A vulnerability, which ethical hacker Alex Birsan calls ‘dependency confusion’, has rendered defenses of top tech companies useless and powerless. Birsan demonstrated a novel supply-chain attack that breached the systems of more than 35 technology companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, and Uber.
Tech giants and leading internet companies had their internal systems breached as part of a ‘proof of concept’ attack. The attack relied on the fact that the majority of companies often pull in open-source software from public repositories.
An ethical hacker successfully ‘hacks’ tech companies using open-source tools injected with malicious code:
Security researcher Alex Birsan devised an ingenious and effective attack to breach the digital perimeters of leading tech companies. The attack primarily injects malicious code into common tools for installing dependencies in developer projects which typically use public depositories.
Needless to add, common and popular sites like GitHub are a hotbed for millions of small but effective open-source tools. Developers routinely tap into such depositories to grab the dependencies and use them within their projects.
Researcher Hacks Apple and Microsoft: Novel supply chain attack allows researcher to hack internal systems of major companies https://t.co/pGiRlusLtQ pic.twitter.com/q1u1dIWUJ2
— Shah Sheikh (@shah_sheikh) February 10, 2021
The attack involved uploading malware to open source repositories including PyPI, npm, and RubyGems. The malware then quietly and automatically made its way downstream, into the target’s internal and sensitive applications.
The attack is concerning because it does not need any action by the victim. In other words, the laced packages made their way into secured networks with no active user intervention.
Traditional attacks need a weak point, which attackers typically exploit with carefully compiled social engineering attacks. In order to deliver the malicious code, attackers need victims to accept a similar-looking and sounding package.
Dependency Confusion attacks a wake-up call for all tech and internet companies:
The ethical hacker has indicated that he had prior arrangements with targeted organizations, who all agreed to be tested. Apparently, Birsan has received more than $130,000 in both bug bounties and pre-approved financial arrangements. Interestingly, PayPal, as well as Apple and Canada’s Shopify, each contributed $30,000.
The ethical hacker reveals that he merely exploited the exceptional trust developers put in a “simple command.” Developers routinely use “pip install package_name,” with programming languages such as Python, Node, Ruby, and others.
Great writeup by @alxbrsn on his madly successful bug bounty research project that got his code into dozens of major corps including Microsoft, Apple and Shopify via a software supply chain hack. Props! https://t.co/bQPCq3z8dn #supplychain
— Bengt_Gregory-Brown (@BengtGB) February 10, 2021
This command installs dependencies, or blocks of code shared between projects. However, these installers are usually tied to public code repositories. Needless to add, these repositories are open to all. In other words, anyone can freely upload code packages for others to use.
The ethical hacker attempted to answer a simple question: “Can this blind trust be exploited by malicious actors?”. And he received a deeply concerning answer.
A researcher managed to breach over 35 major companies' internal systems, including #Microsoft, #Apple, #PayPal, #Shopify, #Netflix, #Yelp, #Tesla, and #Uber, in a novel software supply chain attack. #Security #Hack https://t.co/zPtogQxgRE
— Arun Subramanian (@arunsub) February 10, 2021
Once the laced packages on publicly modifiable repositories found their way inside secure networks, it was relatively easy to exfiltrate sensitive information.
Secure networks heavily guard entry points. But data usually moves with minimal oversight on its way out. Using DNS routing for data exfiltration, Birsan was able to get catalog and obtain data from inside well-protected corporate networks.
It is concerning to note that the ethical hacker found multiple private packages on public repositories. Needless to add, a determined malicious code writer could easily conduct a similar search and cast a very wide net.