In a write up posted on Tuesday, Birsan recounted how he managed to distribute proof-of-concept malicious code through the npm Registry, PyPI (Python Package Index), and RubyGems, which are used by developers to install software libraries that add functionality to their applications.
Integrating third-party software libraries from public registries requires a high degree of trust in those creating and uploading software packages, trust that has frequently been abused through techniques like typosquatting or compromising a library maintainer's account.
These packaging systems are public in that any developer can add specific package names to their code and load those libraries from a remote repository into the environment where the app that contains the modules will run.
But they also allow for private dependencies – code libraries used internally at an organization that aren't available to the general public.
Birsan set out to see whether he could identify the names of private packages used inside companies and create malicious packages using those library names to place in the public package registries – the indexes that keep track of available software modules.
So Biran crafted identically named libraries that he designed to sneak system configuration data through corporate firewalls. His exfiltration scheme relied on hex-encoding the info and making it a part of a DNS query to a custom DNS server that he controlled.
Polluting the coding stream
The challenge then became getting applications that require private libraries to look for those file names in a polluted public source.
As it turns out, it's common for corporate software developers to rely on a hybrid configuration for their applications, one that references private internal packages but also supports fetching dependencies from a public registry, in order to ensure packages are up-to-date.
More patches for SolarWinds Orion after researchers find flaw allowing low-priv users to execute code, among othersREAD MORE
"Internal developers publish their packages to this private feed, and consumers check both private and public feeds for the best available versions of the required packages," Microsoft explained in a paper published in conjunction with Birsan's disclosure. "This configuration presents a supply chain risk: the substitution attack."
The substitution attack – having apps look for dependencies and fetch identically named malicious versions from a poorly secured public source instead of a company-controlled source – ended up working rather well for Birsan.
"From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds," he said.
The companies that Birsan managed to attack with this technique include Apple, Microsoft, Netflix, PayPal,Shopify, Tesla, Uber, and Yelp. And for his efforts, he has been awarded at least $130,000 from bug bounty programs involving these firms.
Birsan's success in carrying out such attacks should set off alarm bells. Software supply chain attacks present a higher degree of risk than many threat scenarios because they have the potential to affect so many downstream victims. Recall that the compromise of the SolarWinds build system, among the most significant software security incidents in recent memory, was a supply chain attack.
Birsan's malicious proof-of-concept files were detected by security biz Sonatype's automated detection systems, but the firm allowed the experiment to go forward after conferring with him and discussing the disclosure timeline.
Sonatype, whose CTO raised concerns about lack of proper namespace management in open source ecosystems years ago, yesterday released a script to help companies check whether their internal package names can be found in public package registries. According to the company, there's been a 430 per cent increase in upstream software supply chain attacks. ®