to quickly patch their systems following notification of the breach. But Birsan says he believes that dependency confusion on open-source platforms remains a problem.

"Specifically, I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs," he said.

Source