Alex Birsan, an ethical hacker discovered a security vulnerability belonging to several companies, including Tesla, Apple, Netflix, and Microsoft by exploiting open-source repositories that allowed him to run code on their internal systems.
The supply chain attack involved uploading malware to open-source repositories including npm, PyPI, and RubyGems that got distributed downstream.
The supply chain attack didn’t require action by the companies developers. They automatically received the malicious code because of a design flaw in the open-source ecosystems referred to as “dependency confusion.” Mr. Birsan put malicious code inside private code repositories by registering internal library names on public, open-source package indexes.
“To strike a balance between the ability to identify an organization based on the data and the need to avoid collecting too much sensitive information, I settled on only logging the username, hostname and current path of each unique installation,” Birsan explained. “Along with the external IPs, this was just enough data to help security teams identify possibly vulnerable systems based on my reports.”
According to Microsoft “One common hybrid configuration that clients use is storing internal packages on a private feed but allowing the retrieval of dependencies from a public feed. This ensures that the latest package releases are automatically adopted when referenced from a package that does not need to be updated. Internal developers publish their packages to this private feed and consumers check both private and public feeds for the best available versions of the required packages. This configuration presents a supply chain risk: the substitution attack.”
Craig Young, principal security researcher at cybersecurity and compliance solutions firm Tripewire, Inc. states that “this is a very serious industrywide problem.”
“Organizations face a constant stream of choices between reinventing every wheel, entering costly license agreements or utilizing open-source software,” Young explained. “Embracing open source has allowed many business to flourish while keeping down the cost of initial development at the expense of extremely murky supply chains. Software development firms should ideally be tuned in to every change happening within externally sourced software but in reality, this is next to impossible for software projects of even moderate complexity.”
He explained “that dependency chains can quickly spiral out of control, and often there are good reasons for wanting quick updates such as security or general bug fixes.”
“Identifying, interpreting, and analyzing potentially thousands of lines of code could largely offset the cost savings of open source for some organizations,” he said. “When software development firms allow their employees to download and start working with arbitrary coding modules from public repositories, they are exposing themselves to both security and legal risk. In this case, it was a researcher with an innocuous ‘phone home’ payload, but it could have just as easily been an APT deploying a malware implant or a patent troll deploying a commercially licensed algorithm.”
Threatrix ThreatCenter platform calculates the risk of open source dependencies with more than 28 risk metrics substantially reducing an organization’s exposure to software supply chain attacks.