Alex Birsan, a Romanian security researcher, recently earned more than $130,000 by ethically breaking into the IT systems of dozens of major technology companies.
Birsan used a single novel supply-chain attack to breach Tesla, Netflix, Microsoft, Apple, PayPal, Uber, Yelp and at least 30 other companies. In the process, the researcher exposed a major vulnerability and collected large sums through multiple bug bounties, the rewards companies pay "white hat" hackers to test their online defenses.
How Birsan did it is pretty interesting. It involves manipulating the code in development projects, specifically dependencies: the additional packages a program pulls in so that it can run. As Threatpost points out, the attack injects "malicious code" into the common tools that install dependencies in developer projects, which typically pull from public repositories on sites like GitHub. The malicious code then rides those dependencies to propagate malware through the internal applications and systems of "a specific company."
All of this is fairly involved, but in essence Birsan discovered that some large enterprises' internal code packages were being inadvertently published to public repositories such as GitHub, for reasons including "misconfigured internal or cloud-based build servers" and "systemically vulnerable development pipelines," among others. Birsan also found that the automated build tools companies use during development would sometimes "confuse" this public code with the internal code if the packages had the same name.
As a result, an attacker could upload "malicious software to open source repositories" that would then automatically make its way into a company's systems, according to BleepingComputer. These forged, malicious packages would allow a wrongdoer to execute arbitrary code, or could be used to add "backdoors within affected projects during the build process," Birsan said in a recent disclosure of how Yelp had been affected.
For example, PayPal published a note on Birsan's findings, explaining what had happened in its case:
… certain development projects went by default into the NPM public registry, instead of using the planned internal packages. Because the public registry packages did not exist, the researcher created them and observed that they were downloaded. If these packages were maliciously registered, internal development may have included this code. While there are additional checks and controls in the development pipeline, this could have caused significant problems for internal systems. Thanks to the investigator's report, PayPal was able to mitigate the problem with the public registry and did not confirm any evidence of previous malicious activity.
Birsan has dubbed this vulnerability "dependency confusion," which, he said in a recent blog post, "has been detected in more than 35 organizations so far, across the three programming languages tested. The vast majority of affected companies belong to the category of more than 1,000 employees, which probably reflects the higher prevalence of internal use of libraries in larger organizations." He clarified to BleepingComputer that exploitation involves "vulnerabilities or design defects in automated build or installation tools [that] can cause public dependencies to be confused with internal dependencies with the same name."
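The resolver behaviour described above, as an added example (this is not code from the article, from Birsan or from any affected company): a small model of a build tool that merges an internal and a public registry, the check that lists internal names already claimed publicly, and a pinned lookup that refuses to fall back to the public registry. All package names, versions and registry contents are constructed sample data.

```python
# Added example (not from the article, Birsan's tooling, or any vendor): models
# how a build tool that merges an internal and a public registry gets confused,
# and the two checks a defending team would run. All package names, versions and
# registry contents below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # semantic version as a comparable tuple, e.g. (1, 4, 2)
    registry: str   # "internal" or "public"

def resolve_default(candidates):
    """Confusing behaviour: the highest version wins, whatever registry offered it."""
    return max(candidates, key=lambda c: c.version)

def resolve_pinned(candidates, registry):
    """Hardened behaviour: a name pinned to one registry never falls back to another."""
    pinned = [c for c in candidates if c.registry == registry]
    if not pinned:
        raise LookupError(f"no candidate on registry {registry!r}; refusing to fall back")
    return max(pinned, key=lambda c: c.version)

def find_shadowed(internal_index, public_index):
    """Internal names that also exist publicly: each is a takeover risk until the
    public name is claimed by the organisation or the name is pinned internally."""
    return sorted(name for name in internal_index if name in public_index)

# Constructed sample data: two internal packages, and a public registry on which
# one of them has been registered by an outsider with an inflated version number.
INTERNAL_INDEX = {"acme-auth-client": (1, 2, 0), "acme-billing": (3, 0, 1)}
PUBLIC_INDEX = {"acme-auth-client": (99, 0, 0), "left-pad": (1, 3, 0)}

def candidates_for(name):
    """Collect every registry's offer for a name, the way a merged resolver would."""
    found = []
    if name in INTERNAL_INDEX:
        found.append(Candidate(name, INTERNAL_INDEX[name], "internal"))
    if name in PUBLIC_INDEX:
        found.append(Candidate(name, PUBLIC_INDEX[name], "public"))
    return found

if __name__ == "__main__":
    for name in find_shadowed(INTERNAL_INDEX, PUBLIC_INDEX):
        risky = resolve_default(candidates_for(name))
        safe = resolve_pinned(candidates_for(name), "internal")
        print(f"{name}: default picks {risky.registry} {risky.version}, "
              f"pinned picks {safe.registry} {safe.version}")
```

Running the check against a real internal index means replacing the constructed dictionaries with the organisation's own package list and a lookup against the public registry's metadata endpoint.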
When Birsan began using this strategy last year, security company Sonatype started flagging the packages he was uploading as malware, the company reported recently, but Birsan quickly contacted them and notified them of his ongoing research, explaining that the official disclosure of the vulnerability would come in 2021.
Birsan's successful hacks have earned him multiple bug bounties and the gratitude of a large number of big technology companies.
"I think it's important to make it clear that all the organizations under investigation have given permission to test their security, either through public bug bounty programs or through private agreements. Do not attempt this type of test without authorization," Birsan wrote in his blog post.
Birsan, who previously worked as a Python engineer at Bitdefender and has spent the last three years as a freelance IT security consultant, also noted that the type of vulnerability he discovered has the potential to become a much bigger problem in the future.
"I believe that finding new and smart ways to leak internal package names will expose even more vulnerable systems, and searching for alternative programming languages and repositories to target will reveal an additional attack surface for dependency confusion bugs," Birsan wrote.