Researcher has hacked Tesla, Microsoft, Netflix and 30+ more

Illustration for the article titled This Researcher Hacked Into 35 Major Tech Companies, including Microsoft, Tesla and Netflix

Photo: THOMAS SAMSON / AFP (Getty Images)

Alex Birsan, a Romanian security researcher, recently made more than $130,000 by virtually breaking into the IT systems of dozens of major technology companies.

Birsan used a single innovative supply chain attack against Tesla, Netflix, Microsoft, Apple, PayPal, Uber, Yelp, and at least 30 other companies. In the process, the researcher exposed a major vulnerability and collected large sums of money through multiple bug bounties, the fees companies pay to “white hat” hackers who successfully test their online defenses.

How Birsan did it is quite interesting. It involves manipulating the code used in development projects, especially dependencies, the additional code a program needs in order to run. Threatpost notes that the attack would inject malicious code “into commonly used dependency installation tools in developer projects that typically use public repositories from sites such as GitHub. The malicious code then uses these dependencies to distribute malware through the internal applications and systems of a targeted company.”

Illustration for the article titled This Researcher Hacked Into 35 Major Tech Companies, including Microsoft, Tesla and Netflix

Screenshot: Lucas Ropek / Twitter

This is all pretty complicated, but essentially Birsan found that some code packages used internally by large companies were inadvertently published in public repositories such as GitHub, for a variety of reasons, including “misconfigured internal or cloud-based build servers” and “systemically vulnerable development pipelines.” Birsan also found that the automated build tools companies use during development would sometimes “confuse” this public code with internal code if the packages had the same name.

As a result, an attacker could potentially upload “malware to open source repositories” that would then be automatically pulled into a company’s systems, BleepingComputer reported. These malicious, spoofed packages could allow a culprit to execute arbitrary code, or could be used to add “backdoors within the affected project(s) during the build process,” Birsan said in a recent rundown of how Yelp was affected.

For example, PayPal published a note about Birsan’s findings explaining what had happened in its case:

… some development projects default to the public NPM registry, instead of using the intended internal packages. Since the packages on the public registry did not exist, the researcher created them and noticed that they were downloaded. If these packages were registered with malicious intent, it is possible that internal development may have included this code. While there are additional controls in the development pipeline, this could have caused significant problems for internal systems. Thanks to the researcher’s report, PayPal was able to mitigate the public registry issue and confirm no evidence of previous malicious activity.

Birsan has named this vulnerability “dependency confusion,” which, he said in a recent blog post, “has been detected in more than 35 organizations to date in all three programming languages tested. The vast majority of affected businesses fall into the 1000+ employee category, most likely reflecting the higher prevalence of internal library use within larger organizations.” He clarified to BleepingComputer that the exploit relates to “vulnerabilities or design flaws in automated build or installation tools [that] can cause public dependencies to be mistaken for internal dependencies with the exact same name.”
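The passages above describe the mechanism in words: a build tool that merges an internal package feed with the public registry and takes the highest version it finds will pull a public package that merely shares a name with an internal one. The following is an added, constructed example (not code from the article, from Birsan, or from any real package manager) that models that resolution behaviour as a toy resolver, puts the hardened form next to it, and adds the audit check a defender would want. All package names, versions and registries in it are invented.

```python
"""Toy model of dependency confusion and two defensive responses.

Added example with constructed data. The registries and package names are
invented, and the resolvers are simplified models of the behaviour the
article describes, not the logic of npm, pip, or any real tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # (major, minor, patch)
    registry: str


# Constructed registries: an internal company feed and the public registry.
INTERNAL_REGISTRY = {
    "acme-billing-core": [(1, 4, 2)],
    "acme-auth-client": [(2, 0, 0)],
}
PUBLIC_REGISTRY = {
    "left-pad": [(1, 3, 0)],
    # Same name as an internal package but a far higher version: the
    # collision the article describes.
    "acme-billing-core": [(99, 0, 0)],
}
REGISTRIES = {"internal": INTERNAL_REGISTRY, "public": PUBLIC_REGISTRY}

# Policy: names that may only ever be resolved from the internal feed.
INTERNAL_ONLY_NAMES = {"acme-billing-core", "acme-auth-client"}


def resolve_naive(name: str) -> Candidate:
    """Vulnerable model: query every registry and take the highest version,
    with no regard for where it came from. A public package with the same
    name and a higher version wins over the internal one."""
    candidates = [
        Candidate(name, version, registry)
        for registry, packages in REGISTRIES.items()
        for version in packages.get(name, [])
    ]
    if not candidates:
        raise LookupError(f"{name} not found on any registry")
    return max(candidates, key=lambda c: c.version)


def resolve_pinned(name: str) -> Candidate:
    """Hardened model: an internal name is looked up only on the internal
    registry and everything else only on the public one. Results from the
    two feeds are never merged, so a public package cannot shadow an
    internal one."""
    registry = "internal" if name in INTERNAL_ONLY_NAMES else "public"
    versions = REGISTRIES[registry].get(name, [])
    if not versions:
        raise LookupError(f"{name} not found on {registry} registry")
    return Candidate(name, max(versions), registry)


def audit_name_collisions() -> list:
    """Detection: list internal package names that also exist on the public
    registry. Every hit is a name the organization should claim, scope, or
    pin before a build tool resolves it from the wrong place."""
    return sorted(name for name in INTERNAL_ONLY_NAMES if name in PUBLIC_REGISTRY)


if __name__ == "__main__":
    for pkg in ("acme-billing-core", "left-pad"):
        print(pkg, "naive ->", resolve_naive(pkg).registry,
              "| pinned ->", resolve_pinned(pkg).registry)
    print("internal names also present on the public registry:",
          audit_name_collisions())
```

Running the block shows the same name resolving to the public registry under the naive rule and to the internal one under the pinned rule, while `left-pad`, which has no internal counterpart, resolves identically either way. The audit function is the part worth scheduling: run against the real list of internal names, it reports the collisions that the PayPal note above describes being found only after the researcher had already registered them.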

When Birsan began using this strategy last year, security company Sonatype started flagging the packages he uploaded as malware, the company recently reported, but Birsan quickly reached out and informed them of his ongoing research, explaining that there would be an official disclosure of the vulnerability in 2021.

Birsan’s successful hacks have earned him multiple bug bounties and the gratitude of a number of major tech companies.

“I think it’s important to clarify that every organization targeted by this study has given permission to have security tested, either through public bug bounty programs or through private agreements. Don’t try these kinds of tests without permission, ” Birsan wrote in the blog post.

Birsan, who previously worked as a Python engineer at Bitdefender and has worked as a self-employed IT security consultant for the past three years, further commented that the kind of vulnerability he discovered could become a much bigger problem in the future.

“I believe finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking at alternative programming languages and repositories will reveal an additional attack surface for dependency confusion bugs,” Birsan wrote.
