A new type of supply chain attack unveiled last month is targeting more and more companies, with new rounds this week targeting Microsoft, Amazon, Slack, Lyft, Zillow and an unknown number of others. In recent weeks, Apple, Microsoft, Tesla and 32 other companies have been the target of a similar attack that allowed a security researcher to execute unauthorized code within their networks.
The latest attack on Microsoft was also carried out as a proof-of-concept by a researcher. Attacks targeting Amazon, Slack, Lyft and Zillow, on the other hand, were malicious, but it’s not clear whether they managed to execute the malware within their networks. The npm and PyPi open source code repositories, meanwhile, have been flooded with more than 5,000 proof-of-concept packages, according to Sonatype, a company that helps customers secure the applications they develop.
“Given the daily number of suspicious npm packages picked up by Sonatype’s automated malware detection systems, we expect this trend to only increase, with malicious actors exploiting dependency confusion to perform even more sinister activities,” Sonatype researcher Ax Sharma previously wrote. this week.
A slick attack
The purpose of these attacks is to execute unauthorized code in a target’s internal software building system. The technique works by uploading malicious packages to public code repositories and naming them identical to a package stored in the target developer’s internal repository.
Developer software management apps often prefer external code libraries over internal ones, so download and use the malicious package rather than the trusted one. Alex Birsan – the researcher who tricked Apple and the other 34 companies into using the proof-of-concept packages he uploaded to npm and PyPi – called the new type of supply chain attack dependency confusion or namespace confusion because it is dependent from software dependencies with misleading names.
Software dependencies are code libraries that an application must have in order to work. Typically, developers monitor the names of dependencies within their software building systems. But Birsan found that the names often leak when package.json files — which contain various metadata relevant to a development project — are embedded in public script files. Internal paths and public scripts containing the requirement() programming call can also leak dependency names.
In the event that the file of the same name is not available in a public repository, hackers can upload a malicious package and give it the same file name and version number higher than the authentic file stored internally. In many cases, developers accidentally use the malicious library or their build application does it automatically.
“It’s a slick attack,” said HD Moore, co-founder and CEO of network discovery platform Rumble. “My guess is it affects a lot of people.” He added that the greatest risk is organizations that use large numbers of internal packages and do not take special measures to prevent public packages from replacing internal packages.
In the weeks since Birsan published his findings, dependency confusion attacks have flourished. Microsoft had already been hit by a proof-of-concept attack that carried out Birsan’s unauthorized package on its network, but recently fell into a second attack, carried out by researchers at Contrast Security.
Shortly thereafter, a script Austin placed in the module began contacting him from various internal Microsoft IP addresses. Austin wrote:
Whether the responses I saw were automated or manual, the fact that I was able to generate this response poses significant risk. Using the script after installation, I was able to run code in any environment where it was installed. If attackers ran code like I did on a build server for a desktop application update that was about to be deployed, they could insert anything they wanted into that update, and that code would go to every desktop with Teams – over 115 million machines . Such an attack could have monumental consequences, potentially affecting as many organizations as the massive attack on the SolarWinds software factory unveiled in December.
He provided the following image that illustrates how a malicious attack might work in this theoretical scenario:
A Microsoft spokeswoman wrote, “As part of our increased efforts to mitigate packet substitution attacks, we quickly identified and addressed the said issue, and at no time did it pose a serious security risk to our customers.” The spokeswoman added that the system running Austin’s code was part of the company’s security testing infrastructure. Microsoft has more about the risks and ways to mitigate them here.
Attacks turn malicious
Like the packages uploaded by Birsan and Austin, the thousands of files flooding npm and PyPi usually contain benign scripts that send the researchers the IP address and other generic details of the computer they’re running on.
But not all uploads have observed such reluctance. On Monday, Sonatype researchers reported files uploaded to npm that attempted to steal password hashes and bash script histories from companies like Amazon, Slack, Lyft and Zillow.
“These activities would take place once a dependency confusion attack succeeds and no victim action is needed given the nature of the dependency/namespace hijacking problem,” wrote Sharma, the researcher at Sonatype.
Bash histories, which store commands and other inputs that administrators type into their computers, often contain plain text passwords and other sensitive data. Files stored in the /etc/shadow path of Linux machines store the cryptographic hashes of passwords needed to access user accounts on the computer. (To compromise hashes, the npm app must be run in super user mode, an extremely elevated set of privileges that are almost never given to software management apps.)
Sonatype said it had no way of knowing whether the files were executed by any of the companies targeted by the scripts.
The targets respond:
In a statement, Slack officials wrote:
The mock library in question is not part of Slack’s product, nor is it maintained or supported by Slack. We have no reason to believe that the malicious software has gone into production. Our security team regularly scans the dependencies used in our product with internal and external tools to prevent these types of attacks. In addition, Slack’s secure development practices, such as using private scope when using private dependencies, make it unlikely that a dependency-related attack on our product would be successful.
A statement from Lyft read: “Lyft was not harmed in this attempt. There is no indication that this malicious software was running on Lyft’s network. Lyft has a dedicated information security program to defend against such supply chain attacks and runs an active bug bounty program to continuously test security controls.”
Zillow officials wrote:
We are aware of the recent security report about a possible attack with counterfeit software packages. After an investigation by our security team, we found no evidence that our systems were compromised or misused by the disclosed technique. Our team also takes a number of actions to monitor and defend future potential attempts to gain unauthorized access to our systems.
In the meantime, representatives of npm wrote: “In this blog post, we have provided guidelines for the best protection against these types of substitution attacks. We are committed to keeping npm safe and continuing to improve the security of the ecosystem.”
Amazon representatives did not respond to an email asking for comment. A PyPi representative did not immediately respond.
The recent hack against network tools provider Solar Winds, which compromised the Texas company’s software building system and used it to distribute malicious updates to 18,000 customers, was a stark reminder of the damage that can result from supply-side attacks. Dependency confusion attacks can do even more damage unless developers take precautions.