Microsoft, Uber And Tesla Amongst Tech Companies Vulnerable To New Automated Supply Chain Attack – Expert Insight

A novel form of software supply chain attack has been uncovered by ethical hacker Alex Birsan, who managed to breach the systems of over 35 major tech companies, including Microsoft, Uber and Tesla, by taking advantage of a concept known as dependency confusion.

The new attack vector is particularly worrying as, unlike traditional typosquatting or brandjacking supply chain attacks, the targeted companies automatically downloaded the malicious packages and the breach did not require social engineering or human error to infiltrate private repositories.

Expert Comments

February 10, 2021
Brian Fox
CTO and co-founder
Sonatype

This software supply chain attack, where security researcher Alex Birsan took advantage of a concept known as dependency confusion or namespace confusion within open source ecosystems, was quite simple, yet a clever way to gain access to systems in over 35 tech companies.

The ability to do this comes essentially from a design flaw in the way some open source ecosystems like npm work, and subverts a basic pattern in the Java world. In npm there are no checks of namespace or coordinate authenticity, which means anyone can publish a component to npm with any name. Additionally, it is very common in the npm ecosystem to depend on the “latest” version, which means the build tool tries to determine automatically what the latest, or highest version number of a given component is.

The important thing to understand here is that the researcher figured out what the internal names of components for these companies were, and published components with the same name to the public npm registry. They used a very large version number, which tricked their tooling to download the “latest” version from outside the organization as opposed to the internal copies they actually wanted. The targeted companies automatically received Birsan’s malicious and counterfeit packages without any spelling mistakes on their part, or any social engineering, of the kind we see in typical brandjacking or typosquatting.

While the attack may feel novel, we have been saying that this could be a possibility for years, because there is no verification of ownership within many of these ecosystems, and it's common practice for developers to ask for the LATEST version.

There is no easy fix, as this is a design flaw in the very system of these dependency ecosystems. They work like this because it was done to lower the barrier for developers to publish their packages. But, as we can now see, as the ecosystems have matured and are now critical infrastructure for any organization, bad actors are exploiting that ease of access.
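The mechanism Fox describes, a client that treats the highest version number it can find as "latest" regardless of which registry it came from, is easy to model. The following JavaScript is an added example written for this page; it is not code from the article, from Birsan's research, or from Sonatype, and it contacts no registry. Package names, versions, registry contents and the scope-to-registry mapping are constructed, and the resolver is a deliberate simplification of the real npm client. It shows the confused resolution beside a scoped resolution that is bound to one registry, plus a small audit that flags unscoped internal names requested with a floating range.

```javascript
// Added example (not from the article): a small model of npm-style version
// resolution showing why an unscoped internal package name with a floating
// range can be satisfied by a public package carrying a higher version, and
// how binding a scope to one registry removes the ambiguity.
// All package names, versions and registry contents below are constructed.

// Parse "MAJOR.MINOR.PATCH" into numbers; non-semver strings sort lowest.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : [-1, -1, -1];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when a dependency range lets the client pick the newest version it
// can see rather than a fixed one (the pattern the article calls "latest").
function isFloatingRange(range) {
  return range === 'latest' || range === '*' || range === '' || /^[\^~]/.test(range);
}

// Model of the confused behaviour: candidates from every registry the client
// consults are merged and the highest version wins, regardless of source.
function resolveHighestAcrossRegistries(name, registries) {
  let best = null;
  for (const [registryName, index] of Object.entries(registries)) {
    for (const version of index[name] || []) {
      if (!best || compareVersions(version, best.version) > 0) {
        best = { name, version, registry: registryName };
      }
    }
  }
  return best;
}

// Hardened behaviour: a scoped name (@corp/...) is resolved only against the
// registry mapped for that scope, as an .npmrc line such as
// "@corp:registry=https://npm.internal.example/" (hypothetical host) would configure.
function resolveScoped(name, scopeRegistryMap, registries) {
  const scope = name.startsWith('@') ? name.split('/')[0] : null;
  const registryName = scope && scopeRegistryMap[scope];
  if (!registryName) return null; // unscoped or unmapped: refuse rather than guess
  const versions = registries[registryName][name] || [];
  if (versions.length === 0) return null;
  const version = versions.slice().sort(compareVersions).pop();
  return { name, version, registry: registryName };
}

// Audit a package.json dependency map against the set of internal names and a
// snapshot of the public registry: report internal names that are unscoped and
// either already exist publicly or are requested with a floating range.
function auditDependencies(deps, internalNames, publicIndex) {
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    if (!internalNames.has(name) || name.startsWith('@')) continue;
    const reasons = [];
    if (publicIndex[name]) reasons.push('same name exists on public registry');
    if (isFloatingRange(range)) reasons.push(`floating range "${range}"`);
    if (reasons.length) findings.push({ name, range, reasons });
  }
  return findings;
}

// Constructed sample data: an internal library published unscoped and scoped,
// and a public package of the same unscoped name with a very large version.
const registries = {
  internal: { 'corp-auth-lib': ['1.4.0', '1.4.1'], '@corp/auth-lib': ['1.4.1'] },
  public:   { 'corp-auth-lib': ['99.0.0'], 'lodash': ['4.17.21'] },
};
const packageJsonDeps = { 'corp-auth-lib': 'latest', 'lodash': '4.17.21', '@corp/auth-lib': '^1.4.0' };
const internalNames = new Set(['corp-auth-lib', '@corp/auth-lib']);

function demo() {
  const confused = resolveHighestAcrossRegistries('corp-auth-lib', registries);
  const scoped = resolveScoped('@corp/auth-lib', { '@corp': 'internal' }, registries);
  const findings = auditDependencies(packageJsonDeps, internalNames, registries.public);
  return { confused, scoped, findings };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the sample run the unscoped name resolves to the public 99.0.0 copy while the scoped name resolves to the internal 1.4.1, and the audit reports only `corp-auth-lib`. The same two controls the model encodes, a scope mapped to a single registry and a pinned (lockfile) version rather than a floating range, are the ones that keep a build from reaching outside the organization for a name it already owns.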
