Connect with us

Tech

Microsoft’s Halo development site breached by dependency hijacking

Published

on

Microsoft’s Halo development site breached by dependency hijacking

Once again, Microsoft has been successfully hit by a dependency hijacking attack.

Previously, as BleepingComputer first reported, an investigator had ethically hacked more than 35 major technology companies, including Microsoft, by exploiting a weakness called “dependency confusion.”

This month another researcher found an internal npm dependency used by an open source project.

After posting a public dependency with the same name, he began receiving messages from Microsoft’s Halo game development servers.

Mysterious “quick search” dependency hijacked

Last week, researcher Ricardo Iramar dos Santos was auditing an open source package SymphonyElectron for errors, which is when you came across a mysterious dependency used by the package.

This dependency was called “quick search, “but this package was not available to the public npmjs.com record.

A quick npm internal dependency search
A quick search for internal npm dependency used by the OSS project (GitHub)

Realizing this, dos Santos registered a package with the same name in the npm registry, with his custom code (shown below in this article).

Previous Bleeping Computer articles on dependency confusion explain that the term represents an inherent weakness in various open source repository managers when it comes to retrieving specified dependencies for a software package.

If a project uses an internally created private dependency and a dependency with the same name also exists in a public repository, this would create “confusion” for development tools as to which dependency is referenced.

As such, the public dependency with the same name would be brought into the development environment instead of the intended private dependency.

“Dependency confusion” or hijacking attacks therefore allow attackers to inject their malicious code into an internal application in an automated supply chain attack.

In March this year, attackers took advantage of this technique to target prominent companies with malicious code, expanding the scope of this weakness beyond benign bug bounty research.

The falsified version of the “quick search” package published by dos Santos as part of this investigation has been remote from the npm public registry.

However, as a Sonatype security researcher, I was able to obtain a version of Sonatype’s automated malware detection systems, where it had been flagged as ‘malicious’ in April 2021:

quick search package.json
Inside the Investigator Quick Search Unit posted on npmjs.com (Computer ringing)

The code contained in the dos Santos package accesses confidential parameters of a system vulnerable to dependency confusion and uploads them to the researcher’s PoC server.

These fields and files include:

  1. System hostname and account username
  2. Environment variables (env)
  3. Information about the name and version of the operating system
  4. System public IP address (IPv4 or IPv6)
  5. / etc / hosts file
  6. / etc / passwd file
  7. / etc / shadow file

Hacked Microsoft Halo game server responds

Within hours of posting the package to the npm log, the researcher noticed that he was receiving ping-backs from Microsoft’s servers.

“The DNS queries came from 13.66.137.90, which is a Microsoft DNS server, and then a POST request from 51.141.173.203, which is also a Microsoft (United Kingdom) IP address,” explains dos Santos in his blog post.

The researcher claims that upon accessing https://51.141.173.203 he was presented with an SSL certificate that lists Microsoft as the organization, with the Common Name (CN) field listed * .test.svc.halowaypoint.com.

The Dominion halowaypoint.com represents the Halo video game series, published by Microsoft’s Xbox Game Studios.

This further confirmed the investigator’s suspicions that a Microsoft server had been successfully hit by his dependency hijacking attack, and the investigator contacted Microsoft.

Some of the data returned by the Microsoft server included the system username, paths to application development environments, various IDs, and so on.

Although, as shown in the code above, the researcher also tried to access confidential files on the system, including: / etc / passwd other / etc / shadow.

dependency confusion output
Some of the fields obtained by the researcher from Microsoft servers

As confirmed by Bleeping Computer, the SSL certificates present in halowaypoint.com The subdomains list Microsoft Corporation as the organization behind these, and the WHOIS records for 51.141.173.203 also list Microsoft as the responsible organization.

