Successfully reported this slideshow.
Your SlideShare is downloading. ×

Developer in a digital crosshair, 2022 edition - No cON Name

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad

Check these out next

1 of 111 Ad

Developer in a digital crosshair, 2022 edition - No cON Name

Download to read offline

The frequency of attacks on third-party libraries and tools used in software development has dramatically increased in recent years. 
Typosquatting, dependency confusion, malicious changes in popular dependencies (UAParser.js, coa, node-ipc...), issues in popular dev tools (Codecov, Homebrew, npm...) or incidents (PHP, GitHub...). In this presentation, I will go over many fascinating, recent examples of these attacks, their causes and effects, and recommend to you how to stay secure when developing software. 

The frequency of attacks on third-party libraries and tools used in software development has dramatically increased in recent years. 
Typosquatting, dependency confusion, malicious changes in popular dependencies (UAParser.js, coa, node-ipc...), issues in popular dev tools (Codecov, Homebrew, npm...) or incidents (PHP, GitHub...). In this presentation, I will go over many fascinating, recent examples of these attacks, their causes and effects, and recommend to you how to stay secure when developing software. 

Advertisement
Advertisement

More Related Content

More from SecuRing (20)

Advertisement

Developer in a digital crosshair, 2022 edition - No cON Name

  1. 1. WhoamI Developer in a digital crosshair, 2022 edition Mateusz Olejarka
  2. 2. BIO • Principal Security Consultant @ SecuRing • Head of Web Security • Co-author of Security Aware Developer training • Ex-developer https://www.linkedin.com/in/molejarka/ https://twitter.com/molejarka
  3. 3. Agenda • Attacks on libraries • Attacks on tools • Attacks on infrastructure • Summary
  4. 4. Attacks on libraries kr.com/photos/29233640@N07/
  5. 5. cComplexity https://sambleckley.com/writing/npm.html
  6. 6. cComplexity https://sambleckley.com/writing/npm.html
  7. 7. Fun fact https://www.npmjs.com/package/-
  8. 8. Fun fact https://cdn.jsdelivr.net/npm/-@0.0.1/
  9. 9. Fun fact https://web.archive.org/web/20201118151234/https://www.npmjs.com/package/-
  10. 10. Interview I mean no harm to anyone in any way https://www.bleepingcomputer.com/news/software/empty-npm-package-has-over-700- 000-downloads-heres-why/
  11. 11. Interview Parzhitsky agrees [...] that the unusually high number of downloads can most likely be attributed to developers making typos https://www.bleepingcomputer.com/news/software/empty-npm-package-has-over-700- 000-downloads-heres-why/
  12. 12. Attacks on libraries • Typosquatting • Dependency confusion • Maintainer’s account takeover • Protestware
  13. 13. Typosquatting https://www.npmjs.com/package/electorn
  14. 14. electron electorn Typosquatting
  15. 15. https://www.mend.io/resources/blog/cybercriminals-targeted-users-of-packages-with-a- total-of-1-5-billion-weekly-downloads-on-npm Typosquatting
  16. 16. Typosquatting + adware https://socket.dev/blog/whats-in-your-npm-stat-counter
  17. 17. https://www.iqt.org/bewear-python-typosquatting-is-about-more-than-typos/ Typosquatting
  18. 18. Dependency Confusion
  19. 19. What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones? https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 Dependency Confusion
  20. 20. Maintainer’s account takeover
  21. 21. https://my.diffend.io/npm/ua-parser- js/0.7.28/0.7.29 Maintainer’s account takeover
  22. 22. Maintainer’s account takeover
  23. 23. Maintainer’s account takeover
  24. 24. Maintainer’s account takeover
  25. 25. Maintainer’s account takeover
  26. 26. Maintainer’s account takeover
  27. 27. Maintainer’s account takeover
  28. 28. Maintainer’s account takeover
  29. 29. Maintainer’s account takeover
  30. 30. Maintainer’s account takeover
  31. 31. https://www.mend.io/resources/blog/popular-cryptocurrency-exchange-dydx-has-had-its- npm-account-hacked/ Maintainer’s account takeover
  32. 32. Expired domain https://twitter.com/lrvick/status/1523774962909298690
  33. 33. Expired domain https://www.npmjs.com/package/foreach
  34. 34. Expired domain https://github.com/manuelstofer/foreach/commit/644640c4c84abc415140b00c3629084e982f2182
  35. 35. colors and faker https://my.diffend.io/npm/colors/1.4.0/1.4.44-liberty-2
  36. 36. colors and faker https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker- breaking-thousands-of-apps/
