Se ha denunciado esta presentación.
Se está descargando tu SlideShare. ×

Developer in a digital crosshair, 2022 edition - Oh My H@ck!

Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio

Eche un vistazo a continuación

1 de 113 Anuncio

Developer in a digital crosshair, 2022 edition - Oh My H@ck!

Descargar para leer sin conexión

Attacks on third-party libraries and tools that are often used while developing software have become dramatically frequent. 

Among these attacks, one can find dependency confusion, issues in popular dev tools (Codecov, Homebrew, npm...), typosquatting, incidents (PHP, GitHub...), or malicious changes in popular dependencies (UAParser.js, coa, node-ipc...). I will share a lot of gripping real-life examples of such attacks, their causes and effects, and help you stay secure while developing software. 

Attacks on third-party libraries and tools that are often used while developing software have become dramatically frequent. 

Among these attacks, one can find dependency confusion, issues in popular dev tools (Codecov, Homebrew, npm...), typosquatting, incidents (PHP, GitHub...), or malicious changes in popular dependencies (UAParser.js, coa, node-ipc...). I will share a lot of gripping real-life examples of such attacks, their causes and effects, and help you stay secure while developing software. 

Anuncio
Anuncio

Más Contenido Relacionado

Más de SecuRing (20)

Más reciente (20)

Anuncio

Developer in a digital crosshair, 2022 edition - Oh My H@ck!

