Once again, Microsoft has been successfully hit by a dependency hijacking attack.
Previously, as BleepingComputer first reported, an investigator had ethically hacked more than 35 major technology companies, including Microsoft, by exploiting a weakness called “dependency confusion.”
This month, another researcher found an internal dependency on npm, after taking the place, he started receiving messages from Microsoft’s servers.
Mysterious “quick search” dependency hijacked
Last week, researcher Ricardo Iramar dos Santos was auditing an open source package SymphonyElectron for errors, which is when you came across a mysterious dependency used by the package.
This dependency was called “quick search, “but this package was not available to the public npmjs.com record.
Realizing this, dos Santos registered a package with the same name in the npm registry, with his custom code (shown below in this article).
Previous Bleeping Computer articles on dependency confusion explain that the term represents an inherent weakness in various open source repository managers when it comes to retrieving specified dependencies for a software package.
If a project uses an internally created private dependency and a dependency with the same name also exists in a public repository, this would create “confusion” for development tools as to which dependency is referenced.
As such, the public dependency with the same name would be brought into the development environment instead of the intended private dependency.
“Dependency confusion” or hijacking attacks therefore allow attackers to inject their malicious code into an internal application in an automated supply chain attack.
In March this year, attackers took advantage of this technique to target prominent companies with malicious code, expanding the scope of this weakness beyond benign bug bounty research.
The falsified version of the “quick search” package published by dos Santos as part of this investigation has been remote from the npm public registry.
However, as a Sonatype security researcher, I was able to obtain a version of Sonatype’s automated malware detection systems, where it had been flagged as ‘malicious’ in April 2021:
The code contained in the dos Santos package accesses confidential parameters of a system vulnerable to dependency confusion and uploads them to the researcher’s PoC server.
These fields and files include:
- System hostname and account username
- Environment variables (env)
- Information about the name and version of the operating system
- System public IP address (IPv4 or IPv6)
- / etc / hosts file
- / etc / passwd file
- / etc / shadow file
Hacked Microsoft Halo game server responds
Within hours of posting the package to the npm log, the researcher noticed that he was receiving ping-backs from Microsoft’s servers.
“The DNS queries came from 126.96.36.199, which is a Microsoft DNS server, and then a POST request from 188.8.131.52, which is also a Microsoft (United Kingdom) IP address,” explains dos Santos in his blog post.
The researcher claims that upon accessing https://184.108.40.206 he was presented with an SSL certificate that lists Microsoft as the organization, with the Common Name (CN) field listed * .test.svc.halowaypoint.com.
The Dominion halowaypoint.com represents the Halo video game series, published by Microsoft’s Xbox Game Studios.
This further confirmed the investigator’s suspicions that a Microsoft server had been successfully hit by his dependency hijacking attack, and the investigator contacted Microsoft.
Some of the data returned by the Microsoft server included the system username, paths to application development environments, various IDs, and so on.
Although, as shown in the code above, the researcher also tried to access confidential files on the system, including: / etc / passwd other / etc / shadow.
DEPLOYMENT_BASEPATH = / opt / corridor
USER = broker
npm_config_user_agent = npm / 6.14.12 node
/v12.22.1 linux x64 ci / github-actions
GITHUB_ENV = / home / corridor / work / _temp /
_runner_file_commands / set_env_73c3242d-
PIPX_HOME = / opt / pipx
GRAALVM_11_ROOT = / usr / local / graalvm
AZURE_EXTENSION_DIR = / opt / az
npm_package_description = quick search
ImageVersion = 20210412.1
SWIFT_PATH = / usr / share / swift / usr / bin
GITHUB_RUN_ID = 773121366
GOROOT_1_16_X64 = / opt / hostingtoolcache / go
ANT_HOME = / usr / share / ant
RUNNER_TRACKING_ID = github_ade7a12e-
HOMEBREW_CELLAR = “/ home / linuxbrew
npm_package_name = quick search
As confirmed by Bleeping Computer, the SSL certificates present in halowaypoint.com The subdomains list Microsoft Corporation as the organization behind these, and the WHOIS records for 220.127.116.11 also list Microsoft as the responsible organization.
That said, we couldn’t find a reverse lookup record that directly associates the 18.104.22.168 IP address with a Microsoft domain or SSL certificate, indicating that the IP may have been disconnected, following the researcher’s report.
BleepingComputer reached out to Microsoft for comment and they told us:
“We investigated and determined that the underlying issue had already been addressed prior to the report,” a Microsoft spokesperson told BleepingComputer.
Additionally, the company claims that this report referenced a brief issue introduced by a third-party change, and there is no indication of any impact on the customer.
Over the last year, attacks on open source repositories, including npm, PyPI, and RubyGems, have shown a steady increase.
Now, with the confusion of reliance on the mix and actors actively posting thousands of knockoff packages For these ecosystems, an additional challenge has emerged for organizations and repository maintainers to curb malicious activity.