A Researcher Hacked Over 35 Tech Firms: Here’s What The Means For Cybersecurity
Back in February, a Romanian Threat researcher was able to tap into the IT systems of some of the largest companies in the world. As a threat researcher, it is the job of people like Alex Birsan to find vulnerabilities in computer systems.
This hack, also known as penetration testing, was planned: the companies were alerted to the potential hack, and no sensitive information was accessed. Nonetheless, Birsan’s work highlights common vulnerabilities that exist in just about every computer system.
Here’s what we learned from this hack and what it means for security:
How Birsan Hacked Over 35 Tech Firms
Birsan first contacted major tech companies like Apple, Netflix, Shopify, Tesla, Microsoft, and PayPal and informed them that he would test their cybersecurity measures. However, he did not tell them about the details.
In reality, Birsan had the idea to look at private code packages. Major information systems will access private and public code packages in order to launch a simple task.
When searching for the appropriate code package, an automated system will tap into a public repository. The server might look at the company’s private packages and the same name of public packages and then use whichever package is newer. So a package of an identical name in a public package could be swapped for a company’s private one if it’s a newer version.
Package retrieval in repositories is how many online operations function. Unfortunately, Birsan was able to expose many vulnerabilities within these automated builds. These vulnerabilities he called dependency confusion.
By guessing a name that a big tech company might use and injecting his own code packages into the public repositories like Github, Birsan could easily tap into the IT systems of these major companies. Using duplicate names and newer versions, Birsan was able to guess the types of package names a company might use, and use up many unused names, therefore, allowing developers and IT professionals to pull even non-duplicated code if they make a mistake.
What Does This Mean for Cybersecurity
The pull repository command is extremely popular and available in almost every programming language. Python uses pip, Node has npm, and Ruby uses gems. And each installer method pulls from the main source. For Python, it’s the Python Package Index (available here). Ruby’s is found on RubyGems, and Node’s npm registry, available here, is also publicly available.
So, accessing this source is as simple as signing up and finding the right bank. Hackers, for the most part, have tried to use these depositories in the past. However, they instead capitalized on typos (a technique known as typosquatting) and outdated packages. Packages like the Trojan Horse, Use After Free, and Source Injection are common, as well as the possibility to infect an existing package.
The myriad ways in which malicious code can be injected into the package depositories means that naturally, many servers are at risk. However, this is why IT professionals and security protocols exist.
While a pull request might pull an infected package, the company’s server protocols will still be monitoring their network activity. Protocols are still looking at server requests with concern, so adding in this vulnerability specifically can be as simple as a patch and recovery before any damage is done.
Luckily, people like Birsan and threat researchers exist for this very reason (and in fact, Birsan was paid out at least $130,000 of the bug bounty for discovering the vulnerability, a small price in our eyes). This vulnerability leaves many questions, though. For example, Birsan was unsure what would happen if code was uploaded under one of the common depository names with malicious intent.
While Birsan’s code was non-malicious, if a company’s projects defaulted to public packages instead of private ones, they could regularly pull public packages with malicious codes, potentially welcoming in a major data breach or ransomware attack.
Getting the information from the company’s critical infrastructure back out to complete the hacking was a little more tricky, but Birsan could do it with a DNS query.
Should Businesses or Organizations Be Worried About New Cybersecurity Threats?
When Birsan’s duplicate code was uploaded to the company’s network, he ensured that the code was not malicious. It retrieved only basic information about the computer, including the hostname, current path of each installation, and username so that the company could go in and restore the vulnerability (and they have).
Unfortunately, the ease with which duplicate code can be swapped on public depositories or open-source platforms means that virtually every company that uses public depositories is at risk. There are ways businesses can mitigate this vulnerability; for example, they could specify that only private depositories can be used. If the company relies on a lot of public depositories, though, then this may cause structural problems. So transitioning over to private depositories might take some time.
The same thing goes for changing the version type. If the company always pulled the private version regardless of how old it was, then the company could be relying on outdated packages.
There are some fail-safes that the company could put in place when accessing public depositories, potentially securing the public versions to select members. However, this does require some navigation, including patches and testing.
Almost every business or organization relies not only on IT security but also on public depositories in order to operate online. If you use a trusted partner for some of your services, then you should be able to rely on that team’s information security system to protect against a security breach or potential cyber attack through package calls. However, if you run your own IT department, including servers, then you should at the very least perform an audit to test for this vulnerability.
Managing Computer Security
Luckily testing for vulnerabilities in common uses of IT systems is something that Birsan, and others, do as an occupation. And when they find these vulnerabilities, they tell us about it, including in this white paper 3 Ways to Mitigate Risk When Using Private Package Feeds.
Cybersecurity firms, IT departments, and companies are continually seeking ways to further protect their data and their customers from a potential malware attack; and with the help of Birsan, cybersecurity experts may be able to do it.
As more of these vulnerabilities emerge, we will start to evolve our coding practices. This vulnerability, for example, exists as a type of feature of coding practices and is known as a flaw in the design rather than a bug.
Therefore, we can expect more of these insecurities to exist as long as coding is around, with the promise that warriors like Birsan will continue to vet and test our systems to check for vulnerabilities.
By SoftActivity Team