NPM Dependency Confusion Attack Targets Amazon, Slack

Dependency confusion attacks are no longer just proof-of-concept. Amazon, Slack and others are being targeted by threat actors in a new attack.

Previously, we reported on a novel proof-of-concept attack conducted by an ethical hacker. Alex Birsan received bug bounties for breaching more than 35 companies in his PoC attack, which he labeled “dependency confusion,” and that research is now being used by threat actors. Large corporations like Amazon, Slack, Zillow and Lyft have been targeted with malicious packages that steal Linux/Unix password files and open reverse shells back to the attackers.

The flaw being exploited is called “dependency confusion” for a reason. The attacker publishes, on a public registry, a package with the same name as a package that exists only in the company’s internal registry. When a build resolves that name, the package manager (or the proxy registry sitting in front of it) takes the public copy instead of the internal one, typically because the public copy carries a higher version number or because nothing in the project’s configuration ties that name to the internal registry. The malicious package’s code then runs wherever the build installs it, on developer machines and build servers, which is how the attackers steal password files and open reverse shells. Bleeping Computer has a nice breakdown of how the threat actors are adapting the code used by Birsan, but they are largely starting from his research as the base.

Because these registries are public and anyone can publish to them, it is easy for other threat actors to keep running this type of attack. We will likely continue to see it until businesses catch up and implement the fixes laid out by their package manager’s maintainers, which come down to developers securing the package manager’s configuration so that internal package names can only ever resolve from the internal registry. For npm that means publishing internal packages under a scope the company actually owns on the public registry (so nobody else can publish into it) and mapping that scope to the private registry in .npmrc, so the default public registry is never consulted for those names.
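The following audit script is an added example, not code from the original article or from Birsan’s research. It reads a project’s package.json and .npmrc alongside a list of names known to be internal, and reports every internal dependency that npm would fetch from the public registry: either because the name is unscoped, or because it is scoped but the scope is not mapped to a private registry. The package.json, both .npmrc variants, the scope @acme and the host npm.internal.acme.example are constructed for the example.

```javascript
// Added example: audit an npm project for dependency-confusion exposure.
// All inputs below (package.json, .npmrc contents, internal package list,
// the @acme scope and npm.internal.acme.example) are constructed.

// Parse an .npmrc into { registry, scopes: { "@scope": "https://..." } }.
// Only the "registry" key and "@scope:registry" keys matter for resolution;
// auth tokens and other keys are ignored.
function parseNpmrc(text) {
  const cfg = { registry: "https://registry.npmjs.org/", scopes: {} };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") {
      cfg.registry = value;
    } else if (key.startsWith("@") && key.endsWith(":registry")) {
      cfg.scopes[key.slice(0, -":registry".length)] = value;
    }
  }
  return cfg;
}

function isPublicRegistry(url) {
  return /registry\.npmjs\.org/.test(url);
}

// Return the registry npm would use for a package name under this config:
// a scoped name uses its scope mapping if one exists, otherwise the default.
function registryFor(name, cfg) {
  const scope = name.startsWith("@") ? name.slice(0, name.indexOf("/")) : null;
  return { scope, registry: scope && cfg.scopes[scope] ? cfg.scopes[scope] : cfg.registry };
}

// For every dependency that is internal, flag the ones a public publisher
// could hijack: unscoped names (anyone can register them publicly), and
// scoped names whose scope still resolves to the public registry.
function auditDependencies(pkgJson, npmrcText, internalNames) {
  const cfg = parseNpmrc(npmrcText);
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (!internalNames.has(name)) continue;
    const { scope, registry } = registryFor(name, cfg);
    if (!scope) {
      findings.push({ name, risk: "unscoped", registry,
        fix: "publish under a scope you own and map that scope to the private registry" });
    } else if (isPublicRegistry(registry)) {
      findings.push({ name, risk: "scope-not-pinned", registry,
        fix: `add ${scope}:registry=<private registry URL> to .npmrc` });
    }
  }
  return findings;
}

// Constructed project: one unscoped internal package and one scoped one.
const constructedPackageJson = {
  name: "acme-billing-service",
  dependencies: {
    "express": "^4.17.1",            // public, not internal
    "acme-auth-helpers": "^2.1.0",   // internal, unscoped: hijackable by name
    "@acme/logger": "^1.4.0"         // internal, scoped
  }
};
const constructedInternalNames = new Set(["acme-auth-helpers", "@acme/logger", "@acme/config"]);

// Weak config: everything, including @acme, resolves from the public registry.
const weakNpmrc = `
registry=https://registry.npmjs.org/
`;

// Hardened config: the @acme scope is pinned to the private registry, so the
// public registry is never consulted for @acme/* names.
const hardenedNpmrc = `
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.acme.example/
//npm.internal.acme.example/:_authToken=\${NPM_TOKEN}
`;

function runAudit() {
  return {
    weak: auditDependencies(constructedPackageJson, weakNpmrc, constructedInternalNames),
    hardened: auditDependencies(constructedPackageJson, hardenedNpmrc, constructedInternalNames)
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

Against the weak .npmrc the audit flags both internal packages; against the hardened one only acme-auth-helpers remains, because an unscoped name cannot be fixed in configuration alone and has to be republished under the owned scope. Note that this checks npm’s own resolution only: if a proxy registry merges the public registry behind the private one, that proxy must also be configured so internal names never fall through to the public upstream.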

When we discussed this research after Birsan shared it publicly, we also urged businesses to implement the fix that was laid out. This is why. Threat actors know that businesses put off security, that it is treated as an afterthought and viewed as less than important. All of those thought processes are WRONG. This particular attack is incredibly scary for businesses. Once a malicious package runs in the build, the business has no control over which credentials are taken, which means it has no way to know which systems could potentially be exposed. Addressing that is going to be far more expensive and vastly more time consuming than simply securing the configuration around the affected components.

Remember, if you haven’t conducted a security review in the last six months, it needs to be done. Likewise, any additional known vulnerabilities that haven’t yet been patched should be patched as soon as possible. Dependency confusion is a real problem with potentially harmful results. And if a threat actor breaches your business with this attack and you haven’t fixed the issue, guess who gets to pay for all of that damage? Yep, you do. Or, rather, your business does. Fines from compliance bodies, reparations to customers, loss of customers due to loss of trust, legal fees and anything else associated with the breach falls squarely on the shoulders of your business.

As a business owner or business leader, it is your job to ensure the security of not just your business, but your customer and employee information as well. This really isn’t something that can wait, regardless of the reason. If you can’t get to it, you don’t have the know-how or ability, or there’s some other reason you haven’t gotten it done yet, we implore you to consult an expert. Bring someone in who can help, who can handle it for you and ensure it’s done properly. As a business leader or business owner, you have more than just security to worry about, that’s understandable. But you simply cannot ignore it any longer.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. Founded by 20-year software engineering veterans who have founded or co-founded several companies, PWV's experts act as trusted advisors and mentors to numerous early stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.