  1. 1. Mateusz Olejarka
  2. 2. BIO • Principal Security Consultant @ SecuRing • Head of Web Security • Co-author of Security Aware Developer training • Ex-developer https://www.linkedin.com/in/molejarka/ https://twitter.com/molejarka
  3. 3. Agenda • Attacks on libraries • Attacks on tools • Attacks on infrastructure • Summary
  4. 4. Attacks on libraries https://flickr.com/photos/29233640@N07/
  5. 5. Complexity https://sambleckley.com/writing/npm.html
  6. 6. Complexity https://sambleckley.com/writing/npm.html
  7. 7. Fun fact https://www.npmjs.com/package/-
  8. 8. Fun fact https://cdn.jsdelivr.net/npm/-@0.0.1/
  9. 9. Fun fact https://web.archive.org/web/20201118151234/https://www.npmjs.com/package/-
  10. 10. Interview I mean no harm to anyone in any way https://www.bleepingcomputer.com/news/software/empty-npm-package-has-over-700-000-downloads-heres-why/
  11. 11. Interview Parzhitsky agrees [...] that the unusually high number of downloads can most likely be attributed to developers making typos
  12. 12. Attacks on libraries • Typosquatting • Dependency confusion • Maintainer’s account takeover • Protestware
  13. 13. Typosquatting https://www.npmjs.com/package/electorn
  14. 14. electron electorn Typosquatting
  15. 15. https://www.mend.io/resources/blog/cybercriminals-targeted-users-of-packages-with-a-total-of-1-5-billion-weekly-downloads-on-npm Typosquatting
  16. 16. Typosquatting + adware https://socket.dev/blog/whats-in-your-npm-stat-counter
  17. 17. Typosquatting https://www.iqt.org/bewear-python-typosquatting-is-about-more-than-typos/
  18. 18. Typosquatting and many more…
  19. 19. Dependency Confusion
  20. 20. Dependency Confusion What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones? https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
  21. 21. Maintainer’s account takeover
  22. 22. Maintainer’s account takeover https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29
  23. 23. Maintainer’s account takeover
  24. 24. Maintainer’s account takeover
  25. 25. Maintainer’s account takeover
  26. 26. Maintainer’s account takeover
  27. 27. Maintainer’s account takeover
  28. 28. Maintainer’s account takeover
  29. 29. Maintainer’s account takeover
  30. 30. Maintainer’s account takeover
  31. 31. Maintainer’s account takeover
  32. 32. Maintainer’s account takeover https://www.mend.io/resources/blog/popular-cryptocurrency-exchange-dydx-has-had-its-npm-account-hacked/
  33. 33. Expired domain https://twitter.com/lrvick/status/1523774962909298690
  34. 34. Expired domain https://www.npmjs.com/package/foreach
  35. 35. Expired domain https://github.com/manuelstofer/foreach/commit/644640c4c84abc415140b00c3629084e982f2182
  36. 36. colors and faker https://my.diffend.io/npm/colors/1.4.0/1.4.44-liberty-2
  37. 37. colors and faker https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
  38. 38. Protestware https://www.npmjs.com/package/node-ipc
  39. 39. Protestware https://my.diffend.io/npm/node-ipc/10.1.0/10.1.1
  40. 40. Protestware https://api.ipgeolocation.io/ipgeo?apiKey=[cut] ./ ../ ../../ / country_name russia belarus
  41. 41. ❤️ ❤️ Protestware
  42. 42. Protestware https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
  43. 43. https://blog.sonatype.com/all?q=package Some numbers Packages flagged as malicious, suspicious, or dependency confusion attacks in npm and PyPi: October 7, 2022 ~100 October 14, 2022 ~50 October 21, 2022 ~40 October 28, 2022 ~70 Weekly in September ~89 Weekly in October ~65
  44. 44. Attacks on tools https://flickr.com/photos/danielmee/
  45. 45. Attacks on Tools • Codecov • Homebrew • npm • Ruby Gems
  46. 46. On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission.
  47. 47. This customer was using the shasum that is available on our Bash Uploader to confirm the integrity of the uploader fetched from https://codecov.io/bash.
  48. 48. https://docs.codecov.com/docs/about-the-codecov-bash-uploader
  49. 49. https://gist.github.com/davidrans/ca6e9ffa5865983d9f6aa00b7a4a1d10
  50. 50. Our use of Codecov’s Bash Uploader script was limited: it was set up on a single CI server used to test and build some internal tooling […]. We were not using Codecov on any CI server used for product code. https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/
  51. 51. While investigation has not revealed evidence of unauthorized usage of the exposed GPG key, it has been rotated in order to maintain a trusted signing mechanism https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512
  52. 52. https://news.ycombinator.com/item?id=26819983
  53. 53. Homebrew In the Homebrew/homebrew-cask repository, it was possible to merge the malicious pull request by confusing the library that is used in the automated pull request review script developed by the Homebrew project. https://blog.ryotak.me/post/homebrew-security-incident-en/
  54. 54. Homebrew This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.
  55. 55. Homebrew By abusing it, an attacker could execute arbitrary Ruby codes on users' machine who uses brew. The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically
  56. 56. Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/
  57. 57. We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry.
  58. 58. This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously.
  59. 59. However, we can say with high confidence that this vulnerability has not been exploited maliciously during the timeframe for which we have available telemetry, which goes back to September 2020
  60. 60. Ruby Gems An ordering mistake in the code that accepts gem uploads allowed some gems […] to be temporarily replaced in the CDN cache by a malicious package https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w
  61. 61. Ruby Gems 1. An attacker could guess the next version number, and create a gem with the name sorbet-static-0.5.9996-universal- darwin and version number 20.
  62. 62. Ruby Gems 2. With a crafted invalid gemspec, it was possible to coerce RubyGems.org to save that gem to S3 without creating a matching database record.
