A researcher managed to breach the internal systems of more than 35 large companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla and Uber, in a new attack on the software supply chain.

A security researcher has found a clever way to breach Apple, Tesla and more than 30 other large companies using a novel attack on the open-source software supply chain.

The hacker took advantage of the fact that the build systems of many large companies pull open-source software from public package registries. Bleeping Computer explains:

The attack involved uploading malware to open source repositories including PyPI, npm and RubyGems, which were then automatically deployed downstream to the companies’ internal applications.

Unlike traditional typosquatting attacks that rely on social engineering tactics or the victim misspelling a package name, this particular supply chain attack is more sophisticated in that it required no action from the victim, which automatically received the malicious packages. This is because the attack exploited a unique design flaw in open source ecosystems called dependency confusion.

Security researcher Alex Birsan came up with the idea while working with researcher Justin Gardner. The latter had shared with Birsan a manifest file, package.json, from an npm package used internally by PayPal.

Birsan noted that some of the packages listed in the manifest file were not present in the public npm registry; they were private npm packages created by PayPal and used and stored internally by the company.

Seeing this, the researcher reasoned that a package with the same name could exist both in the public npm registry and in a private NodeJS repository. But which one would the installer prefer?

He soon found the answer: the public package had priority, so simply uploading a package with the same name to the public registry was enough for it to be downloaded automatically in place of the internal one.

In Apple’s case, Birsan managed to compromise several computers on the company’s internal network after uploading a Node package containing his proof-of-concept code to npm, the package manager for JavaScript, which Apple’s systems then downloaded. In particular, Birsan was able to reach projects related to the Apple ID authentication system.

Apple told the researcher that the vulnerability could have been used to achieve remote code execution on Apple’s servers. The Cupertino tech giant fixed the vulnerability within two weeks of disclosure.

The supply chain attack is based on the trust many developers place in package managers such as npm, Python’s pip and Ruby’s RubyGems. Another key factor is the use of internal packages whose names do not exist in public repositories. By publishing packages under the names of these internally used packages, Birsan was able to trick some build processes into downloading his code instead of the legitimate internal packages.
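A defender-side check for the exposure described above, added here as an example and not code from the article or from Birsan’s research: it audits a package-lock.json and flags internal package names that were resolved from the public npm registry or that are not scoped to the organisation. The internal package names, registry hosts and the lockfile itself are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Assumed org-specific values (constructed for this example).
INTERNAL_PACKAGES = {"@acme/logger", "acme-config", "acme-auth-utils"}
PRIVATE_REGISTRY_HOSTS = {"npm.internal.example"}
PUBLIC_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed package-lock.json (lockfileVersion 2) standing in for a real one.
SAMPLE_LOCK = json.dumps({
    "name": "acme-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "acme-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/@acme/logger": {
            "version": "2.1.0",
            "resolved": "https://npm.internal.example/@acme/logger/-/logger-2.1.0.tgz"},
        "node_modules/acme-config": {
            "version": "3.0.0",
            "resolved": "https://registry.npmjs.org/acme-config/-/acme-config-3.0.0.tgz"},
    },
})

def lock_entries(lock_text):
    """Yield (name, version, resolved_url) for every installed package."""
    lock = json.loads(lock_text)
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project itself
        # "node_modules/a/node_modules/@s/b" -> "@s/b" (keeps the scope)
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version"), meta.get("resolved")

def audit_lock(lock_text, internal=INTERNAL_PACKAGES):
    """Return [(name, version, reason)] for internal packages that look exposed."""
    findings = []
    for name, version, resolved in lock_entries(lock_text):
        if name not in internal:
            continue
        host = urlparse(resolved).hostname if resolved else None
        if host in PUBLIC_REGISTRY_HOSTS:
            findings.append((name, version, "internal name was fetched from the public registry"))
        elif host not in PRIVATE_REGISTRY_HOSTS:
            findings.append((name, version, f"unexpected or missing source: {resolved}"))
        if not name.startswith("@"):
            findings.append((name, version, "unscoped name: collides with the public namespace"))
    return findings

if __name__ == "__main__":
    for name, version, reason in audit_lock(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Run against a real lockfile, any "fetched from the public registry" finding for an internal name is the condition the article describes and warrants checking where that package came from.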

Of course, the fake packages were harmless, and Birsan alerted the companies as soon as he confirmed a successful infiltration. He has received over $130,000 in bug bounties, with Apple confirming it will reward him as well.
