A cybersecurity researcher breached over 35 major companies, including Apple and PayPal, in a novel software supply chain attack.
Ethical hacker Alex Birsan discovered a method to inject malicious dependency packages into commonly used open-source developer tools.
The exploit method affects several programming languages whose package managers install dependencies into projects from public repositories.
Supply chain attack affects 35 companies
Birsan’s hacking method, called dependency confusion, allowed him to exploit 35 companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber in a supply chain attack.
Injecting malicious code into internal codebases allows an attacker to propagate through a company’s internal applications and systems.
“Squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds,” Birsan wrote.
The cybersecurity researcher noted that the compromise method was surprisingly successful on three tested programming languages (Python, Java, and Ruby).
Blind trust when installing dependencies exposes companies to malware
Birsan’s hacking idea originated from how simple install commands worked on package installers such as npm and pip.
He said that simple install commands such as “pip install <package_name>” were tied to public repositories to which anybody could upload packages. Additionally, the code hosting systems could not guarantee that those packages were malware-free.
“When downloading and using a package from any of these sources, you are essentially trusting its publisher to run code on your machine,” Birsan wrote. “So can this blind trust be exploited by malicious actors?”
Birsan hatched the idea after receiving a Node.js file from another ethical hacker, Justin Gardner, while the two were jointly trying to hack PayPal.
Dependency managers default to public repositories for non-existent or private packages
He discovered that the code’s package.json file included a mixture of internal and external dependencies. Some of the dependencies were publicly available, while others were hosted privately.
“What happens if malicious code is uploaded to npm under these names?” Birsan wondered. “Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?”
Birsan’s idea was right: he uploaded “malicious” npm packages under the unclaimed names, and every computer that tried to install them phoned home, notifying him whenever the attempted install originated from PayPal servers.
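The exposure described above, a manifest that mixes internal and public dependency names, can be linted for. The following is an added example, not code from the article or from Birsan's research: it assumes the organization keeps a list of its internal package names and publishes private packages under an npm scope that is pinned to a private registry in .npmrc, and it flags internal names that the default public registry could satisfy instead.

```javascript
// Added example, not from the article or Birsan's research: audit a package.json for
// dependency-confusion exposure. Assumptions: the org lists its internal package names,
// and private packages sit under an npm scope pinned to a registry in .npmrc; unscoped
// internal names resolve from the default public registry, which is the hijack path.
// Sample inputs below are constructed; "acme", "legacy" and the URLs are placeholders.
const PACKAGE_JSON = JSON.stringify({
  name: "payments-ui",
  dependencies: {
    express: "^4.18.0",           // genuine public package
    "acme-auth-client": "^2.1.0", // internal but unscoped
    "@acme/logging": "^1.4.2",    // internal, scope pinned in .npmrc below
    "@legacy/queue": "^0.3.0",    // internal, scope never pinned
  },
  devDependencies: { "acme-build-tools": "^3.0.0" }, // internal, unscoped
});
const NPMRC = "registry=https://registry.npmjs.org/\n@acme:registry=https://npm.internal.example/\n";
const INTERNAL_NAMES = new Set(["acme-auth-client", "acme-build-tools", "@acme/logging", "@legacy/queue"]);

// Parse "@scope:registry=URL" pins out of an .npmrc body.
function scopedRegistries(npmrc) {
  const pins = new Map();
  for (const line of npmrc.split("\n")) {
    const m = line.match(/^(@[^:]+):registry=(\S+)/);
    if (m) pins.set(m[1], m[2]);
  }
  return pins;
}

// One finding per internal dependency that the public registry could satisfy.
function auditDependencyConfusion(pkgJsonText, npmrc, internalNames) {
  const pkg = JSON.parse(pkgJsonText);
  const pins = scopedRegistries(npmrc);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (!internalNames.has(name)) continue; // public dependency, nothing to check here
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (scope === null) findings.push({ name, risk: "unscoped-internal" });
    else if (!pins.has(scope)) findings.push({ name, risk: "scope-not-pinned", scope });
  }
  return findings;
}

console.log(auditDependencyConfusion(PACKAGE_JSON, NPMRC, INTERNAL_NAMES));
```

The check is a lint over the manifest and .npmrc only; it does not replace reviewing the lockfile for which registry each resolved package actually came from.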
He then created a Node package whose preinstall script collected information, including the username, hostname, and current path, from every machine that installed it.
“Along with the external IPs, this was just enough data to help security teams identify possibly vulnerable systems based on my reports while avoiding having my testing be mistaken for an actual attack,” he said.
DNS exfiltration circumvents corporate network security
He used DNS exfiltration to receive data from the “compromised” organizations. This method allowed him to circumvent the corporate network’s security protections during his mock supply chain attack.
“The data was hex-encoded and used as part of a DNS query, which reached my custom authoritative name server, either directly or through intermediate resolvers,” Birsan explained. “The server was configured to log each received query, essentially keeping a record of every machine where the packages were downloaded.”
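From the defender's side, the pattern Birsan describes, hex-encoded data carried in the labels of a DNS query, is detectable in resolver logs. The following is an added example and not part of the article or of Birsan's tooling: it scans constructed log lines in an assumed "<timestamp> <client> <qname> <qtype>" layout, flags queries whose leading labels form a long run of hex, and decodes the run so an analyst can see what the host leaked.

```javascript
// Added example, not part of the article or Birsan's tooling: detection logic for the
// hex-in-DNS-label pattern described above. Each query name is split into labels; a
// run of leading labels that are all even-length hex and together exceed MIN_HEX_CHARS
// is treated as an encoded payload and decoded for analyst triage. Log lines are
// constructed, in an assumed "<timestamp> <client> <qname> <qtype>" layout.
const DNS_LOG = [
  "2021-02-09T10:00:01Z 10.20.30.40 www.example.com A",
  "2021-02-09T10:00:02Z 10.20.30.41 6275696c642d30312e6578616d706c652e636f72702e7e2f7372632f617070.log.attacker-lab.example TXT",
  "2021-02-09T10:00:03Z 10.20.30.42 registry.npmjs.org A",
  "2021-02-09T10:00:04Z 10.20.30.43 a1b2c3.cdn.example.net A", // short hex-looking label, stays quiet
];

const MIN_HEX_CHARS = 20; // shorter hex labels (cache busters, content hashes) are too common to flag alone
const HEX_LABEL = /^(?:[0-9a-f]{2})+$/i; // even-length hex only, so it decodes to whole bytes

// Pull the leading hex labels off a qname; returns { payload, suffix }.
function splitHexLabels(qname) {
  const labels = qname.split(".");
  const hexPart = [];
  while (labels.length > 1 && HEX_LABEL.test(labels[0])) hexPart.push(labels.shift());
  return { payload: hexPart.join(""), suffix: labels.join(".") };
}

// Return one alert per query that carries a long hex payload in its labels.
function detectHexExfil(lines) {
  const alerts = [];
  for (const line of lines) {
    const [ts, client, qname, qtype] = line.trim().split(/\s+/);
    const { payload, suffix } = splitHexLabels(qname);
    if (payload.length < MIN_HEX_CHARS) continue;
    alerts.push({
      ts, client, qtype, suffix,
      decoded: Buffer.from(payload, "hex").toString("utf8"), // what the host leaked, for triage
    });
  }
  return alerts;
}

console.log(detectHexExfil(DNS_LOG));
```

The heuristic only covers the hex encoding the article describes; base32 or base64 labels would need their own test, and the suffix field is what to compare against the list of domains the organization actually owns.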
Dependency confusion attack method portable to various ecosystems
After the success of his supply chain attack, the researcher expanded to more ecosystems to reach more organizations. He ported the code to Python and Ruby through PyPI (the Python Package Index) and RubyGems, respectively.
Birsan pointed out that the success of his supply chain attack depended on finding as many unclaimed dependency names as possible. He realized that he could find private package names on GitHub and other package hosting services, where they had been inadvertently published, as well as on other forums.
Birsan earned at least $130,000 in bounty payouts, including $40,000 from Microsoft, which was the highest possible payout for the bounty program. Apple, PayPal, and Shopify paid the researcher $30,000 each.
Craig Young, principal security researcher at Tripwire, says that the security issue discovered by Birsan is a “serious industry-wide problem.”
“Organizations face a constant stream of choices between reinventing every wheel, entering costly license agreements, or utilizing open source software,” Young says. “Embracing open source has allowed many businesses to flourish while keeping down the cost of initial development at the expense of extremely murky supply chains.”
He adds that software development companies should monitor every change in externally sourced software, but doing so is almost impossible.
“The problem is that dependency chains can quickly spiral out of control and oftentimes there are good reasons for wanting quick updates whether it be security or general bug fixes. Identifying, interpreting, and analyzing potentially thousands of lines of code could largely offset the cost savings of open source for some organizations.”
He noted that allowing employees to download and work with arbitrary external open-source packages exposes organizations to potential legal and security risks.
“In this case, it was a researcher with an innocuous ‘phone home’ payload but it could have just as easily been an APT deploying a malware implant or a patent troll deploying a commercially licensed algorithm.”