Microsoft Successfully Hit By Dependency Hijacking Again

Once again, Microsoft has been successfully hit by a dependency hijacking attack.

Previously, as BleepingComputer first reported, a researcher had ethically hacked more than 35 major technology companies, including Microsoft, by exploiting a weakness called “dependency confusion.”

This month, another researcher found an internal dependency name that was unclaimed on npm; after taking its place with a public package of the same name, he started receiving ping-backs from Microsoft’s servers.

Mysterious “quick search” dependency hijacked

Last week, researcher Ricardo Iramar dos Santos was auditing the open source package SymphonyElectron for bugs, which is when he came across a mysterious dependency used by the package.

This dependency was called “quick search,” but no package by that name existed in the public npmjs.com registry.

The “quick search” internal npm dependency used by the open source project (GitHub)

Realizing this, dos Santos registered a package with the same name in the npm registry, with his custom code (shown below in this article).

Previous Bleeping Computer articles on dependency confusion explain that the term represents an inherent weakness in various open source repository managers when it comes to retrieving specified dependencies for a software package.

If a project uses an internally created private dependency and a dependency with the same name also exists in a public repository, this would create “confusion” for development tools as to which dependency is referenced.

As such, the public dependency with the same name would be brought into the development environment instead of the intended private dependency.

“Dependency confusion” (or dependency hijacking) attacks therefore let an attacker inject code into an internal application through an automated supply chain attack: no phishing or credential theft is needed, only a public package name that collides with a private one.
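One defensive check that follows from the mechanism above, as an added example that is not code from the article or from the SymphonyElectron project: audit a package-lock.json for dependencies the organisation publishes only internally and flag any that were resolved from a host other than the private registry, or that use an unscoped name anyone can claim on npmjs.com. The package names, the registry host and the lockfile contents are all constructed for the example.

```javascript
// Added example: lockfile audit for dependency confusion. Constructed data,
// not the article's or the project's own code.

// Constructed: names the organisation publishes only on its private registry.
const INTERNAL_PACKAGES = ["intranet-search", "@acme/telemetry"];
const PRIVATE_REGISTRY_HOST = "npm.internal.example"; // constructed host

// Audit a parsed package-lock.json (lockfileVersion 2/3 "packages" map).
// Returns one finding per problem; an empty array means nothing was flagged.
function auditLockfile(lock, internalNames, privateHost) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // "" is the root project itself
    // Keys look like "node_modules/foo" or "node_modules/a/node_modules/@s/b".
    const marker = "node_modules/";
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    if (!internalNames.includes(name)) continue;
    if (!entry.resolved) {
      findings.push({ name, issue: "no resolved URL; provenance unknown" });
      continue;
    }
    const host = new URL(entry.resolved).host;
    if (host !== privateHost) {
      findings.push({ name, issue: `resolved from ${host}, expected ${privateHost}` });
    }
    if (!name.startsWith("@")) {
      findings.push({ name, issue: "unscoped internal name; anyone can claim it publicly" });
    }
  }
  return findings;
}

// Constructed lockfile: "intranet-search" has silently come from the public
// registry, exactly the swap dependency confusion relies on.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/intranet-search": { version: "99.0.0",
      resolved: "https://registry.npmjs.org/intranet-search/-/intranet-search-99.0.0.tgz" },
    "node_modules/@acme/telemetry": { version: "2.1.0",
      resolved: "https://npm.internal.example/@acme/telemetry/-/telemetry-2.1.0.tgz" },
    "node_modules/lodash": { version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK, INTERNAL_PACKAGES, PRIVATE_REGISTRY_HOST)) {
    console.log(`${f.name}: ${f.issue}`);
  }
}
```

Running this in CI before `npm ci` turns a silent registry swap into a failed build; scoping internal packages (and pinning the scope to the private registry in .npmrc) removes the name collision in the first place.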

In March this year, attackers took advantage of this technique to target prominent companies with malicious code, expanding the scope of this weakness beyond benign bug bounty research.

The counterfeit version of the “quick search” package published by dos Santos as part of this research has since been removed from the npm public registry.

However, as a Sonatype security researcher, I was able to obtain a copy from Sonatype’s automated malware detection systems, where it had been flagged as ‘malicious’ in April 2021:

package.json from inside the researcher’s “quick search” package posted on npmjs.com (BleepingComputer)

The code contained in the dos Santos package reads sensitive details from any system that installs it through dependency confusion and uploads them to the researcher’s PoC server.

These fields and files include:

  1. System hostname and account username
  2. Environment variables (env)
  3. Information about the name and version of the operating system
  4. System public IP address (IPv4 or IPv6)
  5. /etc/hosts file
  6. /etc/passwd file
  7. /etc/shadow file

Hacked Microsoft Halo game server responds

Within hours of publishing the package to the npm registry, the researcher noticed that he was receiving ping-backs from Microsoft’s servers.

“The DNS queries came from 13.66.137.90, which is a Microsoft DNS server, and then a POST request from 51.141.173.203, which is also a Microsoft (United Kingdom) IP address,” explains dos Santos in his blog post.

The researcher states that upon accessing https://51.141.173.203 he was presented with an SSL certificate that lists Microsoft as the organization, with the Common Name (CN) field set to *.test.svc.halowaypoint.com.

The domain halowaypoint.com belongs to the Halo video game series, published by Microsoft’s Xbox Game Studios.

This further confirmed the researcher’s suspicion that a Microsoft server had been successfully hit by his dependency hijacking attack, and the researcher contacted Microsoft.

Some of the data returned by the Microsoft server included the system username, paths to application development environments, various IDs, and so on.

As shown in the package code above, the researcher also attempted to read sensitive files on the system, including /etc/passwd and /etc/shadow.

The environment variables returned (the GitHub Actions paths below read “runner”; the original text had translated that word) were:

DEPLOYMENT_BASEPATH=/opt/runner
USER=runner
npm_config_user_agent=npm/6.14.12 node/v12.22.1 linux x64 ci/github-actions
GITHUB_ENV=/home/runner/work/_temp/_runner_file_commands/set_env_73c3242d-3ebe-4fef-b35e-4c01f044ff0b
PIPX_HOME=/opt/pipx
GRAALVM_11_ROOT=/usr/local/graalvm/graalvm-ce-java11-21.0.0.2
AZURE_EXTENSION_DIR=/opt/az/azcliextensions
npm_package_description=quick search
ImageVersion=20210412.1
SWIFT_PATH=/usr/share/swift/usr/bin
GITHUB_RUN_ID=773121366
GOROOT_1_16_X64=/opt/hostedtoolcache/go/1.16.3/x64
ANT_HOME=/usr/share/ant
RUNNER_TRACKING_ID=github_ade7a12e-905e-4b34-b09e-b3ddda770183
HOMEBREW_CELLAR=/home/linuxbrew/.linuxbrew/Cellar
npm_package_name=quick search

As confirmed by BleepingComputer, the SSL certificates presented by halowaypoint.com subdomains list Microsoft Corporation as the organization behind them, and the WHOIS records for 51.141.173.203 also list Microsoft as the responsible organization.

Subdomains of *.halowaypoint.com list Microsoft as the organization in their SSL certificates (BleepingComputer)

That said, we couldn’t find a reverse lookup record that directly associates the 51.141.173.203 IP address with a Microsoft domain or SSL certificate, indicating that the IP may have been taken offline following the researcher’s report.

BleepingComputer reached out to Microsoft for comment and they told us:

“We investigated and determined that the underlying issue had already been addressed prior to the report,” a Microsoft spokesperson told BleepingComputer.

Additionally, the company says the report concerned a brief issue introduced by a third-party change, and that there is no indication of any customer impact.

Over the last year, attacks on open source repositories, including npm, PyPI, and RubyGems, have shown a steady increase.

Now, with dependency confusion added to the mix and actors actively publishing thousands of knockoff packages to these ecosystems, organizations and repository maintainers face an additional challenge in curbing malicious activity.
