A new form of attack has been used to target big tech firms using “dependency confusion”
A professional tester has created a backdoor that researchers found hiding inside open source code targeting four German companies, according to a report in Ars Technica. The tester was checking clients’ resilience against a new class of attacks that exploit public repositories used by millions of software projects worldwide. “But it could have been bad. Very bad,” wrote Ars Technica’s Dan Goodin.
Dependency confusion is a new form of supply-chain attack that came to the forefront in March 2021, when a researcher demonstrated he could use it to execute unauthorized code of his choice on networks belonging to Apple, Microsoft, and 33 other companies. The researcher, Alex Birsan, received $130,000 in bug bounties and credit for developing the new attack form.
A few weeks later, a different researcher uncovered evidence that showed that Amazon, Slack, Lyft, Zillow, and other companies had been targeted in attacks that used the same technique. The release of more than 200 malicious packages into the wild indicated the attack Birsan devised appealed to real-world threat actors.
Dependencies now create weaknesses
Dependency confusion exploits companies’ reliance on open source code available from repositories such as NPM, PyPI, or RubyGems. In some cases, the company software will automatically connect to these sources to retrieve the code libraries required for the application to function. Other times, developers store these so-called dependencies internally. As the name suggests, dependency confusion works by tricking a target into downloading the library from the wrong place—a public source rather than an internal one.
With that,” writes Goodin, “the hackers have succeeded in infecting the software supply chain the targets rely on and getting the target or its users to run malicious code.”