Developer in a digital crosshair, 2022 edition - Oh My H@ck!

BIO
• Principal Security Consultant @ SecuRing
• Head of Web Security
• Co-author of Security Aware Developer
training
• Ex-developer
https://www.linkedin.com/in/molejarka/
https://twitter.com/molejarka

Agenda
• Attacks on libraries
• Attacks on tools
• Attacks on infrastructure
• Summary

Attacks on
libraries
https://flickr.com/photos/29233640@N07/

Complexity
https://sambleckley.com/writing/npm.html

Fun fact
https://www.npmjs.com/package/-

Fun fact
https://cdn.jsdelivr.net/npm/-@0.0.1/

Fun fact
https://web.archive.org/web/20201118151234/https://www.npmjs.com/package/-

Interview
I mean no harm to anyone in any
way
https://www.bleepingcomputer.com/news/software/empty-npm-package-has-over-700-000-downloads-heres-why/

Interview
Parzhitsky agrees [...] that the unusually high number of
downloads can most likely be attributed to developers
making typos

Attacks on libraries
• Typosquatting
• Dependency confusion
• Maintainer’s account takeover
• Protestware

Typosquatting
https://www.npmjs.com/package/electorn

electron
electorn
Typosquatting

https://www.mend.io/resources/blog/cybercriminals-targeted-users-of-packages-with-a-total-of-1-5-billion-weekly-downloads-on-npm
Typosquatting

Typosquatting + adware
https://socket.dev/blog/whats-in-your-npm-stat-counter

Typosquatting
https://www.iqt.org/bewear-python-typosquatting-is-about-more-than-typos/

Typosquatting
and many more…

Dependency Confusion
What happens if malicious code is uploaded to npm under
these names?
Is it possible that some of PayPal’s internal projects will start
defaulting to the new public packages instead of the private
ones?
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Maintainer’s account takeover

https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29

https://www.mend.io/resources/blog/popular-cryptocurrency-exchange-dydx-has-had-its-npm-account-hacked/

Expired domain
https://twitter.com/lrvick/status/1523774962909298690

Expired domain
https://www.npmjs.com/package/foreach

Expired domain
https://github.com/manuelstofer/foreach/commit/644640c4c84abc415140b00c3629084e982f2182

colors and faker
https://my.diffend.io/npm/colors/1.4.0/1.4.44-liberty-2

colors and faker
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

Protestware
https://www.npmjs.com/package/node-ipc

Protestware
https://my.diffend.io/npm/node-ipc/10.1.0/10.1.1

Protestware
https://api.ipgeolocation.io/ipgeo?apiKey=[cut]
./
../
../../
/
country_name
russia
belarus

Protestware
https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/

https://blog.sonatype.com/all?q=package
Some numbers
Packages flagged as malicious, suspicious, or
dependency confusion attacks in npm and PyPi:
October 7, 2022 ~100
October 14, 2022 ~50
October 21, 2022 ~40
October 28, 2022 ~70
Weekly in September ~89
Weekly in October ~65

Attacks on
tools
https://flickr.com/photos/danielmee/

Attacks on Tools
• Codecov
• Homebrew
• npm
• Ruby Gems

On Thursday, April 1, 2021, we learned that
someone had gained unauthorized access to
our Bash Uploader script and modified it
without our permission.

This customer was using the shasum that is available on our
Bash Uploader to confirm the integrity of the uploader
fetched from https://codecov.io/bash.

https://docs.codecov.com/docs/about-the-codecov-bash-uploader

https://gist.github.com/davidrans/ca6e9ffa5865983d9f6aa00b7a4a1d10

Our use of Codecov’s Bash Uploader script was
limited: it was set up on a single CI server used
to test and build some internal tooling […].
We were not using Codecov on any CI
server used for product code.
https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/

While investigation has not revealed evidence of
unauthorized usage of the exposed GPG key, it
has been rotated in order to maintain a trusted
signing mechanism
https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512

https://news.ycombinator.com/item?id=26819983

Homebrew
In the Homebrew/homebrew-cask repository, it
was possible to merge the malicious pull
request by confusing the library that is used in
the automated pull request review script
developed by the Homebrew project.
https://blog.ryotak.me/post/homebrew-security-incident-en/

Homebrew
This is due to a flaw in the git_diff dependency of the
review-cask-pr GitHub Action, which is used to parse a pull
request’s diff for inspection.
Due to this flaw, the parser can be spoofed into
completely ignoring the offending lines, resulting in
successfully approving a malicious pull request.

Homebrew
By abusing it, an attacker could execute arbitrary Ruby codes
on users' machine who uses brew.
The discovered vulnerability would allow an attacker to inject
arbitrary code into a cask and have it be merged
automatically

Second, on November 2 we received a report to our security
bug bounty program of a vulnerability that would allow an
attacker to publish new versions of any npm package using
an account without proper authorization
https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/

We determined that this vulnerability was due to
inconsistent authorization checks and validation of data
across several microservices that handle requests to the npm
registry.

This vulnerability existed in the npm registry beyond the
timeframe for which we have telemetry to determine
whether it has ever been exploited maliciously.

However, we can say with high confidence that this
vulnerability has not been exploited maliciously during the
timeframe for which we have available telemetry, which
goes back to September 2020

Ruby Gems
An ordering mistake in the code that accepts gem uploads
allowed some gems […] to be temporarily replaced in the
CDN cache by a malicious package
https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w

Ruby Gems
1. An attacker could guess the next version number, and
create a gem with the name sorbet-static-0.5.9996-universal-
darwin and version number 20.