  37. 37. Protestware https://www.npmjs.com/package/node-ipc
  38. 38. Protestware https://my.diffend.io/npm/node-ipc/10.1.0/10.1.1
  39. 39. Protestware https://api.ipgeolocation.io/ipgeo?apiKey=[cut] ./ ../ ../../ / country_name russia belarus
  40. 40. ❤️ ❤️ Protestware
  41. 41. Protestware https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
  42. 42. https://blog.sonatype.com/all?q=package Some numbers Packages flagged as malicious, suspicious, or dependency confusion attacks in npm and PyPi: October 7, 2022 ~100 October 14, 2022 ~50 October 21, 2022 ~40 October 28, 2022 ~70 Weekly in September ~89 Weekly in October ~65
  43. 43. Attacks on tools https://flickr.com/photos/danielmee/
  44. 44. Attacks on Tools • Codecov • Homebrew • npm • Ruby Gems
  45. 45. On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission.
  46. 46. This customer was using the shasum that is available on our Bash Uploader to confirm the integrity of the uploader fetched from https://codecov.io/bash.
  47. 47. https://docs.codecov.com/docs/about-the-codecov-bash-uploader
  48. 48. https://gist.github.com/davidrans/ca6e9ffa5865983d9f6aa00b7a4a1d10
  49. 49. Our use of Codecov’s Bash Uploader script was limited: it was set up on a single CI server used to test and build some internal tooling […]. We were not using Codecov on any CI server used for product code. https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/
  50. 50. While investigation has not revealed evidence of unauthorized usage of the exposed GPG key, it has been rotated in order to maintain a trusted signing mechanism https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp- gpg-key-exposure/23512
  51. 51. https://news.ycombinator.com/item?id=26819983
  52. 52. Homebrew In the Homebrew/homebrew-cask repository, it was possible to merge the malicious pull request by confusing the library that is used in the automated pull request review script developed by the Homebrew project. https://blog.ryotak.me/post/homebrew-security-incident-en/
  53. 53. Homebrew This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.
  54. 54. Homebrew By abusing it, an attacker could execute arbitrary Ruby codes on users' machine who uses brew. The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically
  55. 55. Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/
  56. 56. We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry.
  57. 57. This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously.
  58. 58. However, we can say with high confidence that this vulnerability has not been exploited maliciously during the timeframe for which we have available telemetry, which goes back to September 2020
  59. 59. Ruby Gems https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w An ordering mistake in the code that accepts gem uploads allowed some gems […] to be temporarily replaced in the CDN cache by a malicious package
  60. 60. Ruby Gems 1. An attacker could guess the next version number, and create a gem with the name sorbet-static-0.5.9996-universal- darwin and version number 20.
  61. 61. Ruby Gems 2. With a crafted invalid gemspec, it was possible to coerce RubyGems.org to save that gem to S3 without creating a matching database record.
  62. 62. Ruby Gems 3. Later, the real sorbet-static gem would release version 0.5.9996 as usual, and the attacker-controlled file would be overwritten on S3.
  63. 63. Ruby Gems 4. However, if the attacker had already primed the Fastly CDN cache by requesting their malicious gem, Fastly would continue to serve the old, malicious package.
  64. 64. Attacks on infrastructure https://flickr.com/photos/quinnanya/
  65. 65. Attacks on infrastructure • PHP • GitHub
  66. 66. Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account). https://news-web.php.net/php.internals/113838
  67. 67. Something I was not aware of at the time is that git.php.net (intentionally) supported pushing changes not only via SSH […] but also via HTTPS. The latter did not use gitolite, and instead used git-http-backend behind Apache2 Digest authentication against the master.php.net user database. https://news-web.php.net/php.internals/113981
  68. 68. It is notable that the attacker only makes a few guesses at usernames, and successfully authenticates once the correct username has been found. While we don't have any specific evidence for this, a possible explanation is that the user database of master.php.net has been leaked