  63. 63. Ruby Gems 3. Later, the real sorbet-static gem would release version 0.5.9996 as usual, and the attacker-controlled file would be overwritten on S3.
  64. 64. Ruby Gems 4. However, if the attacker had already primed the Fastly CDN cache by requesting their malicious gem, Fastly would continue to serve the old, malicious package.
  65. 65. Attacks on infrastruct ure https://flickr.com/photos/quinnanya/
  66. 66. Attacks on infrastructure • PHP • GitHub
  67. 67. Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account). https://news-web.php.net/php.internals/113838
  68. 68. Something I was not aware of at the time is that git.php.net (intentionally) supported pushing changes not only via SSH […] but also via HTTPS. The latter did not use gitolite, and instead used git-http- backend behind Apache2 Digest authentication against the master.php.net user database. https://news-web.php.net/php.internals/113981
  69. 69. It is notable that the attacker only makes a few guesses at usernames, and successfully authenticates once the correct username has been found. While we don't have any specific evidence for this, a possible explanation is that the user database of master.php.net has been leaked
  70. 70. The master.php.net system, which is used for authentication and various management tasks, was running very old code on a very old operating system / PHP version, so some kind of vulnerability would not be terribly surprising.
  71. 71. On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/
  72. 72. Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.
  73. 73. GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users.
  74. 74. We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats.
  75. 75. On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. https://status.heroku.com/incidents/2413
  76. 76. On that same day, the threat actor downloaded data from another database that stores pipeline-level config vars for Review Apps and Heroku CI. Additionally, another small subset of Heroku users had their Heroku tokens exposed in a config var for a pipeline.
  77. 77. On April 15, 2022, Travis CI personnel were informed that certain private customer repositories may have been accessed by an individual who used a man-in-the-middle 2FA attack, leveraging a third-party integration token. https://blog.travis-ci.com/2022-04-17-securitybulletin
  78. 78. Upon further review that same day, Travis CI personnel learned that the hacker breached a Heroku service and accessed a private application OAuth key used to integrate the Heroku and Travis CI application.
  79. 79. Travis CI immediately revoked all authorization keys and tokens preventing any further access to our systems. No customer data was exposed and no further access was possible.
  80. 80. https://flickr.com/photos/143106192@N03/
  81. 81. Libraries
  82. 82. Libraries • Awareness
  83. 83. Libraries • Awareness • No typos ;)
  84. 84. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies
  85. 85. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies • Download from official sources
  86. 86. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies • Download from official sources • When not sure do not install
  87. 87. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies • Download from official sources • When not sure do not install • Enable 2FA (as a maintainer)
  88. 88. Enforcing 2FA • Top 100 packages • Started on: 1.02.2022 • Packages classified as critical: ~4000 • Started on: 8.07.2022 • Top 100 packages • Started on: 15.08.2022
  89. 89. Enforcing 2FA https://p.datadoghq.com/sb/7dc8b3250-389f47d638b967dbb8f7edfd4c46acb1?from_ts=1662376975438&to_ts=1662463375438&live=true
  90. 90. Enforcing 2FA https://pypistats.org/packages/atomicwrites
  91. 91. What can go wrong with enforcing 2fa? https://github.com/untitaker/python-atomicwrites/issues/61
  92. 92. atomicwrites I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so.
  93. 93. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies • Download from official sources • When not sure do not install • Enable 2FA (as a maintainer)
  94. 94. Tools
  95. 95. Tools • I will not download and run scripts directly from the net
  96. 96. Tools • I will not download and run scripts directly from the net • I will verify checksums and signatures of downloaded files
  97. 97. Tools • I will not download and run scripts directly from the net • I will verify checksums and signatures of downloaded files • I will install only from official sources
  98. 98. Tools • I will not download and run scripts directly from the net • I will verify checksums and signatures of downloaded files • I will install only from official sources • I will update frequently what I’ve already installed
  99. 99. Tools • I will not download and run scripts directly from the net • I will verify checksums and signatures of downloaded files • I will install only from official sources • I will update frequently what I’ve already installed
  100. 100. Infrastructure
  101. 101. Infrastructure • Keep good inventory, especially of what is in the clouds
  102. 102. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused
  103. 103. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused • Secure configurations
  104. 104. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused • Secure configurations • Frequently update (to fix known issues)
  105. 105. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused • Secure configurations • Frequently update (to fix known issues) • Monitor, monitor, monitor
  106. 106. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused • Secure configurations • Frequently update (to fix known issues) • Monitor, monitor, monitor
  107. 107. 2023? • Google Assured Open Source Software • Google Software Delivery Shield • Widespread MFA adoption • Built-in detection of typosquatting
  108. 108. https://www.linkedin.com/in/molejarka/ https://twitter.com/molejarka

×