Security researchers has detailed a supply chain attack technique called Dependency Confusion or a Substitution Attack, which can attack hybrid package manager configurations inside large corporations.
The Dependency Confusion technique revolves around concepts such as package managers, public and private package repositories, and build processes.
- Researchers have proved that using this technique threat actors can sneak their malicious code inside private code repositories after learning and registering internal library names on public package indexes.
- This technique creates a high risk for tech firms that rely on public package portals, such as npm, PyPI, RubyGems, JFrog, and NuGet, to download and import libraries for the app-building process.
- Researchers were through in loading their (non-malicious) code inside apps used by 35 major tech firms, such as Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Uber, after using names of various internal libraries on package repositories.
Once this made public Microsoft published a white paper identifying the issue as CVE-2021-24105 for their Azure Artifactory product, providing a series of mitigations that companies can apply to avoid such attacks. In addition, the researcher received a bug bounty amount of $40,000.
Recent supply chain attacks
- A supply chain attack campaign operation nightout was targeting Asian gamers. It abused the update mechanism of NoxPlayer, an Android emulator for Macs and PCs.
- Massive SolarWinds attack, there have been other supply chain attacks that have targeted a large number of federal and private agencies in the past two months.
Supply chain attacks are proving to be a major threat time and again. Companies are recommended to use controlled scopes on public package repositories to protect their private packages. To avoid any malicious intrusion attempt, client-side verification features such as version pinning and integrity verification can be helpful.