A security researcher managed to breach the internal systems of more than 35 large companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla and Uber, in a novel software supply-chain attack.
The attack consisted of uploading malware to open source repositories, including PyPI, npm and RubyGems, from which it was then automatically pulled into the companies’ internal applications.
Unlike traditional typosquatting attacks, which rely on social engineering or on the victim misspelling a package name, this supply-chain attack is more sophisticated because it required no action from the victim, who received the malicious packages automatically.
This is because the attack exploited a design flaw specific to open source ecosystems, called dependency confusion.
For his ethical research efforts, the researcher earned more than $130,000 in bug bounties.
Malware is automatically distributed downstream
Last year, security researcher Alex Birsan had an idea while working with another researcher, Justin Gardner.
Gardner shared with Birsan a manifest file, package.json, from an npm package used internally by PayPal.

Source: Birsan
Birsan noticed that some of the packages in the manifest file were not present in the public npm registry but were instead npm packages created privately by PayPal, used and stored internally by the company.
Seeing this, the researcher wondered: if a package with the same name existed in the public npm registry as well as in the private Node.js repository, which one would take priority?
To test this hypothesis, Birsan started looking for names of private internal packages that he could find in manifest files in GitHub repositories or on the CDNs of major companies, but that did not exist in any public open source repository.
The researcher then started creating counterfeit projects using the same names in open source repositories, such as npm, PyPI and RubyGems.
Each package published by Birsan was made under his real account and clearly had a disclaimer, stating “This package is intended for security research purposes and does not contain any useful code.”

Source: BleepingComputer
Birsan soon realized that if a dependency used by an application exists both in a public open source repository and in its private build, the public package would take priority and be pulled in instead, without any action required from the developer.
In some cases, as with PyPI packages, the researcher found that the package with the higher version number would be prioritized regardless of where it was hosted.
Using this technique, Birsan carried out successful supply-chain attacks against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp and Uber simply by publishing public packages with the same names as the companies’ internal ones.
“I believe dependency confusion is quite different from typosquatting or brandjacking, as it does not necessarily require any sort of manual input from the victim.”
“Instead, vulnerabilities or design flaws in automated build or installation tools can cause public dependencies to be mistaken for internal dependencies with exactly the same name,” Birsan told BleepingComputer in an email interview.
Recon and exfiltration of data over DNS
The packages contained pre-install scripts that automatically launched a script to collect machine-identifying information as soon as the build process pulled the packages in.
Knowing that his scripts would be making connections from within corporate networks, Birsan chose to exfiltrate the data over DNS to evade detection.
“Knowing that most of the possible targets would be within well-protected corporate networks, I considered DNS exfiltration to be the way to go,” said Birsan on his blog.

Source: Birsan
The code snippet shown below is from the npm “analytics-paypal” package, which has now been removed from npm. However, as a security researcher at Sonatype, I was able to recover it from our automated malware detection archives.
This script would start automatically as soon as the “analytics-paypal” dependency was pulled in, and it contained code to make DNS requests to dns.alexbirsan-hacks-paypal.com.
The callback received from PayPal’s systems would have alerted the researcher that the IP making the request belonged to PayPal, along with the username and home directory of the infected system.

Source: BleepingComputer
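As an added example, not code from the article, from Birsan's research or from Sonatype, here is the kind of check a defender can run over build-agent resolver logs to surface the DNS exfiltration pattern described above: hex-encoded host details stuffed into subdomain labels of a domain the organisation does not own. The log lines, the allow-list and the domain are all constructed for the example.

```python
import math
import re
from typing import Dict, List

# Constructed resolver log lines from a build agent (not real data). The third
# line mimics the pattern above: host details hex-encoded into DNS labels.
DNS_LOG = """\
2021-02-09T12:00:01Z agent-07 query registry.npmjs.org A
2021-02-09T12:00:02Z agent-07 query github.com A
2021-02-09T12:00:05Z agent-07 query 6275696c642d30372e6a656e6b696e73.2f686f6d652f6a656e6b696e73.dns.evil-example.test A
2021-02-09T12:00:06Z agent-07 query api.slack.com A
"""

# Assumed allow-list of registrable domains the build agents legitimately resolve.
ALLOWED_DOMAINS = {"npmjs.org", "github.com", "slack.com", "pypi.org"}
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){8,}$")  # 16+ hex chars, even length

def shannon_entropy(s: str) -> float:
    """Bits per character; long high-entropy labels suggest encoded payloads."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def suspicious_query(qname: str) -> bool:
    """True when a subdomain label under a non-allow-listed domain looks encoded."""
    labels = qname.rstrip(".").lower().split(".")
    if ".".join(labels[-2:]) in ALLOWED_DOMAINS:
        return False
    return any(HEX_LABEL.match(l) or (len(l) >= 20 and shannon_entropy(l) > 3.5)
               for l in labels[:-2])

def decode_hex_labels(qname: str) -> str:
    """Decode hex labels so an analyst can see what left the host."""
    parts = [bytes.fromhex(l).decode("ascii", "replace")
             for l in qname.lower().split(".") if HEX_LABEL.match(l)]
    return " ".join(parts)

def find_exfil_candidates(log: str) -> List[Dict[str, str]]:
    """Parse '<time> <host> query <qname> <type>' lines and keep suspicious ones."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query" and suspicious_query(parts[3]):
            hits.append({"time": parts[0], "host": parts[1], "qname": parts[3],
                         "decoded": decode_hex_labels(parts[3])})
    return hits
```

Running install-time lifecycle scripts only from trusted sources (for example, `npm install --ignore-scripts` on build agents that do not need them) removes the stage at which such a script would run in the first place.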
Upon receiving such callbacks and having sufficiently verified that his counterfeit component had successfully infiltrated the corporate network, Birsan would report his findings to the company concerned and earn a bug bounty.
Earned more than $130,000 in bounties
Overall, the researcher was able to earn more than $130,000 in bounties through pre-approved bug bounty programs and penetration testing arrangements.
“I feel it is important to make it clear that all organizations targeted during this research have given permission to test their security, whether through public bug bounty programs or private agreements. Don’t try this type of testing without authorization,” warns Birsan.
For Birsan’s disclosure, Microsoft awarded him its biggest bug bounty, of $40,000, and released a white paper on this security issue. It tracks the issue as CVE-2021-24105 for its Azure Artifactory product.
However, Microsoft told Birsan in an email that it considers this to be a design flaw in package managers.
“Although we are treating this as a serious security issue, it must be fixed by reconfiguring the installation tools and workflows, and not fixing anything in the package repositories themselves.”
“To address this issue, Microsoft has made minor improvements to Azure Artifacts to ensure that it can be used as a reliable workaround.”
“That said, we consider the root cause of this problem to be a design flaw (rather than a bug) in package managers that can only be resolved through reconfiguration,” said a Microsoft spokesperson in the email.
In a statement to BleepingComputer, Yelp confirmed the researcher’s report and rewarded him after fixing the problem within a day.
“Through Yelp’s bug bounty program, Alex Birsan helped us identify a vulnerability, which we fixed immediately, within one day.”
“We are committed to working with security experts to stay up to date with the latest security techniques, and we rely on our bug bounty program to reward qualified security researchers who help improve Yelp’s systems and services,” a Yelp spokesperson told BleepingComputer.
Apple told BleepingComputer that Birsan will receive a reward through the Apple Security Bounty program for responsibly disclosing this issue.
PayPal, meanwhile, has now publicly disclosed Birsan’s HackerOne report, which mentions the $30,000 bounty amount.
However, the researcher’s ethical research efforts were not welcomed by everyone.
“I think this [is] probably reason enough not to have these projects on PyPI,” argued Dustin Ingram, Director of the Python Software Foundation and Google developer advocate, who investigated and removed some of Birsan’s PyPI packages.
After spending an hour removing these packages, Ingram emphasized that uploading illegitimate packages to PyPI puts a strain on the volunteers who maintain it.
“Ultimately, if you are interested in protecting users from this type of attack, there are better ways to do this that protect the entire ecosystem, not just a specific set of organizations with bug bounties,” added Ingram, having dealt with these packages for about an hour.
Attacks bound to grow, problem hard to solve
Through this research covering large organizations, Birsan says he has already alerted prominent technology companies to this type of attack, and they have now implemented some kind of mitigation in their infrastructure. However, the researcher believes there is still more to discover.
There remains the possibility that such attacks will resurface and grow, especially on open source platforms where there is no easy solution to dependency confusion.
“Specifically, I believe that finding new and smart ways to leak internal package names will expose even more vulnerable systems, and looking at alternative programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs,” concluded the researcher in his blog post.
Sonatype has released a script on GitHub that Nexus Repository Manager users can run to check whether any of their private dependencies share names with packages present in the public npm, RubyGems and PyPI repositories. Companies using other artifact repository managers can adopt similar implementations.
BleepingComputer contacted the companies named in this report well in advance, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp and Uber. We publish statements from companies that responded before publication time.
Update, February 10, 2021, 4:30 pm Eastern Time: Added links to HackerOne reports for PayPal, released by Yelp after press time.
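As an added example, not Sonatype's script and not code from the article, here is a minimal name-collision checker covering the two resolution rules described earlier: npm pulling in a public package that shares an unscoped internal name, and pip (with a public index configured alongside a private one) preferring whichever index offers the higher version. The manifests, the internal `acme` prefix and the public-registry lookup table are all constructed; a real checker would query the npm and PyPI JSON APIs in place of the table.

```python
import json
import re
from typing import Callable, Dict, List, Optional

# Constructed package.json for a hypothetical internal app. "acme-analytics" is
# meant to come from a private registry but is published without an npm scope.
PACKAGE_JSON = json.dumps({"name": "acme-checkout", "dependencies": {
    "express": "^4.17.1", "acme-analytics": "1.2.0", "@acme/auth": "2.0.0"}})

# Constructed requirements.txt; the acme-* names live on an internal PyPI mirror.
REQUIREMENTS_TXT = "requests==2.25.1\nacme-utils==1.4.0\nacme-metrics>=0.3\n"

# Constructed stand-in for a public-registry lookup (name -> highest public
# version). A real checker would query the npm and PyPI JSON APIs instead.
PUBLIC_REGISTRY = {"express": "4.17.1", "requests": "2.25.1",
                   "acme-analytics": "99.0.0", "acme-metrics": "0.4"}

def version_tuple(v: str):
    return tuple(int(p) for p in re.findall(r"\d+", v))

def npm_internal_names(package_json: str, prefix: str) -> List[str]:
    """Unscoped dependencies with the internal prefix. Scoped (@org/x) names are
    excluded: npm binds a scope to one registry, so they cannot be confused."""
    deps = json.loads(package_json).get("dependencies", {})
    return [n for n in deps if n.startswith(prefix) and not n.startswith("@")]

def pypi_internal_pins(requirements: str, prefix: str) -> Dict[str, Optional[str]]:
    """Internal PyPI names -> exact pin, or None when the specifier is a range."""
    pins: Dict[str, Optional[str]] = {}
    for line in requirements.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)\s*([\w.]+)", line)
        if m and m.group(1).startswith(prefix):
            pins[m.group(1)] = m.group(3) if m.group(2) == "==" else None
    return pins

def find_confusable(package_json: str, requirements: str, prefix: str,
                    lookup: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Report every internal name that also exists on the public registry."""
    findings: Dict[str, str] = {}
    for name in npm_internal_names(package_json, prefix):
        if lookup(name):
            findings[name] = "npm: public package with the same unscoped name exists"
    for name, pin in pypi_internal_pins(requirements, prefix).items():
        public = lookup(name)
        if public is None:
            continue
        wins = pin is None or version_tuple(public) > version_tuple(pin)
        findings[name] = f"pypi: public {public} {'wins over' if wins else 'coexists with'} internal {pin or 'range'}"
    return findings
```

The durable fixes are structural rather than a one-off scan: publish internal npm packages under a scope bound to the private registry, and point pip at a single internal index (`--index-url` to a proxy that mirrors PyPI) rather than adding the public index with `--extra-index-url`.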