Dependency Confusion Supply-Chain Attack Hit Over 35 High-Profile Companies
2021-02-10 04:57

In a novel supply-chain attack, a security researcher breached the internal systems of more than 35 major companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, and achieved remote code execution inside their networks.

The technique, called dependency confusion or a substitution attack, takes advantage of the fact that a piece of software may pull its components from a mix of private and public package sources.

External dependencies are fetched from public package repositories during the build. The attack opportunity arises when the build tooling is configured to consult both a private feed and a public registry for the same package name: an adversary publishes a package to the public registry under the name of an internal module, with a higher version number than the private one, and the package manager, which typically prefers the highest version it can find, downloads the bogus "latest" release automatically, without any action by the developer.
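The resolution behaviour described above, as an added example that is not the researcher's code and not any real package manager's resolver: a vulnerable "merge every feed, take the highest version" policy beside a hardened policy that binds each name to exactly one source, plus the defender's check for internal names that have been claimed on the public registry (the same name collision the name-harvesting step described below relies on). Every package name, version number and feed entry here is constructed for illustration.

```python
"""Simulated package resolution against a private feed plus a public registry.

Added example (not the researcher's code and not any real package manager's
resolver): it models the "pick the highest version from any configured index"
behaviour that makes dependency confusion work, alongside a hardened policy
that binds each name to exactly one source. All package names, versions and
feed contents below are constructed for illustration.
"""

# Hypothetical private feed: internal packages that never existed publicly.
PRIVATE_FEED = {
    "acme-auth-lib": {"1.4.2": "private"},
    "acme-billing": {"0.9.0": "private", "0.9.1": "private"},
}

# Hypothetical public registry after an attacker has uploaded the squatted names.
# "acme-auth-lib" carries an inflated version number; "acme-billing" is claimed
# at a lower version, which still occupies the name but does not win resolution.
PUBLIC_REGISTRY = {
    "requests": {"2.25.1": "public"},
    "acme-auth-lib": {"99.0.0": "public"},  # attacker-controlled
    "acme-billing": {"0.1.0": "public"},    # attacker-controlled
}

# Allowlist of names that must only ever come from the private feed.
INTERNAL_NAMES = {"acme-auth-lib", "acme-billing"}


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def resolve_merged(name, feeds):
    """Vulnerable policy: collect candidates from every configured feed and
    take the highest version, regardless of where it came from. This mirrors
    what happens when a public index is added as an "extra" source next to
    the private one."""
    candidates = []
    for feed in feeds:
        for version, origin in feed.get(name, {}).items():
            candidates.append((parse_version(version), version, origin))
    if not candidates:
        raise LookupError(f"{name}: no candidates in any feed")
    candidates.sort(key=lambda c: c[0])
    _, version, origin = candidates[-1]
    return version, origin


def resolve_pinned(name, private_feed, public_registry, internal_names):
    """Hardened policy: a name on the internal allowlist is resolved only from
    the private feed and every other name only from the public registry, so a
    public upload can never shadow an internal package. A name missing from
    the allowlist is still exposed, which is why the list must be complete."""
    feed = private_feed if name in internal_names else public_registry
    versions = feed.get(name)
    if not versions:
        raise LookupError(f"{name}: not present in its designated feed")
    best = max(versions, key=parse_version)
    return best, versions[best]


def squatted_internal_names(private_feed, public_registry):
    """Defender's check: internal names that now also exist on the public
    registry. Any hit is either a collision or an attempt to claim the name."""
    return sorted(set(private_feed) & set(public_registry))


if __name__ == "__main__":
    for pkg in ("acme-auth-lib", "acme-billing", "requests"):
        merged = resolve_merged(pkg, [PRIVATE_FEED, PUBLIC_REGISTRY])
        pinned = resolve_pinned(pkg, PRIVATE_FEED, PUBLIC_REGISTRY, INTERNAL_NAMES)
        print(f"{pkg:14} merged -> {merged}   pinned -> {pinned}")
    print("squatted:", squatted_internal_names(PRIVATE_FEED, PUBLIC_REGISTRY))
```

Under the merged policy the internal `acme-auth-lib` resolves to the attacker's 99.0.0 from the public registry, while the pinned policy keeps returning the private 1.4.2. Note that the hardened resolver only protects names on its allowlist; the real-world equivalents are namespaced or scoped package names, a single private index that proxies the public one instead of two independent sources, and claiming the internal names on the public registries so nobody else can.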

"From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds," security researcher Alex Birsan detailed in a write-up.

To carry out the attack, Birsan began by collecting the names of private internal packages used by major companies from GitHub, from posts on various internet forums, and from JavaScript files that list a project's dependencies, and then uploaded rogue libraries under those same names to open-source package hosting services such as npm, PyPI, and RubyGems.

Birsan ultimately used the counterfeit packages to obtain a record of every machine on which they were installed, exfiltrating the details over DNS because, as he put it, "Traffic would be less likely to be blocked or detected on the way out."
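Detection logic for that exfiltration channel, as an added example that is not code from the write-up: it scans resolver log lines for query names whose subdomain labels look like encoded payload (long and purely hexadecimal, or long and high-entropy) and decodes the hex ones for the analyst. The log format ("timestamp client qname", one query per line), the attacker domain, the client addresses and the encoded host details are all constructed for illustration.

```python
"""Flag DNS queries from build hosts that look like encoded data exfiltration.

Added example, not code from the write-up: the researcher reported sending
host details out over DNS, and this is the detection logic a defender would
run over resolver logs. The log format ("timestamp client qname", one query
per line) and every domain, host and client address below are constructed
for illustration; the hex-encoded labels spell out made-up host details.
"""

import math
import re
from collections import Counter

# Constructed sample: two queries carrying hex-encoded strings as subdomains of
# a hypothetical attacker domain, mixed with ordinary registry lookups.
SAMPLE_LOG = """\
2021-02-09T10:00:01Z 10.0.4.21 registry.npmjs.org
2021-02-09T10:00:02Z 10.0.4.21 6275696c642d31322e636f72702e6578616d706c65.2e2f6a656e6b696e732f.c1.attacker-dns.example
2021-02-09T10:00:02Z 10.0.4.21 7573657220726f6f74.c2.attacker-dns.example
2021-02-09T10:00:03Z 10.0.4.21 pypi.org
2021-02-09T10:00:04Z 10.0.4.22 files.pythonhosted.org
"""

HEX_LABEL = re.compile(r"^[0-9a-f]+$")
MIN_LABEL_LEN = 16       # shorter labels are too often legitimate CDN or hash names
ENTROPY_THRESHOLD = 3.5  # bits per character; plain words sit well below this


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def suspicious_labels(qname):
    """Return the labels of a query name that look like encoded payload:
    long and purely hexadecimal, or long and high-entropy (catches base32/64
    style encodings that the hex rule misses)."""
    hits = []
    for label in qname.lower().split("."):
        if len(label) < MIN_LABEL_LEN:
            continue
        if HEX_LABEL.match(label) or shannon_entropy(label) > ENTROPY_THRESHOLD:
            hits.append(label)
    return hits


def decode_hex_labels(labels):
    """Best-effort decode of hex labels so an analyst sees what left the network."""
    out = []
    for label in labels:
        if HEX_LABEL.match(label) and len(label) % 2 == 0:
            out.append(bytes.fromhex(label).decode("utf-8", errors="replace"))
    return "".join(out)


def find_exfil_queries(log_text):
    """Scan resolver log lines and return one finding per suspicious query."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed or blank line
        timestamp, client, qname = parts
        labels = suspicious_labels(qname)
        if labels:
            findings.append({
                "timestamp": timestamp,
                "client": client,
                "qname": qname,
                "decoded": decode_hex_labels(labels),
            })
    return findings


if __name__ == "__main__":
    for finding in find_exfil_queries(SAMPLE_LOG):
        print(f"{finding['client']} -> {finding['qname']}")
        print(f"    decoded: {finding['decoded']!r}")
```

On the sample log the two queries to the attacker domain are flagged and decode to the constructed hostname, path and user strings, while the registry lookups pass. In production the thresholds need tuning against a baseline of the build network's own traffic, since some CDNs and content-hash hostnames legitimately produce long hexadecimal labels; correlating hits with the installing package, as the build logs would show, is what turns a flagged query into an incident.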


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/xrvY4re7MoE/dependency-confusion-supply-chain.html