Microsoft appears on SSL certificate
Subdomains of * .halowaypoint.com list Microsoft as the organization (Computer ringing)

That said, we couldn’t find a reverse lookup record that directly associates the 51.141.173.203 IP address with a Microsoft domain or SSL certificate, indicating that the IP may have been disconnected, following the researcher’s report.

BleepingComputer reached out to Microsoft for comment and they told us:

“We investigated and determined that the underlying issue had already been addressed prior to the report,” a Microsoft spokesperson told BleepingComputer.

Additionally, the company claims that this report referenced a brief issue introduced by a third-party change, and there is no indication of any impact on the customer.

Over the last year, attacks on open source repositories, including npm, PyPI, and RubyGems, have shown a steady increase.

Now, with the confusion of reliance on the mix and actors actively posting thousands of knockoff packages For these ecosystems, an additional challenge has emerged for organizations and repository maintainers to curb malicious activity.

Advertisement
Advertisement

Lifestyle

LifeStyle3 days ago

How to Prioritize Self Care as a New Parent

A bundle of joy has joined you in your life and you couldn’t be happier. But, at the same time,...

LifeStyle3 days ago

5 Reasons Why You Can’t Stay Asleep

You have likely heard it most of your life: getting a good night’s sleep is important for your overall health....

LifeStyle6 days ago

4 Ways to Spread Joy This Fall

Traditionally, many people strive to spread as much joy as they can in the weeks leading up to Christmas. But...

LifeStyle3 weeks ago

Tips to Boost Your Energy and Ensure Life Longevity with NMN Supplements

Australia’s median age limit increased by two years recently. Higher NAD+ can improve your metabolism rates and prolong natural aging....

LifeStyle2 months ago

5 Tips on Writing APA Research Paper

When students reach college education, they understand that it won’t all be flowers and sunshine. There are different courses with...

Support group for businesses to overcome challenges Support group for businesses to overcome challenges
LifeStyle2 months ago

Support group for businesses to overcome challenges

All-day brunch and soup kitchen Cafe Coco suffered as walk-ins dwindled significantly. It’s a tourist-dependent cafe that’s nestled in the...

S’pore startup Shiok Meats acquires clean red meat company Gaia Foods S’pore startup Shiok Meats acquires clean red meat company Gaia Foods
LifeStyle2 months ago

S’pore startup Shiok Meats acquires clean red meat company Gaia Foods

According to Technology in Asia, Shiok Meats has acquired a stake of more than 90% in Gaia Foods for an...

Marianna Hewitt’s home proves that neutral decor can be full of personality Marianna Hewitt’s home proves that neutral decor can be full of personality
LifeStyle2 months ago

Marianna Hewitt’s home proves that neutral decor can be full of personality

If anyone understands the importance of maintaining your brand, it is Marianna Hewitt. The trusted influencer and founder of the...

The 16 best stuffed pepper recipes for every occasion The 16 best stuffed pepper recipes for every occasion
LifeStyle2 months ago

The 16 best stuffed pepper recipes for every occasion

Something you may not know about me is that I absolutely adore a pepper. Raw, cooked, marinated, bathed: each and...

Top 10 Bedroom Plants That Work As Air Purifying Plants Top 10 Bedroom Plants That Work As Air Purifying Plants
LifeStyle2 months ago

Top 10 Bedroom Plants That Work As Air Purifying Plants

Setting a specific tone in a bedroom can happen in many ways. A beautiful candle, plush rugs, soft bedding, soothing...

Advertisement

Sport

Sports2 months ago

5 Tips for Setting Up Your PC for Online Gaming

Due to advances in technology, online gamers can enjoy a gaming experience that was unthinkable even a decade ago. High-resolution...

Sports2 months ago

How to Succeed in Poker Tournaments

Perhaps your first big poker tournament is coming up, or you’ve been gathering skills ready to enter – no matter...

Sports2 months ago

Is The Olympics Still Relevant?

As the Tokyo Olympics has come to a close, competitors must move on from the excitement of experiencing an Olympic...

