Rapid increase in new supply chain attacks targeting 'software dependencies', hitting Amazon, Slack, Lyft, and others



In some programming languages, units of code called 'packages' implement specific features, and software developers can pull those features into their own programs by declaring a dependency on the package. Much software depends on existing packages rather than having all of its code written from scratch, and new supply chain attacks targeting this software dependency mechanism have been reported to be proliferating.

Newly Identified Dependency Confusion Packages Target Amazon, Zillow, and Slack; Go Beyond Just Bug Bounties

https://blog.sonatype.com/malicious-dependency-confusion-copycats-exfiltrate-bash-history-and-etc-shadow-files

PyPI and npm Flooded with over 5,000 Dependency Confusion Copycats
https://blog.sonatype.com/pypi-and-npm-flooded-with-over-5000-dependency-confusion-copycats

A new type of supply-chain attack with serious consequences is flourishing | Ars Technica
https://arstechnica.com/gadgets/2021/03/more-top-tier-companies-targeted-by-new-type-of-potentially-serious-attack/

The supply chain attack in question was reported by security researcher Alex Birsan in February 2021. Birsan focused on the distinction between 'external packages' published in public repositories and 'internal packages' held by individual companies, and devised an attack that replaces the internal packages a company uses with external packages containing malicious code.

Birsan analyzed code that companies had inadvertently published and identified the names of internal packages that appeared to have been developed in-house. He then created packages with the same names as these internal packages, put in code that collected and sent back data about the machine they were installed on (while avoiding anything confidential), and published them to public repositories. As a result, he confirmed that attacks against large companies such as PayPal, Apple, Microsoft, Netflix, Yelp, Uber, and Shopify were possible, and reported receiving substantial bug bounties from the companies he notified.
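The substitution works because a package manager that is allowed to consult both a public and a private index will happily take the public copy of a name it also finds internally. The following is an added example (not from the article, Birsan, or Sonatype) of a defender-side audit: it parses a pip requirements file, flags the `--extra-index-url` setting that merges the two indexes, flags internal packages that are not pinned to a version and hash, and reports internal names that also appear on the public index. The internal package names, the public-index snapshot and the requirements text are all constructed for the example; in real use the snapshot would come from querying the registry.

```python
"""Dependency-confusion exposure check for a pip requirements file.

Added example, not code from the article. Assumptions: the organisation's
in-house packages are the constructed INTERNAL_PACKAGES set, and
PUBLIC_INDEX_NAMES is a constructed stand-in for a registry lookup so the
script runs offline.
"""
import re

# Constructed: names of packages built in-house (never meant to be public).
INTERNAL_PACKAGES = {"acme-auth-client", "acme-billing-core", "acme-metrics"}

# Constructed snapshot of names present on the public index. The entry
# "acme-billing-core" is a constructed name collision for the example.
PUBLIC_INDEX_NAMES = {"requests", "flask", "acme-billing-core", "numpy"}

# Constructed requirements file showing the risky index configuration.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
--extra-index-url https://pypi.internal.example/simple
requests==2.31.0 --hash=sha256:aaaa
acme-auth-client==1.4.0
acme-billing-core>=2.0
acme-metrics==0.9.1 --hash=sha256:bbbb
"""

# name, optional comparison operator, optional version (ignores markers after ';')
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)")


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of ._- become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text, internal, public_names):
    """Return a list of (kind, subject, detail) findings for one requirements file."""
    internal = {normalize(n) for n in internal}
    public_names = {normalize(n) for n in public_names}
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--extra-index-url"):
            # Root cause of dependency confusion: pip merges both indexes and
            # picks whichever copy of a name satisfies the specifier best.
            findings.append(("config", "--extra-index-url",
                             "public and private indexes are merged; pip may select the public copy"))
            continue
        if line.startswith("-"):
            continue  # other pip options such as --index-url are not flagged
        match = REQ_LINE.match(line)
        if not match:
            continue
        name = normalize(match.group(1))
        pinned = match.group(2) == "==" and "--hash=" in line
        if name not in internal:
            continue  # only in-house names are at risk of substitution
        if name in public_names:
            findings.append(("collision", name, "same name is published on the public index"))
        if not pinned:
            findings.append(("unpinned", name, "internal package lacks an exact version and --hash pin"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit_requirements(SAMPLE_REQUIREMENTS, INTERNAL_PACKAGES, PUBLIC_INDEX_NAMES):
        print(f"[{kind}] {subject}: {detail}")
```

On the constructed input the audit reports the merged-index setting, the collision on the in-house name that also exists publicly, and the two internal packages installed without exact version and hash pins; the one that is pinned with `==` and `--hash` produces no finding, which is the state a defender wants every internal dependency to reach.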

How to hack big companies like Apple and PayPal using software 'packages'? - GIGAZINE



In the weeks following Birsan's report on supply chain attacks targeting software dependencies, attacks using similar techniques are reported to have flourished. According to Sonatype, a company that protects applications developed by its customers, nearly 5,000 packages intended to replace internal packages have been published to multiple repositories such as npm and the Python Package Index (PyPI).

Many of them come from security researchers looking to win bug bounties, and security company Contrast Security succeeded in carrying out the attack against the desktop version of Microsoft's collaboration tool, Microsoft Teams. Although the code in that package was harmless, the Contrast Security researchers who succeeded warn that attacks targeting software dependencies could pose a significant risk.

A Microsoft spokeswoman said, 'As part of a major effort to mitigate package substitution attacks, we quickly identified and addressed the issues mentioned, which did not pose a serious security risk to our customers.'



Sonatype pointed out that some of the newly published packages aimed at software dependencies were malicious, attempting to steal password hashes and Bash command history. According to its analysis of packages published on npm, Amazon, Slack, Lyft, Zillow, and others were the targets of this attack.

When tech media Ars Technica asked the targeted companies for comment, Slack said in a statement, 'The library in question is not part of Slack's product and is not maintained or supported by Slack. There is no reason to think malicious software was run in production.' To prevent this type of attack, Slack's security team regularly scans the packages used in the product with internal and external tools and also ensures the safety of development with internal packages, so the company said a package substitution is unlikely to succeed.

Lyft and Zillow also stated that the reported malicious packages had been executed and that there were no signs their systems were compromised. Lyft said it works to ensure security by running security programs that prevent supply chain attacks, and Zillow said it monitors for unauthorized access to its systems and is taking action against future threats. Amazon officials did not reply to Ars Technica's email.



in Software, Security, Posted by log1h_ik