Developer in a digital crosshair, 2022 edition - Oh My H@ck!

1. Mateusz Olejarka

2. BIO • Principal Security Consultant @ SecuRing • Head of Web Security • Co-author of Security Aware Developer training • Ex-developer https://www.linkedin.com/in/molejarka/ https://twitter.com/molejarka

3. Agenda • Attacks on libraries • Attacks on tools • Attacks on infrastructure • Summary

4. Attacks on libraries https://flickr.com/photos/29233640@N07/

5. Complexity https://sambleckley.com/writing/npm.html

6. Complexity https://sambleckley.com/writing/npm.html

7. Fun fact https://www.npmjs.com/package/-

8. Fun fact https://cdn.jsdelivr.net/npm/-@0.0.1/

9. Fun fact https://web.archive.org/web/20201118151234/https://www.npmjs.com/package/-

10. Interview I mean no harm to anyone in any way https://www.bleepingcomputer.com/news/software/empty-npm-package-has-over-700-000-downloads-heres-why/

11. Interview Parzhitsky agrees [...] that the unusually high number of downloads can most likely be attributed to developers making typos

12. Attacks on libraries • Typosquatting • Dependency confusion • Maintainer’s account takeover • Protestware

13. Typosquatting https://www.npmjs.com/package/electorn

14. electron electorn Typosquatting

15. https://www.mend.io/resources/blog/cybercriminals-targeted-users-of-packages-with-a-total-of-1-5-billion-weekly-downloads-on-npm Typosquatting

16. Typosquatting + adware https://socket.dev/blog/whats-in-your-npm-stat-counter

17. Typosquatting https://www.iqt.org/bewear-python-typosquatting-is-about-more-than-typos/

18. Typosquatting and many more…

19. Dependency Confusion

20. Dependency Confusion What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones? https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

21. Maintainer’s account takeover

22. Maintainer’s account takeover https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29

32. Maintainer’s account takeover https://www.mend.io/resources/blog/popular-cryptocurrency-exchange-dydx-has-had-its-npm-account-hacked/

33. Expired domain https://twitter.com/lrvick/status/1523774962909298690

34. Expired domain https://www.npmjs.com/package/foreach

35. Expired domain https://github.com/manuelstofer/foreach/commit/644640c4c84abc415140b00c3629084e982f2182

36. colors and faker https://my.diffend.io/npm/colors/1.4.0/1.4.44-liberty-2

37. colors and faker https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

38. Protestware https://www.npmjs.com/package/node-ipc

39. Protestware https://my.diffend.io/npm/node-ipc/10.1.0/10.1.1

40. Protestware https://api.ipgeolocation.io/ipgeo?apiKey=[cut] ./ ../ ../../ / country_name russia belarus

41. ❤️ ❤️ Protestware

42. Protestware https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/

43. https://blog.sonatype.com/all?q=package Some numbers Packages flagged as malicious, suspicious, or dependency confusion attacks in npm and PyPi: October 7, 2022 ~100 October 14, 2022 ~50 October 21, 2022 ~40 October 28, 2022 ~70 Weekly in September ~89 Weekly in October ~65

44. Attacks on tools https://flickr.com/photos/danielmee/

45. Attacks on Tools • Codecov • Homebrew • npm • Ruby Gems

46. On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission.

47. This customer was using the shasum that is available on our Bash Uploader to confirm the integrity of the uploader fetched from https://codecov.io/bash.

48. https://docs.codecov.com/docs/about-the-codecov-bash-uploader

49. https://gist.github.com/davidrans/ca6e9ffa5865983d9f6aa00b7a4a1d10

50. Our use of Codecov’s Bash Uploader script was limited: it was set up on a single CI server used to test and build some internal tooling […]. We were not using Codecov on any CI server used for product code. https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/

51. While investigation has not revealed evidence of unauthorized usage of the exposed GPG key, it has been rotated in order to maintain a trusted signing mechanism https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512

52. https://news.ycombinator.com/item?id=26819983

53. Homebrew In the Homebrew/homebrew-cask repository, it was possible to merge the malicious pull request by confusing the library that is used in the automated pull request review script developed by the Homebrew project. https://blog.ryotak.me/post/homebrew-security-incident-en/

54. Homebrew This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.

55. Homebrew By abusing it, an attacker could execute arbitrary Ruby codes on users' machine who uses brew. The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically

56. Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/

57. We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry.

58. This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously.

59. However, we can say with high confidence that this vulnerability has not been exploited maliciously during the timeframe for which we have available telemetry, which goes back to September 2020

60. Ruby Gems An ordering mistake in the code that accepts gem uploads allowed some gems […] to be temporarily replaced in the CDN cache by a malicious package https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w

61. Ruby Gems 1. An attacker could guess the next version number, and create a gem with the name sorbet-static-0.5.9996-universal- darwin and version number 20.

