Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Uber, and many other major companies are at risk of getting hacked. Alex Birsan, an ethical hacker, demonstrated how public and open-source developer tools can be exploited to break into organizations’ internal applications.
Security researcher Alex Birsan demonstrated a novel supply-chain attack that injects malicious code into common developer tools, exploiting the way dependencies are resolved to propagate malware through a company’s internal applications and systems.
In a blog post, Birsan revealed the startling results of his tests. “The rate was simply astonishing,” Birsan wrote. The vulnerabilities he exposed are present in more than 35 organizations to date, across three widely used programming languages: Python, Java, and Ruby.
The researcher received more than $130,000 in bug bounties and pre-approved financial agreements with the targeted companies that participated in the tests. The hacker’s original clients were PayPal, Apple, and Shopify, who contributed $30,000 each to the total earnings.
About the Test
Because developers commonly share blocks of code between projects, including code downloaded from public platforms such as GitHub and RubyGems, Birsan questioned the level of trust developers place in code packages that could as easily be malicious as authentic.
“When downloading and using a package from any of these sources, you are essentially trusting its publisher to run code on your machine,” Birsan wrote.
Birsan collaborated with another ethical hacker, Justin Gardner, to investigate Node.js source code from GitHub that was part of PayPal's internal application infrastructure. When analyzing the material, the two discovered weaknesses, which Birsan used to sneak his “malicious” code into PayPal’s internal infrastructure.
The researcher explained that he used a Node package that collects basic information about each machine it is installed on. To avoid exposing any private data, the package logged only the username, hostname, and current path of each unique installation.
Birsan explained that this collected data, along with the external IP address of each machine, is more than enough to help security teams identify possibly vulnerable systems, yet minimal enough that his test would not be mistaken for a cyber attack.
Birsan then used DNS exfiltration to retrieve the data, because this traffic is less likely to be blocked or detected. He explained that he hex-encoded the data and embedded it in a DNS query to his custom authoritative name server, which was programmed to keep a record of every machine on which the packages were downloaded.
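A defender-side detection heuristic for the hex-in-DNS pattern described above, added here as an example (not Birsan’s code): it scans constructed DNS query records for labels that decode from hex to printable text and surfaces the decoded payload so an analyst can see what left the network. The log format, hostnames and thresholds are assumptions.

```python
import re

# Constructed sample DNS query records as (source IP, queried name); not real data.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    # Three hex labels carrying hostname, username and path (constructed).
    ("10.0.0.5", "6275696c642d3031.726f6f74.2f6f70742f617070.probe.example.net"),
    ("10.0.0.7", "cdn.assets.example.com"),
    # Hex-looking label that is not text (e.g. a content hash); should not fire.
    ("10.0.0.9", "deadbeef.example.net"),
]

HEX_LABEL = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)


def hex_labels(name):
    """Return labels that are even-length hex strings long enough to carry data."""
    return [lbl for lbl in name.split(".")
            if len(lbl) >= 8 and len(lbl) % 2 == 0 and HEX_LABEL.match(lbl)]


def decode_hex_labels(labels):
    """Decode hex labels to text; return None if any label is not printable ASCII."""
    out = []
    for lbl in labels:
        try:
            text = bytes.fromhex(lbl).decode("ascii")
        except ValueError:  # UnicodeDecodeError is a subclass of ValueError
            return None
        if not text.isprintable():
            return None
        out.append(text)
    return out


def flag_exfil_candidates(queries, min_payload_bytes=12):
    """Flag queries whose hex labels decode to at least min_payload_bytes of text."""
    findings = []
    for src, name in queries:
        decoded = decode_hex_labels(hex_labels(name))
        if decoded and len("".join(decoded)) >= min_payload_bytes:
            findings.append((src, name, decoded))
    return findings


if __name__ == "__main__":
    for src, name, decoded in flag_exfil_candidates(SAMPLE_QUERIES):
        print(f"{src} -> {name}: {decoded}")
```

Content-hash labels on CDNs are the main false-positive source; the printable-text check filters most of them, and the remainder is best handled with an allowlist of known zones.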
Armed with a basic attack method, Birsan dug deeper into the attack vector to gauge its feasibility and damage potential. He used the same trick for the Ruby and Java programming languages and, in just a few days, discovered private package names belonging to Apple, Yelp, and Tesla.
“The vast majority of the affected companies fall into the 1000+ employees category, which most likely reflects the higher prevalence of internal library usage within larger organizations,” Birsan pointed out.
The researcher warns that this type of vulnerability could allow malicious actors to gain access to companies’ networks, execute code remotely, and even add backdoors during builds.