Researcher hacked Tesla, Microsoft, Netflix and more than 30

Illustration for the article entitled This researcher has invaded 35 major technology companies, including Microsoft, Tesla and Netflix

Photograph: THOMAS SAMSON / AFP (Getty Images)

Alex Birsan, a Romanian threat researcher, recently earned more than $130,000 by hacking into the IT systems of dozens of major technology companies.

Birsan used a single novel supply-chain attack to compromise Tesla, Netflix, Microsoft, Apple, PayPal, Uber, Yelp, and at least 30 other companies. In the process, the researcher exposed a serious vulnerability and earned large sums through various bug bounties, the fees that companies pay to “white hat” hackers who successfully test their online defenses.

How Birsan did this is very interesting. It involves manipulating code in development projects, specifically dependencies, the third-party code a program pulls in so that it can run. Threatpost notes that the attack injects malicious code “into common tools for installing dependencies on developer projects that typically use public repositories from sites like GitHub. The malicious code then uses these dependencies to propagate malware through a target company’s internal applications and systems.”


Screenshot: Lucas Ropek / Twitter

This is all very complicated, but essentially, Birsan found that some internal code packages of large companies were being accidentally published in public repositories such as GitHub, for a variety of reasons, including “misconfigured internal or cloud-based build servers” and “systemically vulnerable development pipelines”, among other things. Birsan also found that the automated build tools companies use during development would sometimes “confuse” this public code with the internal code if the packages had the same name.

As a result, an attacker could potentially upload “malware to open source repositories” that would then be automatically pulled into a company’s systems, according to BleepingComputer. These malicious, counterfeit code packages would allow a wrongdoer to execute arbitrary code or could be used to add “backdoors within the affected project(s) during the build process,” Birsan said in a recent write-up of how Yelp was affected.

For example, PayPal posted a note about Birsan’s findings, explaining what had happened in its case:

… certain standard development projects to the public npm registry, instead of using the intended internal packages. As the packages did not exist in the public registry, the researcher created them and noted that they were downloaded. If these packages had been registered with malicious intent, it is possible that internal development would have included this code. Although there are additional checks and controls in the development pipeline, this could have caused significant problems for internal systems. Thanks to the researcher’s report, PayPal was able to mitigate the problem with the public registry and has not confirmed any evidence of previous malicious activity.

Birsan called this vulnerability “dependency confusion”, which, he said in a recent blog post, “has been detected in more than 35 organizations to date, in all three programming languages tested. The vast majority of affected companies fall into the category of more than 1,000 employees, which probably reflects the higher prevalence of internal library use in larger organizations.” He clarified for BleepingComputer that exploitation involves “vulnerabilities or design flaws in automated build or installation tools [that] can cause public dependencies to be confused with internal dependencies with exactly the same name.”
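As an added, illustrative check (not code from the article or from Birsan’s research): a small Python audit of an npm package-lock.json that flags internal package names resolved from anywhere other than the company’s own registry, and lists internal names that are unscoped and could therefore collide with a same-named public upload. The registry host, the internal package names and the lock-file excerpt are all constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed for this example: hypothetical internal registry host and internal package names.
INTERNAL_REGISTRY_HOST = "npm.internal.example.com"
INTERNAL_PACKAGES = {"@acme/auth-client", "acme-billing-utils", "acme-logger"}

# Constructed excerpt in the shape of a package-lock.json (lockfileVersion 2) "packages" map.
# "acme-billing-utils" is an internal name that the build resolved from the public registry.
SAMPLE_LOCK = json.dumps({
    "name": "payments-service",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"acme-billing-utils": "^1.0.0",
                              "@acme/auth-client": "^2.1.0", "left-pad": "^1.3.0"}},
        "node_modules/acme-billing-utils": {"version": "99.0.0",
            "resolved": "https://registry.npmjs.org/acme-billing-utils/-/acme-billing-utils-99.0.0.tgz"},
        "node_modules/@acme/auth-client": {"version": "2.1.0",
            "resolved": "https://npm.internal.example.com/@acme/auth-client/-/auth-client-2.1.0.tgz"},
        "node_modules/left-pad": {"version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
    },
})

def package_name(path):
    """'node_modules/@acme/auth-client' -> '@acme/auth-client'; also handles nested node_modules."""
    return path.rsplit("node_modules/", 1)[-1]

def find_confused_dependencies(lock_text):
    """Return [(name, version, host)] for internal packages fetched from a non-internal registry."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the "" entry describes the project itself, not a dependency
            continue
        name = package_name(path)
        if name not in INTERNAL_PACKAGES:
            continue
        host = urlparse(meta.get("resolved", "")).hostname or "<no resolved url>"
        if host != INTERNAL_REGISTRY_HOST:
            findings.append((name, meta.get("version"), host))
    return findings

def unscoped_internal_names(lock_text):
    """Internal names without an npm scope: the ones a same-named public package could shadow."""
    root_deps = json.loads(lock_text).get("packages", {}).get("", {}).get("dependencies", {})
    return sorted(n for n in root_deps if n in INTERNAL_PACKAGES and not n.startswith("@"))

if __name__ == "__main__":
    for name, version, host in find_confused_dependencies(SAMPLE_LOCK):
        print(f"CONFUSED: {name}@{version} was pulled from {host}")
    print("unscoped internal names:", unscoped_internal_names(SAMPLE_LOCK))
```

Running the audit in CI against the committed lock file turns the silent resolution described above into a failing build; moving internal packages under a registered scope removes the name collision entirely.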

When Birsan began using this technique last year, the security company Sonatype started flagging the packages he was uploading as malware, the company recently reported, but Birsan quickly got in touch and notified them of his ongoing research, explaining that an official disclosure of the vulnerability would take place in 2021.

Birsan’s successful hacks have earned him several bug bounties and the gratitude of several large technology companies.

“I feel it is important to make it clear that all organizations targeted during this research have given permission to have their security tested, whether through public bug bounty programs or private agreements. Do not attempt this type of test without authorization,” Birsan wrote in the blog post.

Birsan, who previously worked as a Python engineer at Bitdefender and has spent the past three years as an independent IT security consultant, further noted that the kind of vulnerability he discovered has the potential to become a much bigger problem in the future.

“I believe that finding new and smart ways to leak internal package names will expose even more vulnerable systems, and looking at alternative programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs,” Birsan wrote.