Ruby Gems
2. With a crafted invalid gemspec, it was possible to coerce
RubyGems.org to save that gem to S3 without creating a
matching database record.

Ruby Gems
3. Later, the real sorbet-static gem would release version
0.5.9996 as usual, and the attacker-controlled file would be
overwritten on S3.

Ruby Gems
4. However, if the attacker had already primed the Fastly
CDN cache by requesting their malicious gem, Fastly would
continue to serve the old, malicious package.

Attacks on
infrastruct
ure
https://flickr.com/photos/quinnanya/

Attacks on infrastructure
• PHP
• GitHub

Yesterday (2021-03-28) two malicious commits were pushed
to the php-src repo [1] from the names of Rasmus Lerdorf
and myself.
We don't yet know how exactly this happened, but
everything points towards a compromise of the git.php.net
server (rather than a compromise of an individual git
account).
https://news-web.php.net/php.internals/113838

Something I was not aware of at the time is that
git.php.net (intentionally) supported pushing
changes not only via SSH […] but also via HTTPS.
The latter did not use gitolite, and instead used git-http-
backend behind Apache2 Digest authentication against
the master.php.net user database.
https://news-web.php.net/php.internals/113981

It is notable that the attacker only makes a few guesses at
usernames, and successfully authenticates once the correct
username has been found.
While we don't have any specific evidence for this, a possible
explanation is that the user database of master.php.net has
been leaked

The master.php.net system, which is used for authentication
and various management tasks, was running very old code
on a very old operating system
/
PHP version, so some kind of vulnerability would not be
terribly surprising.

On April 12, GitHub Security began an investigation that
uncovered evidence that an attacker abused stolen OAuth
user tokens issued to two third-party OAuth integrators,
Heroku and Travis-CI, to download data from dozens of
organizations, including npm.
https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/

Our analysis of other behavior by the threat actor suggests
that the actors may be mining the downloaded private
repository contents, to which the stolen OAuth token had
access, for secrets that could be used to pivot into other
infrastructure.

GitHub contacted Heroku and Travis-CI to request that they
initiate their own security investigations, revoke all OAuth
user tokens associated with the affected applications, and
begin work to notify their own users.

We do not believe the attacker obtained these tokens via a
compromise of GitHub or its systems, because the tokens in
question are not stored by GitHub in their original, usable
formats.

On April 7, 2022, a threat actor obtained access to a Heroku
database and downloaded stored customer GitHub
integration OAuth tokens.
Access to the environment was gained by leveraging a
compromised token for a Heroku machine account.
https://status.heroku.com/incidents/2413

On that same day, the threat actor downloaded data from
another database that stores pipeline-level config vars for
Review Apps and Heroku CI.
Additionally, another small subset of Heroku users had their
Heroku tokens exposed in a config var for a pipeline.

On April 15, 2022, Travis CI personnel were informed that
certain private customer repositories may have been
accessed by an individual who used a man-in-the-middle
2FA attack, leveraging a third-party integration token.
https://blog.travis-ci.com/2022-04-17-securitybulletin

Upon further review that same day, Travis CI personnel
learned that the hacker breached a Heroku service and
accessed a private application OAuth key used to integrate
the Heroku and Travis CI application.

Travis CI immediately revoked all authorization keys and
tokens preventing any further access to our systems. No
customer data was exposed and no further access was
possible.

https://flickr.com/photos/143106192@N03/

Libraries
• Awareness
• No typos ;)

Libraries
• Awareness
• No typos ;)
• Use tools to detect malicious dependencies

Libraries
• Awareness
• No typos ;)
• Download from official sources

Libraries
• Awareness
• No typos ;)
• When not sure do not install

Libraries
• Awareness
• No typos ;)
• When not sure do not install
• Enable 2FA (as a maintainer)

Enforcing 2FA
• Top 100 packages
• Started on: 1.02.2022
• Packages classified
as critical: ~4000
• Started on:
8.07.2022
• Top 100 packages
• Started on: 15.08.2022

Enforcing 2FA
https://p.datadoghq.com/sb/7dc8b3250-389f47d638b967dbb8f7edfd4c46acb1?from_ts=1662376975438&to_ts=1662463375438&live=true

Enforcing 2FA
https://pypistats.org/packages/atomicwrites

What can go wrong with enforcing 2fa?
https://github.com/untitaker/python-atomicwrites/issues/61

atomicwrites
I'd rather just write code for fun and only worry about
supply chain security when I'm actually paid to do so.

Tools
• I will not download and run scripts directly from the
net

Tools
net
• I will verify checksums and signatures of downloaded
files

Tools
net
files
• I will install only from official sources

Tools
net
files
• I will install only from official sources
• I will update frequently what I’ve already installed

Infrastructure
• Keep good inventory, especially of what is in the clouds

Infrastructure
• Disable/shutdown what’s unused

Infrastructure
• Keep good inventory, especially of what is in the
clouds
• Secure configurations

Infrastructure
• Frequently update (to fix known issues)

Infrastructure
• Frequently update (to fix known issues)
• Monitor, monitor, monitor

2023?
• Google Assured Open Source Software
• Google Software Delivery Shield
• Widespread MFA adoption
• Built-in detection of typosquatting

https://www.linkedin.com/in/molejarka/
https://twitter.com/molejarka

Developer in a digital crosshair, 2022 edition - Oh My H@ck!

More Related Content

Similar to Developer in a digital crosshair, 2022 edition - Oh My H@ck!

More from SecuRing

Recently uploaded

Developer in a digital crosshair, 2022 edition - Oh My H@ck!