Dependency confusion attacks are no longer just proof-of-concept. Amazon, Slack and others are being targeted by threat actors in a new attack.
Previously, we reported on a novel proof-of-concept attack conducted by an ethical hacker. Alex Birsan received bug bounties for breaching more than 35 companies in his PoC attack, which he labeled “dependency confusion,” and that research is now being reused by threat actors. Malicious packages aimed at large corporations such as Amazon, Slack, Zillow and Lyft have been published to steal Linux/Unix password files and open reverse shells back to the attackers.
The flaw being exploited is called “dependency confusion” for a reason. The attacker publishes a package on a public registry under the same name as a package that only exists in a company’s internal repository, usually with a higher version number than the internal one. If the company’s dependency manager is configured to search both the internal repository and the public registry, it treats the two as one pool of candidates and installs the highest version it finds, which is now the attacker’s public package rather than the internal one. Because install hooks run during installation, that confusion is enough to execute attacker code on the build server or developer machine that pulled the dependency, and from there inside the internal application. Bleeping Computer has a good breakdown of how the threat actors are adapting the code Birsan used, but they are largely starting from his research as the base.
Considering that these registries are public and anyone can publish to them, it will be easy for other threat actors to continue this type of attack. It is likely that we will keep seeing it until businesses catch up and implement the fixes laid out by their package-manager and registry providers. Those fixes come down to configuration: internal package names must only ever be resolved from the internal repository (for example through scoped or namespaced packages, or a single artifact proxy that does not fall back to the public registry for internal names), and teams should claim their internal names on the public registries so an attacker cannot.
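The following is an added example, not code from the original article or from Birsan’s research, that models the resolver behaviour described above. The package names, version numbers and both indexes are constructed for illustration; the “merged” resolver mimics a package manager that searches an extra index alongside the public one (the behaviour of pip’s `--extra-index-url`, which pools all indexes and picks the highest version), and the “scoped” resolver shows the configuration fix: internal names are routed only to the internal index. It also includes the check a team would want to run against its own list of internal names, here against the constructed public index.

```python
"""Toy model of dependency confusion and the configuration fix.

Everything below is constructed sample data; there is no network access.
"""
from typing import Dict, List, Tuple

Index = Dict[str, List[str]]  # package name -> available versions

# Constructed public registry. The second entry is an attacker-published
# package that reuses an internal name with a very high version number.
PUBLIC_INDEX: Index = {
    "requests": ["2.25.1", "2.26.0"],
    "acme-billing-core": ["99.0.0"],
}

# Constructed internal repository holding the company's real package.
INTERNAL_INDEX: Index = {
    "acme-billing-core": ["1.4.2", "1.5.0"],
}

INDEXES: Dict[str, Index] = {"public": PUBLIC_INDEX, "internal": INTERNAL_INDEX}

# Assumed allow-list of names that must never come from a public registry.
INTERNAL_NAMES = {"acme-billing-core"}


def version_key(version: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically (e.g. '99.0.0' > '1.5.0')."""
    return tuple(int(part) for part in version.split("."))


def resolve_merged(name: str, indexes: Dict[str, Index]) -> Tuple[str, str]:
    """Vulnerable: every index is searched and the highest version wins.

    Returns (version, index_name). This is the pooling behaviour that lets an
    attacker's public 99.0.0 beat the internal 1.5.0.
    """
    candidates = [
        (version_key(v), v, idx_name)
        for idx_name, idx in indexes.items()
        for v in idx.get(name, [])
    ]
    if not candidates:
        raise LookupError(f"no candidates for {name}")
    _, version, source = max(candidates, key=lambda c: c[0])
    return version, source


def resolve_scoped(
    name: str,
    indexes: Dict[str, Index],
    internal_names: set,
    internal_index: str = "internal",
) -> Tuple[str, str]:
    """Hardened: names on the internal allow-list resolve only from the
    internal index; everything else resolves only from the public indexes.
    A higher version on the wrong index is never considered.
    """
    if name in internal_names:
        allowed = {internal_index: indexes[internal_index]}
    else:
        allowed = {k: v for k, v in indexes.items() if k != internal_index}
    return resolve_merged(name, allowed)


def find_squatted_names(internal_names: set, public_index: Index) -> List[str]:
    """Audit check: which of our internal names already exist publicly?

    Any hit here is either a name we claimed ourselves or an attacker's package
    and needs to be investigated before the next build runs.
    """
    return sorted(n for n in internal_names if n in public_index)


if __name__ == "__main__":
    print("merged :", resolve_merged("acme-billing-core", INDEXES))
    print("scoped :", resolve_scoped("acme-billing-core", INDEXES, INTERNAL_NAMES))
    print("squatted internal names on public index:",
          find_squatted_names(INTERNAL_NAMES, PUBLIC_INDEX))
```

In a real pip setup the vulnerable case corresponds to pointing `--extra-index-url` (or `extra-index-url` in `pip.conf`) at the internal repository while the public index stays in play; the fix is a single `--index-url` pointing at an internal proxy that serves internal names itself and only forwards public names upstream. For npm, the equivalent fix is to publish internal packages under an organisation scope (for example `@acme/billing-core`) and bind that scope to the internal registry in `.npmrc` with a line of the form `@acme:registry=https://registry.internal.example/` (the hostname is a placeholder).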
When we discussed this research after Birsan shared it publicly, we urged businesses to implement the fix that was laid out, and this is why. Threat actors know that businesses put off security, that it is treated as an afterthought and viewed as less than important. Every one of those assumptions is WRONG. This particular attack is incredibly scary for businesses because the malicious package runs with the privileges of whichever build server or developer workstation happens to install it. The business has no control over whose credentials are taken, and therefore no way to know in advance which systems could be exposed. Cleaning that up is going to be far more expensive and vastly more time consuming than simply locking down the configuration of the package managers that pull in those components.
Remember, if you haven’t conducted a security review in the last six months, it needs to be done. Likewise, any additional known vulnerabilities that haven’t yet been patched should be patched as soon as possible. Dependency confusion is a real problem with potentially serious results. And if a threat actor breaches your business with this attack and you haven’t fixed the issue, guess who pays for all of that damage? Yep, you do. Or, rather, your business does. Fines from compliance bodies, reparations to customers, loss of customers through loss of trust, legal fees and everything else associated with the breach falls squarely on the shoulders of your business.
As a business owner or business leader, it is your job to ensure the security not just of your business, but of your customer and employee information as well. This really isn’t something that can wait, regardless of the reason. If you can’t get to it, don’t have the know-how or capacity, or haven’t gotten it done for some other reason, we implore you to consult an expert. Bring in someone who can handle it for you and make sure it is done properly. As a business leader or owner you have more than security to worry about, and that is understandable. But you simply cannot ignore it any longer.