  69. 69. The master.php.net system, which is used for authentication and various management tasks, was running very old code on a very old operating system / PHP version, so some kind of vulnerability would not be terribly surprising.
  70. 70. On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/
  71. 71. Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.
  72. 72. GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users.
  73. 73. We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats.
  74. 74. On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. https://status.heroku.com/incidents/2413
  75. 75. On that same day, the threat actor downloaded data from another database that stores pipeline-level config vars for Review Apps and Heroku CI. Additionally, another small subset of Heroku users had their Heroku tokens exposed in a config var for a pipeline.
  76. 76. On April 15, 2022, Travis CI personnel were informed that certain private customer repositories may have been accessed by an individual who used a man-in-the-middle 2FA attack, leveraging a third-party integration token. https://blog.travis-ci.com/2022-04-17-securitybulletin
  77. 77. Upon further review that same day, Travis CI personnel learned that the hacker breached a Heroku service and accessed a private application OAuth key used to integrate the Heroku and Travis CI application.
  78. 78. Travis CI immediately revoked all authorization keys and tokens preventing any further access to our systems. No customer data was exposed and no further access was possible.
  79. 79. https://flickr.com/photos/143106192@N03/
  80. 80. Libraries
  81. 81. Libraries • Awareness
  82. 82. Libraries • Awareness • No typos ;)
  83. 83. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies
  84. 84. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies • Download from official sources
  85. 85. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies • Download from official sources • When not sure do not install
  86. 86. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies • Download from official sources • When not sure do not install • Enable 2FA (as a maintainer)
  87. 87. • Top 100 packages • Started on: 1.02.2022 • Packages classified as critical: ~4000 • Started on: 8.07.2022 Enforcing 2FA
  88. 88. Enforcing 2FA https://p.datadoghq.com/sb/7dc8b3250-389f47d638b967dbb8f7edfd4c46acb1?from_ts=1662376975438&to_ts=1662463375438&live=true
  89. 89. Enforcing 2FA https://pypistats.org/packages/atomicwrites
  90. 90. What can go wrong with enforcing 2fa? https://github.com/untitaker/python-atomicwrites/issues/61
  91. 91. atomicwrites I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so.
  92. 92. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies • Download from official sources • When not sure do not install • Enable 2FA (as a maintainer)
  93. 93. Tools
  94. 94. Tools • I will not download and run scripts directly from the net
  95. 95. Tools • I will not download and run scripts directly from the net • I will verify checksums and signatures of downloaded files
  96. 96. Tools • I will not download and run scripts directly from the net • I will verify checksums and signatures of downloaded files • I will install only from official sources
  97. 97. Tools • I will not download and run scripts directly from the net • I will verify checksums and signatures of downloaded files • I will install only from official sources • I will update frequently what I’ve already installed
  98. 98. Tools • I will not download and run scripts directly from the net • I will verify checksums and signatures of downloaded files • I will install only from official sources • I will update frequently what I’ve already installed
  99. 99. Infrastructure
  100. 100. Infrastructure • Keep good inventory, especially of what is in the clouds
  101. 101. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused
  102. 102. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused • Secure configurations
  103. 103. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused • Secure configurations • Frequently update (to fix known issues)
  104. 104. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused • Secure configurations • Frequently update (to fix known issues) • Monitor, monitor, monitor
  105. 105. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused • Secure configurations • Frequently update (to fix known issues) • Monitor, monitor, monitor
  106. 106. https://www.linkedin.com/in/molejarka/

×