Fernández reflects on the game against Dart: ‘Honestly, I can’t think of anything positive’ Fernández reflects on the game against Dart: ‘Honestly, I can’t think of anything positive’
Sports2 months ago

Fernández reflects on the game against Dart: ‘Honestly, I can’t think of anything positive’

var adServerUrl = “”; var $ el = $ (“# video_container-985707”); var permalink = $ el.closest (‘. snet-single-article’). data (‘permalink’);...

Tammy Abraham to Roma – Mourinho is the perfect coach for the striker Tammy Abraham to Roma – Mourinho is the perfect coach for the striker
Sports2 months ago

Tammy Abraham to Roma – Mourinho is the perfect coach for the striker

It seems that not too long ago, a young English Target Man was a troubling prospect for most Premier League...

Explanation: Why Barcelona had to let Messi go Explanation: Why Barcelona had to let Messi go
Sports2 months ago

Explanation: Why Barcelona had to let Messi go

Barcelona’s Argentine forward Lionel Messi cries during a press conference at Barcelona’s Camp Nou stadium on August 8, 2021. –...

Are Arsenal and Spurs left out of the top 6 in dispute as the 2021/22 season approaches? Are Arsenal and Spurs left out of the top 6 in dispute as the 2021/22 season approaches?
Sports2 months ago

Are Arsenal and Spurs left out of the top 6 in dispute as the 2021/22 season approaches?

Manchester United, Manchester City, Liverpool, Chelsea, Spurs and Arsenal are the teams that are widely regarded as the top 6...

What should team Canada’s men’s hockey roster look like? What should team Canada’s men’s hockey roster look like?
Sports2 months ago

What should team Canada’s men’s hockey roster look like?

We have sent an email with instructions to create a new password. Your current password has not been changed. We...

Haaland, but staying in Dotmund, can BVB get the title on 21/22? Haaland, but staying in Dotmund, can BVB get the title on 21/22?
Sports2 months ago

Haaland, but staying in Dotmund, can BVB get the title on 21/22?

There are almost twenty days left in the transfer window. The window is in full swing as deals that would...

Knicks agree to deal with Dwayne Bacon: reports Knicks agree to deal with Dwayne Bacon: reports
Sports2 months ago

Knicks agree to deal with Dwayne Bacon: reports

Dwayne Bacon # 8 of the Orlando Magic shoots as John Collins # 20 of the Atlanta Hawks defends during...

Advertisement

Entertainment

Venice adds Doc ‘Ennio’;  Netflix Confirms Sanjay Leela Bhansali Series – News Block Venice adds Doc ‘Ennio’;  Netflix Confirms Sanjay Leela Bhansali Series – News Block
Entertainment2 months ago

Venice adds Doc ‘Ennio’; Netflix Confirms Sanjay Leela Bhansali Series – News Block

Venice adds Giuseppe Tornatore’s Ennio Morricone film The Venice Film Festival incorporates the Out of Competition screening of Ennio Morricone’s...

The Jeffrey Epstein Victims Fund has finished paying $ 121 million The Jeffrey Epstein Victims Fund has finished paying $ 121 million
Entertainment2 months ago

The Jeffrey Epstein Victims Fund has finished paying $ 121 million

After awarding more than $ 121 million to about 150 applicants, a compensation program for survivors of Jeffrey Epstein’s sexual...

Matt Roloff and Karyn Chandler move in together, discuss marriage Matt Roloff and Karyn Chandler move in together, discuss marriage
Entertainment2 months ago

Matt Roloff and Karyn Chandler move in together, discuss marriage

Small people, big world star Matt Roloff and his girlfriend, Karyn Chandlerhave revealed their big summer plans in a new...

Mike Shouhed wants Reza Farahan to apologize for being a ‘traitor’ Mike Shouhed wants Reza Farahan to apologize for being a ‘traitor’
Entertainment2 months ago

Mike Shouhed wants Reza Farahan to apologize for being a ‘traitor’

Shouhed says his Shahs of Sunset co-star “cuts deep and says things that are hard to forgive.” While a sexting...

