A security researcher claims to have hacked into systems at large companies, including Apple and Microsoft, again using an attack on the software supply chain, just as it did in the SolarWinds invasion. The purpose of the breach, according to Alex Biran, was to show the fragility of the security of the infrastructures of these companies, even after the megataque to the American software manufacturer, in December last year.
Biran claims to have created malicious node packages and loaded them into the npm (Node Package Manager) registry with unclaimed names. The node packs collected information through their pre-installation script about the machines on which they were installed. Then Biran found a way to get packages to send information to him.
“Knowing that most of the possible targets would be within well-protected corporate networks, I considered DNS exfiltration to be the way to go,” wrote Biran in a post. The data was encoded in hexadecimal and used as part of a DNS query, which reached the researcher’s personalized authorized name server, either directly or through intermediate resolvers. Biran then found private package names within JavaScript files.
“Apple, Yelp and Tesla are just a few examples of companies that have had employee names exposed in this way,” wrote Biran. In the second half of 2020, Biran verified millions of domains belonging to target companies and extracted hundreds of names from JavaScript packages that had not been claimed in the npm registry. “I uploaded his malicious code to the package hosting services and achieved a success rate that he described as” just amazing, “he said.
“Occupying valid internal package names was an almost foolproof method of entering the networks of some of the biggest technology companies, getting remote code execution and possibly allowing attackers to add backdoors during builds,” said Biran. “This kind of vulnerability, which I started to call dependency confusion, has been detected in more than 35 organizations so far, in all three programming languages tested.”
The vast majority of affected companies employed more than 1,000 people. “This is an incredibly serious problem across the industry,” Craig Young, principal security researcher at Tripwire, told Infosecurity. “When software development companies allow their employees to download and start working with arbitrary coding modules from public repositories, they are exposing themselves to legal and security risks. In that case, he was a researcher with an innocuous ‘phone home’ payload, but it could just as easily have been an APT implanting a malware implant or a patent troll implementing a commercially licensed algorithm. ”
See the original post at: https://www.cisoadvisor.com.br/pesquisador-afirma-ter-invadido-sistemas-da-apple-microsoft-yelp-e-tesla/?rand=59039