62. Ruby Gems 2. With a crafted invalid gemspec, it was possible to coerce RubyGems.org to save that gem to S3 without creating a matching database record.

63. Ruby Gems 3. Later, the real sorbet-static gem would release version 0.5.9996 as usual, and the attacker-controlled file would be overwritten on S3.

64. Ruby Gems 4. However, if the attacker had already primed the Fastly CDN cache by requesting their malicious gem, Fastly would continue to serve the old, malicious package.

65. Attacks on infrastruct ure https://flickr.com/photos/quinnanya/

66. Attacks on infrastructure • PHP • GitHub

67. Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account). https://news-web.php.net/php.internals/113838

68. Something I was not aware of at the time is that git.php.net (intentionally) supported pushing changes not only via SSH […] but also via HTTPS. The latter did not use gitolite, and instead used git-http- backend behind Apache2 Digest authentication against the master.php.net user database. https://news-web.php.net/php.internals/113981

69. It is notable that the attacker only makes a few guesses at usernames, and successfully authenticates once the correct username has been found. While we don't have any specific evidence for this, a possible explanation is that the user database of master.php.net has been leaked

70. The master.php.net system, which is used for authentication and various management tasks, was running very old code on a very old operating system / PHP version, so some kind of vulnerability would not be terribly surprising.

71. On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/

72. Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.

73. GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users.

74. We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats.

75. On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. https://status.heroku.com/incidents/2413

76. On that same day, the threat actor downloaded data from another database that stores pipeline-level config vars for Review Apps and Heroku CI. Additionally, another small subset of Heroku users had their Heroku tokens exposed in a config var for a pipeline.

77. On April 15, 2022, Travis CI personnel were informed that certain private customer repositories may have been accessed by an individual who used a man-in-the-middle 2FA attack, leveraging a third-party integration token. https://blog.travis-ci.com/2022-04-17-securitybulletin

78. Upon further review that same day, Travis CI personnel learned that the hacker breached a Heroku service and accessed a private application OAuth key used to integrate the Heroku and Travis CI application.

79. Travis CI immediately revoked all authorization keys and tokens preventing any further access to our systems. No customer data was exposed and no further access was possible.

80. https://flickr.com/photos/143106192@N03/

81. Libraries

82. Libraries • Awareness

83. Libraries • Awareness • No typos ;)

84. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies

85. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies • Download from official sources

86. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies • Download from official sources • When not sure do not install

87. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies • Download from official sources • When not sure do not install • Enable 2FA (as a maintainer)

88. Enforcing 2FA • Top 100 packages • Started on: 1.02.2022 • Packages classified as critical: ~4000 • Started on: 8.07.2022 • Top 100 packages • Started on: 15.08.2022

89. Enforcing 2FA https://p.datadoghq.com/sb/7dc8b3250-389f47d638b967dbb8f7edfd4c46acb1?from_ts=1662376975438&to_ts=1662463375438&live=true

90. Enforcing 2FA https://pypistats.org/packages/atomicwrites

91. What can go wrong with enforcing 2fa? https://github.com/untitaker/python-atomicwrites/issues/61

92. atomicwrites I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so.

93. Libraries • Awareness • No typos ;) • Use tools to detect malicious dependencies • Download from official sources • When not sure do not install • Enable 2FA (as a maintainer)

94. Tools

95. Tools • I will not download and run scripts directly from the net

96. Tools • I will not download and run scripts directly from the net • I will verify checksums and signatures of downloaded files

97. Tools • I will not download and run scripts directly from the net • I will verify checksums and signatures of downloaded files • I will install only from official sources

98. Tools • I will not download and run scripts directly from the net • I will verify checksums and signatures of downloaded files • I will install only from official sources • I will update frequently what I’ve already installed

99. Tools • I will not download and run scripts directly from the net • I will verify checksums and signatures of downloaded files • I will install only from official sources • I will update frequently what I’ve already installed

100. Infrastructure

101. Infrastructure • Keep good inventory, especially of what is in the clouds

102. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused

103. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused • Secure configurations

104. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused • Secure configurations • Frequently update (to fix known issues)

105. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused • Secure configurations • Frequently update (to fix known issues) • Monitor, monitor, monitor

106. Infrastructure • Keep good inventory, especially of what is in the clouds • Disable/shutdown what’s unused • Secure configurations • Frequently update (to fix known issues) • Monitor, monitor, monitor

107. 2023? • Google Assured Open Source Software • Google Software Delivery Shield • Widespread MFA adoption • Built-in detection of typosquatting

108. https://www.linkedin.com/in/molejarka/ https://twitter.com/molejarka

Developer in a digital crosshair, 2022 edition - Oh My H@ck!

Estás leyendo una previsualización.

Eche un vistazo a continuación

Developer in a digital crosshair, 2022 edition - Oh My H@ck!

Más Contenido Relacionado

Más de SecuRing (20)

Más reciente (20)