Joey Lawrence and Samantha Cope are engaged Joey Lawrence and Samantha Cope are engaged
Entertainment2 months ago

Joey Lawrence and Samantha Cope are engaged

He put a ring on it! Joey lawrence is engaged to the actress Samantha cope one year after filing for...

Christine Applegate was diagnosed with multiple sclerosis Christine Applegate was diagnosed with multiple sclerosis
Entertainment2 months ago

Christine Applegate was diagnosed with multiple sclerosis

August 10, 2021 Christine Applegate was diagnosed with multiple sclerosis (MS). Christina Applegate The 49-year-old actress took to Twitter on...

UK advertisers form tapestry with clients Coel, Fassbender, Foy – News Block UK advertisers form tapestry with clients Coel, Fassbender, Foy – News Block
Entertainment2 months ago

UK advertisers form tapestry with clients Coel, Fassbender, Foy – News Block

EXCLUSIVE: UK advertisers Donna Mills and Emma Jackson, longtime representatives of London-based Premier Communications, have launched the new advertising agency...

Christina Applegate: actress reveals multiple sclerosis diagnosis Christina Applegate: actress reveals multiple sclerosis diagnosis
Entertainment2 months ago

Christina Applegate: actress reveals multiple sclerosis diagnosis

prime time Emmy-winning actor Christina applegate has revealed a multiple sclerosis condition through a Twitter post late on Monday night....

Prince Harry and Meghan Markle wanted to move to New Zealand in 2018 Prince Harry and Meghan Markle wanted to move to New Zealand in 2018
Entertainment2 months ago

Prince Harry and Meghan Markle wanted to move to New Zealand in 2018

Prince harry and Meghan Markle according to Queen Elizabeth IIRepresentative to New Zealand, Governor General Patsy Reddy… She said Associated...

Alarming new UN climate report says humanity has really screwed itself up Alarming new UN climate report says humanity has really screwed itself up
Entertainment2 months ago

Alarming new UN climate report says humanity has really screwed itself up

The last evaluation of climate science is a “code red for humanity,” the United Nations chief said on Monday, while...

Advertisement

Tech

Tech1 day ago

How to Provide Cybersecurity for Firefox

Mozilla Firefox is one of the first browsers that come to mind when thinking about the best privacy-oriented browsers available...

Tech3 weeks ago

6 Important Questions to Ask Your Internet Provider

Choosing the best internet provider can be challenging, especially when you don’t know what questions to ask. You want to...

Tech4 weeks ago

How Serious is Plagiarism in College?

Studying in college often demands writing essays and course papers. You may study technical subjects and do not have many...

Tech4 weeks ago

Three Possible Ways of How You Can Transfer Contacts from Outlook to iPhone

MS Outlook plays an important role in putting daily life in order, especially with regard to email management. If you...

Tech4 weeks ago

Importance of Email Validation

According to recent stats, 30% of users change their email every year. Therefore, if your mailing list is more than...

Tech4 weeks ago

Before Doing Virtual Staging, Here’s What You Should Know

The majority of people today go online to look for homes. When a potential buyer spots a house online that...

Tech1 month ago

What Technologies are Online Casinos Using?

Online casinos have become an ideal choice for a lot of players, especially because they let players take their games...

Tech2 months ago

Grow Your Brand With These 5 Social Media Tips

Whether you’re operating a new business or working to grow your brand, social media is an excellent place to start....

Tech2 months ago

Is Mining Ethereum Still Profitable in 2021?

Globally, there have been lots of innovations and modernization in different aspects of life. This fact has contributed to the...

Tech2 months ago

Popularity Of the Blockchain Technology: How Familiar Are You with It?

Cryptocurrencies are a form of digital currency that stands out because it is decentralized. Cryptocurrency also stands out because it...

Advertisement
Advertisement