The researcher hacked into Tesla, Microsoft, Netflix and over 30 other companies

This researcher hacked 35 major technology companies, including Microsoft, Tesla and Netflix

Photo: THOMAS SAMSON / AFP (Getty Images)

Alex Birsan, a Romanian security researcher, recently earned over $130,000 by ethically breaking into the IT systems of dozens of major technology companies.

Birsan used a single novel supply chain attack to compromise Tesla, Netflix, Microsoft, Apple, PayPal, Uber, Yelp and at least 30 other companies. In the process, the researcher exposed a major vulnerability and earned large sums through several bug bounties, the rewards companies pay “white hat” hackers who successfully test their online defenses.

How Birsan did it is quite interesting. It involves manipulating the code of development projects, specifically their dependencies, the supplementary code packages a program needs in order to run. Threatpost notes that the attack injects malicious code “into the usual tools for installing dependencies in developer projects, which typically use public repositories on sites like GitHub. The malicious code then uses these dependencies to spread malware through a target company’s internal applications and systems.”


Screenshot: Lucas Ropek / Twitter

This is fairly involved, but in essence Birsan found that some internal code packages of large companies were being unintentionally published in public repositories such as GitHub, for various reasons including “misconfigured internal or cloud-based build servers” and “systemically vulnerable development pipelines”, among others. Birsan also found that the automated build tools companies use during development would sometimes “confuse” this public code with the internal code if the packages had the same name.

As a result, an attacker could upload “malware into open source repositories” that would then be automatically pulled into a company’s systems, according to BleepingComputer. These malicious, counterfeit code packages would let a bad actor execute arbitrary code, or could be used to add “backdoors inside affected projects during the build process,” Birsan said in a recent disclosure about how Yelp was affected.

PayPal, for example, issued a statement about Birsan’s findings explaining what had happened in its case:

… certain development projects were defaulting to the public NPM registry instead of using the intended internal packages. Because the packages did not exist in the public registry, the researcher created them and noticed that they were being downloaded. If these packages had been registered maliciously, internal development may have included this code. Although there are additional checks and controls in the development pipeline, this could have caused significant problems for internal systems. Thanks to the researcher’s report, PayPal was able to mitigate the problem with the public registry and did not find any evidence of previous harmful activity.

Birsan named the vulnerability “dependency confusion” and described it in a recent blog post: “It has been detected in over 35 organizations so far, across all three programming languages tested. The vast majority of affected companies fall into the category of over 1000 employees, which most likely reflects the higher prevalence of internal library use in larger organizations.” He clarified to BleepingComputer that the exploit relies on “vulnerabilities or design flaws in automated build or installation tools [that] can cause public dependencies to be mistaken for internal dependencies with exactly the same name.”
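The mechanism in the passages above (a build tool picking the public copy of a name that also exists internally, and PayPal’s projects defaulting to the public NPM registry) can be modelled in a few lines. The following Python is an added illustration, not code from the article or from Birsan’s research. The registries, the package names (acme-auth-lib, acme-billing) and the versions are constructed sample data, and the two resolvers are simplified models of how a merged-index tool and a registry-pinned tool behave, not any real package manager’s code:

```python
"""Toy model of dependency confusion: how a merged-index resolver ends up
choosing a public package over an internal one of the same name, and how
pinning internal names to the internal registry prevents it.

Everything here is constructed sample data; there is no network access,
and every package name, version and registry is hypothetical."""
from dataclasses import dataclass

# Constructed sample registries: package name -> versions on offer.
INTERNAL_INDEX = {
    "acme-auth-lib": ["1.4.0", "1.5.2"],   # hypothetical internal library
    "acme-billing": ["0.9.1"],             # hypothetical internal library
}
PUBLIC_INDEX = {
    "requests": ["2.25.1"],                # ordinary public dependency
    "acme-auth-lib": ["99.0.0"],           # same name as the internal one, published publicly
}

# Names the organisation considers its own (what an allow-list or scope
# configuration would carry in a real build setup).
INTERNAL_NAMES = frozenset(INTERNAL_INDEX)


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    source: str  # "internal" or "public"


def _version_key(version):
    """Order dotted versions numerically so 99.0.0 > 1.5.2 (as a resolver would)."""
    return tuple(int(part) for part in version.split("."))


def candidates(name):
    """Every copy of `name` the tool can see, from both registries."""
    found = [Candidate(name, v, "internal") for v in INTERNAL_INDEX.get(name, [])]
    found += [Candidate(name, v, "public") for v in PUBLIC_INDEX.get(name, [])]
    return found


def resolve_naive(name):
    """Merged-index behaviour: both registries are searched and the highest
    version wins, with no regard for which registry offered it. This is the
    'confusion' the article describes."""
    found = candidates(name)
    if not found:
        raise LookupError(f"{name}: not found in any registry")
    return max(found, key=lambda c: _version_key(c.version))


def resolve_pinned(name, internal_names):
    """Hardened behaviour: a name the organisation claims as internal is only
    ever taken from the internal registry; public copies are discarded before
    the version comparison, so a higher public version cannot win."""
    found = candidates(name)
    if name in internal_names:
        found = [c for c in found if c.source == "internal"]
    if not found:
        raise LookupError(f"{name}: not found in the permitted registry")
    return max(found, key=lambda c: _version_key(c.version))


def audit(manifest, internal_names):
    """Classify each manifest entry for a build that still uses merged-index
    resolution:
      'shadowed'  - a public copy exists and would win the version comparison
      'unclaimed' - internal name with no public copy yet (the name is open)
      'ok'        - ordinary public dependency, or internal name not exposed
    """
    report = {}
    for name in manifest:
        if name not in internal_names:
            report[name] = "ok"
        elif PUBLIC_INDEX.get(name) and resolve_naive(name).source == "public":
            report[name] = "shadowed"
        elif not PUBLIC_INDEX.get(name):
            report[name] = "unclaimed"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    manifest = ["requests", "acme-auth-lib", "acme-billing"]
    for name in manifest:
        naive = resolve_naive(name)
        pinned = resolve_pinned(name, INTERNAL_NAMES)
        print(f"{name:14} naive -> {naive.version} ({naive.source}); "
              f"pinned -> {pinned.version} ({pinned.source})")
    print(audit(manifest, INTERNAL_NAMES))
```

resolve_naive shows why a public 99.0.0 beats an internal 1.5.2: the decision is made on version alone. resolve_pinned shows the control, which is to decide by registry before any version comparison happens. audit is the check a build owner can run over a manifest to find internal names that are already shadowed by a public copy, or that have not yet been claimed in the public registry at all, which is exactly the situation PayPal’s statement describes.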

When Birsan began using this strategy last year, security firm Sonatype started flagging the packages he submitted as malware, the company recently reported, but Birsan quickly contacted them and told them about his ongoing research, explaining that a formal vulnerability disclosure would take place in 2021.

Birsan’s successful hacks have earned him multiple bug bounties and the recognition of a large number of technology companies.

“I think it’s important to clarify that every organization targeted during this research had given permission to have its security tested, either through public bug bounty programs or private agreements. Please do not attempt this type of testing without authorization,” Birsan wrote in the blog post.

Birsan, who previously worked as a Python engineer at Bitdefender and has spent the last three years as an independent IT security consultant, noted that the type of vulnerability he discovered has the potential to become a much bigger problem in the future.

“I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs,” Birsan wrote.
