Researcher Hacks Microsoft and Apple Using "Dependency Confusion" 😕, Fake Chrome Extensions Steal Credentials 🌐, US Town's Water Supply Hacked 🚰

CyberLite Feb 16, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!


😕 Security Researcher Hacks into Apple, Microsoft and Dozens of Companies Using “Dependency Confusion”

Alex Birsan disclosed this week a novel attack technique that he called dependency confusion.

So What’s That?

The vast majority of software today uses functionality from third-party packages, also known as dependencies. Some programming languages, like Python, have official tools for installing these packages. These tools link to public online repositories, which are large collections of packages that anyone can upload a package to. For example, Python uses the pip tool to install packages from the PyPI (Python Package Index).

Developers also create their own private packages; these aren’t found on public package repositories and are hosted internally on an organization’s servers. It’s very common for programs to use a combination of public and private dependencies - this is what Alex Birsan was able to exploit.

Alex found out the names of the private packages used by an organization and then uploaded a fake package with the same name to a public repository. When the organization used a tool like pip to install its packages, Alex’s fake package was installed instead of the private one. This is because many package installers simply install whichever copy of a package has the highest version number and don’t give private packages priority - so by setting the version number of his fake packages very high, he was able to override an organization’s private packages nearly every time.

To get an idea of the potential impact that these types of attacks can have it’s important to understand just how frequently packages are downloaded. Over a billion packages are downloaded daily from npm, which is the world’s largest package repository.

Who Was Affected

The list of companies that Alex was able to hack and the speed at which he did it is pretty mind-boggling. Within hours of uploading a fake Ruby package named “shopify-cloud”, the package had already been run by Shopify, the Canadian e-commerce giant. Alex detected the vulnerability in 35 organizations including Netflix, Yelp, Uber, Apple and PayPal.

Protecting Against Dependency Confusion

Microsoft published a whitepaper in response to Alex’s disclosure giving organizations advice on combating these types of attacks. The key takeaway is to make sure that details about your private packages aren’t available publicly. For example, a common practice for JavaScript is to have a file called package.json that contains the names of all the dependencies you’re using - many affected organizations had their package.json files viewable on sites like GitHub.
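To make the “highest version wins” behaviour concrete, here is a small Python model of the two resolver behaviours described above, plus the check Microsoft’s advice boils down to. This is an added example written for this issue, not code from Alex Birsan’s research or from Microsoft’s whitepaper. The two package indexes, the package names (the “acme-” packages) and the version numbers are all constructed for the example; the version parsing is deliberately minimal and only handles dotted integers.

```python
"""Dependency confusion, modelled as a resolver (constructed example)."""

from typing import Dict, List, Optional, Set, Tuple

# Constructed sample indexes: package name -> versions available there.
PRIVATE_INDEX: Dict[str, List[str]] = {
    "acme-internal-utils": ["1.4.0", "1.5.2"],
    "acme-billing-client": ["0.9.1"],
}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "requests": ["2.25.0", "2.25.1"],
    # Constructed: a same-named package with an absurdly high version number
    # uploaded to the public index by someone who learned the private name.
    "acme-internal-utils": ["99.0.0"],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.5.2' -> (1, 5, 2), so that 10.0.0 sorts above 9.0.0 (string comparison would not)."""
    return tuple(int(part) for part in version.split("."))


def resolve_naive(name: str) -> Optional[Tuple[str, str]]:
    """The behaviour the article describes: merge candidates from every configured
    index and pick the highest version, regardless of which index it came from.
    Returns (version, index_name) or None if nobody has the package."""
    candidates = []
    for index_name, index in (("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)):
        for version in index.get(name, []):
            candidates.append((parse_version(version), version, index_name))
    if not candidates:
        return None
    _, version, index_name = max(candidates)  # highest parsed version wins
    return version, index_name


def resolve_pinned(name: str, private_names: Set[str]) -> Optional[Tuple[str, str]]:
    """Hardened behaviour: a name that is declared private is only ever looked up
    on the private index, so nothing on the public index can shadow it."""
    if name in private_names:
        versions, index_name = PRIVATE_INDEX.get(name, []), "private"
    else:
        versions, index_name = PUBLIC_INDEX.get(name, []), "public"
    if not versions:
        return None
    return max(versions, key=parse_version), index_name


def find_public_collisions(private_names: Set[str]) -> List[str]:
    """The check a defender should run: which of our private package names already
    exist on the public index? Any hit is either a squatted copy or a name clash."""
    return sorted(name for name in private_names if name in PUBLIC_INDEX)


if __name__ == "__main__":
    private = set(PRIVATE_INDEX)
    for pkg in ("acme-internal-utils", "requests"):
        print(pkg, "naive ->", resolve_naive(pkg), "pinned ->", resolve_pinned(pkg, private))
    print("private names visible on the public index:", find_public_collisions(private))
```

Run as a script it shows the naive resolver handing out the 99.0.0 copy of acme-internal-utils from the public index while the pinned resolver sticks with 1.5.2 from the private one. In real tooling the equivalent of `resolve_pinned` is telling the installer which index owns which names (for example npm scopes mapped to a private registry, or a single private index that proxies the public one) rather than listing several indexes side by side.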


🌐 Chrome Extensions Back at it Again

The discovery of malicious extensions in the Chrome Web Store has become a common occurrence recently; one recent example was the “messaging” extensions found stealing Facebook data. But this week brought a new way in which extensions can be abused by cybercriminals.

In the attack technique disclosed this week, Chrome extensions weren’t used to gain access to a user’s system; they were used to communicate with systems that the attackers already had access to.

Attackers installed Chrome extensions directly from a folder on the victims’ computers, rather than installing them from the Chrome Web Store. They then abused the fact that extensions can store and sync data using a Google account. If the attacker signs into Chrome on the compromised system, then any data the extension stores is synced to the attacker’s Google account. To retrieve that data, the attacker simply signs in to Chrome with the same account on any other computer. This gives an attacker an easy way to move small amounts of data back and forth.
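The detail worth acting on here is that the extensions were loaded from a folder, not from the Web Store, and Chrome records that distinction per extension in the profile’s Preferences file. Below is an added example of a small audit script that reads such a file and lists extensions that were not installed from the Web Store, noting whether each one asks for the “storage” permission (the permission needed to use Chrome’s synced extension storage). This is not code from the report described above. The file layout it parses (an `extensions.settings` map keyed by extension id, with `location`, `from_webstore`, `path` and a copy of the `manifest`) and the location codes (1 normal install, 4 unpacked, 5 component) are my reading of Chrome’s profile format and should be verified against the Chrome version you run; the sample fragment and extension ids are constructed.

```python
"""Audit a Chrome Preferences file for extensions loaded from disk (constructed example)."""

import json
import sys
from typing import Any, Dict, List

# Manifest location codes as Chrome stores them in Preferences. These values are
# an assumption about Chrome's internals, not something the article states.
LOCATION_INTERNAL = 1    # normal install, e.g. from the Web Store
LOCATION_UNPACKED = 4    # "Load unpacked" from a folder on disk
LOCATION_COMPONENT = 5   # built into Chrome itself; expected to lack from_webstore

# Constructed fragment of a Preferences file; ids are placeholders, not real extensions.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "location": LOCATION_INTERNAL,
                "from_webstore": True,
                "manifest": {"name": "Example Store Extension", "permissions": ["tabs"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "location": LOCATION_UNPACKED,
                "from_webstore": False,
                "path": "C:\\Users\\Public\\ext\\",
                "manifest": {"name": "Sync Helper", "permissions": ["storage"]},
            },
            "cccccccccccccccccccccccccccccccc": {
                "location": LOCATION_COMPONENT,
                "from_webstore": False,
                "manifest": {"name": "Built-in Component", "permissions": []},
            },
        }
    }
})


def find_sideloaded(prefs_text: str) -> List[Dict[str, Any]]:
    """Return one record per extension that did not come from the Web Store.
    Chrome's own component extensions are skipped so they do not drown out real findings."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings: List[Dict[str, Any]] = []
    for ext_id, entry in settings.items():
        location = entry.get("location")
        if location == LOCATION_COMPONENT:
            continue
        if location == LOCATION_UNPACKED or not entry.get("from_webstore", False):
            manifest = entry.get("manifest", {})
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "<unnamed>"),
                "path": entry.get("path", ""),
                "unpacked": location == LOCATION_UNPACKED,
                # chrome.storage (including the synced area) requires this permission.
                "uses_storage": "storage" in manifest.get("permissions", []),
            })
    return findings


def audit_file(path: str) -> List[Dict[str, Any]]:
    """Read a real Preferences (or Secure Preferences) file and audit it."""
    with open(path, encoding="utf-8") as handle:
        return find_sideloaded(handle.read())


if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else find_sideloaded(SAMPLE_PREFERENCES)
    for item in results:
        flag = "UNPACKED" if item["unpacked"] else "non-store"
        print(f"{flag:9} {item['id']} {item['name']!r} path={item['path']!r} storage={item['uses_storage']}")
```

Run with no arguments it audits the constructed sample and reports only the unpacked “Sync Helper” entry; run with a path it audits that file. On Windows the file lives under `%LOCALAPPDATA%\Google\Chrome\User Data\<profile>\` as `Preferences` or `Secure Preferences` (recent Chrome versions keep the extension settings in the latter), so check both. An unpacked extension with the storage permission on a machine where nobody develops extensions is exactly the combination this story describes and is worth a closer look.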


🎣 Phishing Tool U-admin Author Arrested

The FBI and Australian authorities arrested the author of the popular phishing tool U-admin this week. U-admin could be used to create fake phishing webpages and track victims. Its unique feature was that it allowed attackers to modify webpages whilst users were on them.

This opened up lots of possibilities for attackers, namely making it easy to collect two-factor authentication (2FA) codes that had been sent to a user’s device. An attacker could get a victim to enter their password into the phishing site and use those credentials to log in to the real account. Then, when the legitimate site sends the victim a 2FA code, the attacker can update the phishing site with a new window asking the victim to enter this code, enabling the attacker to steal the code and use it to log in themselves.

A demonstration video showing the real-time editing capabilities of the U-Admin phishing kit. Credit: blog.bushidotoken.net

🚰 Water Chemical Levels Modified by a Hacker in US Town

Florida county sheriff Bob Gualtieri held a news conference this week about an attempt to poison the water supply of the town of Oldsmar.

The attack was poorly carried out and very easy to detect, but the ease with which it was possible raises a few alarm bells. The attacker raised the level of sodium hydroxide in the water to 100 times the normal level - something the system wasn’t capable of actually doing, so it was immediately obvious that something had been tampered with. It is presumed that the hacker found the credentials required to do this leaked somewhere online.

Whilst this attack had no impact and was quickly remediated, it highlights that many facilities like this are unattended, underfunded, and don’t have someone watching their IT operations 24/7. Systems that have an impact on public safety need robust and secure safety systems, as the next attack might not be so obvious.


🔥 Rapid Fire

Some shorter stories…

📱 Hackers altered an update to a popular Android barcode scanning app to make ads pop up constantly for millions of users. Another example of hackers targeting an organization’s update infrastructure as a means of inserting their own code. Link.

💳 Credit card skimmers are popular types of malware that steal credit card details online. Malwarebytes this week reported a new type of skimmer that searched for sites that were already infected with other popular skimmers - and just copied the stolen card details from them. Work smarter not harder. Link.

🛑 Twitter was forced to block hundreds of accounts this week after the Indian government threatened legal action against its employees. Twitter certainly wasn’t happy about complying with the request, finishing their blog post with “We remain committed to safeguarding the health of the conversation occurring on Twitter, and strongly believe that the Tweets should flow.” These types of requests are going to keep coming; deciding how social media companies should handle them is going to remain a hot topic. Link.

🎮 CD Projekt Red, the largest video game company in Europe, experienced a ransomware attack this week. After the company refused to pay the ransom, the source code of their most popular games was put up for auction online starting at £1 million. There has been little interest thus far; many have questioned what value the code has. Gaming companies are increasingly targeted for ransomware as they store lots of valuable customer data, but the attackers didn’t get hold of any this time. Link.

🔐 Security firm Proofpoint registered domains such as facbook-login.com and facbook-login.net to train users to detect phishing scams. Facebook wasn’t a big fan so forced the domain name registrar Namecheap to hand over control of the domains to them. Proofpoint is suing Facebook to regain control of the domains. There’s an interesting precedent to be set here one way or another. Link.

📞 A European crime gang that stole $100 million from celebrities using a technique known as SIM swapping has been arrested. SIM swapping involves convincing a mobile service provider to move a phone number from one SIM card to another - in this case onto a SIM card owned by the criminals. The criminal can then use this SIM card to receive authentication codes for bank accounts and other online accounts. Link.


🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week - we had February's Patch Tuesday last week so there’s lots to dive into! Patch Tuesday is when Microsoft and other software makers like Adobe all release security updates - it’s the second Tuesday of each month.

Microsoft fixed 56 security holes with nine earning the most urgent critical rating. One flaw was being exploited in the wild and allowed attackers to escalate their privilege on a device if they already had access to it. A DNS server bug gained the critical rating as it allowed arbitrary software to be installed. Link.

Adobe fixed a heap buffer overflow vulnerability that was being exploited in the wild to execute arbitrary code. Link.

Intel issued fixes for five high severity vulnerabilities in its graphics drivers. Attackers could exploit these flaws to escalate their privileges, steal sensitive data or launch denial-of-service attacks. Link.

Another week, another vulnerable WordPress plug-in. Up this week is the NextGen Gallery plug-in. It contained a cross-site request forgery (CSRF) flaw. A full explainer for this type of vulnerability can be found in this week’s guide. Link.

SAP (a leading cloud software provider) disclosed a critical vulnerability in its SAP Commerce platform which could be exploited to give an attacker remote code execution. SAP claims to have over 200 million users across all of its platforms. Link.


💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

🗝 Authentication certainly isn’t just a modern problem; here’s a Twitter thread about medieval authentication techniques. Link.

💰 A research group estimated that ransomware revenue for 2020 was at least £350 million, four times more than in 2019. Link.

🐛 bugbountyhunting.com is a massive collection of write-ups from security researchers about how they found vulnerabilities in popular platforms. This is a great resource for seeing how different types of vulnerabilities are discovered/exploited. Link.


❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!


🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!

Oli

Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.
