A security researcher claims to have hacked into systems at large companies, including Apple and Microsoft, once again by attacking the software supply chain, as happened in the SolarWinds breach. The purpose of the intrusion, according to Alex Birsan, was to show how fragile the security of these companies' infrastructure remains, even after the massive attack on the American software manufacturer in December last year.
Birsan claims to have created malicious Node packages and uploaded them to the npm (Node Package Manager) registry under unclaimed names. The packages collected information about the machines they were installed on through their pre-install script. Birsan then found a way to get the packages to send that information back to him.
“Occupying valid internal package names was an almost foolproof method of entering the networks of some of the biggest technology companies, getting remote code execution and possibly allowing attackers to add backdoors during builds,” said Birsan. “This kind of vulnerability, which I started to call dependency confusion, has been detected in more than 35 organizations so far, in all three programming languages tested.”
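The exposure described above comes from a private package name that a public registry will also happily serve. The following Node script, an added example that is not from the article or from Birsan's research, audits a project for that condition: it reads the organisation's list of internal package names, the project's `package.json`, its `package-lock.json` and its `.npmrc`, and reports internal dependencies whose name is unscoped, whose scope is not pinned to a private registry, or whose lockfile entry was resolved from the public registry. The package names, registry host `npm.acme.internal` and file contents are constructed for the example.

```javascript
// Added example: detect dependency-confusion exposure in a Node project.
// All inputs below are constructed; in practice they would be read from disk.
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Hypothetical inventory of names the organisation publishes only internally.
const INTERNAL_PACKAGES = ["acme-auth-utils", "@acme/logger"];

const samplePackageJson = {
  name: "acme-billing-service",
  dependencies: {
    "express": "^4.18.2",
    "acme-auth-utils": "^1.0.0", // unscoped internal name: confusable
    "@acme/logger": "^2.1.0",    // scoped: safe only if the scope is pinned
  },
};

// Lockfile excerpt: the public registry served a version 99.0.0 of the
// internal package, which is exactly the symptom of a confusion attack.
const sampleLock = {
  packages: {
    "node_modules/express": { resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz" },
    "node_modules/acme-auth-utils": { resolved: "https://registry.npmjs.org/acme-auth-utils/-/acme-auth-utils-99.0.0.tgz" },
    "node_modules/@acme/logger": { resolved: "https://npm.acme.internal/@acme/logger/-/logger-2.1.0.tgz" },
  },
};

// .npmrc that pins the @acme scope to the private registry (the mitigation).
const sampleNpmrc = `
registry=https://registry.npmjs.org/
@acme:registry=https://npm.acme.internal/
`;

// Parse the subset of .npmrc we need: the default registry and scope pins.
function parseNpmrc(text) {
  const scopes = {};
  let defaultRegistry = PUBLIC_REGISTRY;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") defaultRegistry = value;
    else if (key.startsWith("@") && key.endsWith(":registry")) {
      scopes[key.slice(0, -":registry".length)] = value;
    }
  }
  return { defaultRegistry, scopes };
}

// "@acme/logger" -> "@acme"; unscoped names return null.
function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

// Returns one finding per problem; an empty array means no exposure found.
function audit(pkgJson, lock, npmrcText, internalNames) {
  const rc = parseNpmrc(npmrcText);
  const internal = new Set(internalNames);
  const findings = [];
  for (const name of Object.keys(pkgJson.dependencies || {})) {
    if (!internal.has(name)) continue;
    const scope = scopeOf(name);
    // npm picks the scope's registry if one is configured, else the default.
    const registry = scope && rc.scopes[scope] ? rc.scopes[scope] : rc.defaultRegistry;
    if (registry === PUBLIC_REGISTRY) {
      findings.push({
        name,
        reason: scope
          ? `scope ${scope} is not pinned to a private registry in .npmrc`
          : "unscoped internal name resolves to the public registry",
      });
    }
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (entry && entry.resolved && entry.resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, reason: `lockfile resolved it from the public registry: ${entry.resolved}` });
    }
  }
  return findings;
}

for (const f of audit(samplePackageJson, sampleLock, sampleNpmrc, INTERNAL_PACKAGES)) {
  console.log(`[dependency-confusion] ${f.name}: ${f.reason}`);
}
```

With the sample inputs the scoped `@acme/logger` passes because its scope is pinned, while `acme-auth-utils` is reported twice: its unscoped name can only be served by the default registry, and the lockfile shows that it already was. Removing the `@acme:registry` line from the `.npmrc` makes the scoped package fail as well, which is why scoping alone, without the registry pin, is not a complete fix.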
The vast majority of the affected companies employ more than 1,000 people. “This is an incredibly serious problem across the industry,” Craig Young, principal security researcher at Tripwire, told Infosecurity. “When software development companies allow their employees to download and start working with arbitrary coding modules from public repositories, they are exposing themselves to legal and security risks. In this case, it was a researcher with an innocuous ‘phone home’ payload, but it could just as easily have been an APT planting a malware implant or a patent troll implementing a commercially licensed algorithm.”
See the original post at: https://www.cisoadvisor.com.br/pesquisador-afirma-ter-invadido-sistemas-da-apple-microsoft-yelp-e-tesla/?rand=59039