At a glance.
- Exploiting dependency confusion.
- More Iranian cyberespionage.
- Unpatched vulnerabilities in popular Android app.
- Bazar phishing campaigns.
Exploiting dependency confusion.
Security researcher Alex Birsan describes how he exploited "dependency confusion" to hack into Apple, Microsoft, Netflix, PayPal, Uber, Yelp, and others (under the companies' bug bounty programs). Birsan took advantage of the fact that organizations often use a combination of open-source and custom-made packages in their code, and package managers will default to installing public packages. When he registered his own public dependencies with the same names as the private ones, the package manager would install those instead of the private ones.
Birsan first found a Node.js file from PayPal in a public GitHub repository that contained "a mix of public and private dependencies — public packages from npm, as well as non-public package names, most likely hosted internally by PayPal." He then created his own packages using the names of PayPal's non-public packages, and uploaded them to the public npm registry. As a result, Birsan's packages, which could run arbitrary code, overwrote PayPal's packages on the company's servers. Birsan then used DNS exfiltration to gather information about the compromised servers.
Birsan then searched for the names of private packages used by other companies, and found many of them exposed in package.json files used by JavaScript projects. Other sources included GitHub, major package hosting services, and posts on Internet forums:
"This type of vulnerability, which I have started calling dependency confusion, was detected inside more than 35 organizations to date, across all three tested programming languages. The vast majority of the affected companies fall into the 1000+ employees category, which most likely reflects the higher prevalence of internal library usage within larger organizations.
"Due to javascript dependency names being easier to find, almost 75% of all the logged callbacks came from npm packages — but this does not necessarily mean that Python and Ruby are less susceptible to the attack. In fact, despite only being able to identify internal Ruby gem names belonging to eight organizations during my searches, four of these companies turned out to be vulnerable to dependency confusion through RubyGems."
Birsan received $30,000 bug bounties from PayPal, Apple, and Shopify, and a $40,000 bounty from Microsoft. He adds that "the majority of awarded bug bounties were set at the maximum amount allowed by each program’s policy, and sometimes even higher, confirming the generally high severity of dependency confusion bugs."
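The resolution behaviour Birsan describes, as an added example that is not code from his write-up or from any of the affected companies: a small Python audit that reads a package.json and an .npmrc, routes scoped names to their mapped registry, and flags unscoped names that also exist in the private registry, either because a same-named public package would win or because the public name is still unclaimed. The registry contents, package names and URLs are constructed sample data.

```python
import json

# Constructed sample data: versions held by the private registry and by public npm.
PRIVATE_INDEX = {"payments-core": "1.4.2", "billing-utils": "0.3.0", "@acme/ui-kit": "2.0.1"}
PUBLIC_INDEX = {"express": "4.17.1", "payments-core": "99.0.0"}
# Constructed sample .npmrc: only the @acme scope is routed to the private registry.
NPMRC = "@acme:registry=https://npm.acme.example/\n"
# Constructed sample manifest of the kind Birsan found in public repositories.
PACKAGE_JSON = json.dumps({"dependencies": {
    "express": "^4.17.0", "payments-core": "^1.4.0",
    "billing-utils": "^0.3.0", "@acme/ui-kit": "^2.0.0"}})


def version_key(version):
    return tuple(int(part) for part in version.split("."))


def scoped_registries(npmrc):
    """Parse '@scope:registry=URL' lines of an .npmrc into {scope: url}."""
    scopes = {}
    for line in npmrc.splitlines():
        line = line.strip()
        if line.startswith("@") and ":registry=" in line:
            scope, url = line.split(":registry=", 1)
            scopes[scope] = url
    return scopes


def naive_resolve(name, private, public):
    """Model of the default the article describes: highest version wins across both sources."""
    found = [(v, src) for v, src in ((private.get(name), "private"),
                                     (public.get(name), "public")) if v]
    if not found:
        return None
    return max(found, key=lambda c: version_key(c[0]))[1]


def audit(package_json, npmrc, private, public):
    """Classify each dependency; CONFUSABLE entries need a scope or a registry pin."""
    scopes = scoped_registries(npmrc)
    verdicts = {}
    for name in json.loads(package_json)["dependencies"]:
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope in scopes:
            verdicts[name] = "safe: scope pinned to " + scopes[scope]
        elif name in private and naive_resolve(name, private, public) == "public":
            verdicts[name] = "CONFUSABLE: public copy would win over private one"
        elif name in private:
            verdicts[name] = "CONFUSABLE: unscoped private name, public name unclaimed"
        else:
            verdicts[name] = "public dependency"
    return verdicts
```

The second CONFUSABLE verdict is the pre-attack state Birsan was looking for: an internal name visible in a manifest that nobody has yet claimed on the public registry.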
More Iranian cyberespionage.
Anomali says the suspected Iranian threat actor Static Kitten (also known as MuddyWater and Seedworm) is targeting the governments of Kuwait and the United Arab Emirates. The attackers delivered malicious ZIP files via URLs that spoofed the UAE National Council and the Ministry of Foreign Affairs (MOFA) of Kuwait. The purpose of the ZIP file is "to install a remote management tool called ScreenConnect (acquired by ConnectWise in 2015) with unique launch parameters that have custom properties." The download URLs were contained in geopolitical-themed documents sent via phishing emails. Anomali believes data theft is the primary goal of the operation.
The researchers also speculate on possible motives for the campaign, writing, "In mid-2020, the UAE and Israel began the process of normalizing relations. Since then, tensions have further escalated in the region, as reported by numerous sources. The targeting of Kuwait could be tied to multiple factors, including Kuwait’s MOFA making a public statement that they were willing to lead mediation between Iran and Saudi Arabia. Furthermore, in October 2020, trade numbers for a peace deal between Israel and UAE included an estimate for the creation of 15,000 jobs and $2 billion in revenue on each side. In that same month, Static Kitten reportedly conducted Operation Quicksand, which targeted prominent Israeli organizations and included the use of file-storage service OneHub."
Unpatched vulnerabilities in popular Android app.
Researchers at Trend Micro uncovered vulnerabilities in SHAREit, an Android file-transfer app with more than one billion downloads from the Google Play Store. The vulnerabilities could lead to data theft or remote code execution. Malicious apps or attackers on the network can invoke SHAREit's internal components to extract data or overwrite files. Trend Micro adds, "SHAREit is also susceptible to a man-in-the-disk (MITD) attack. This is because when a user downloads the app in the download center, it goes to the directory as shown in the sample code. The folder is an external directory, which means any app can access it with SDcard write permission."
The researchers conclude, "We reported these vulnerabilities to the vendor, who has not responded yet. We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission. It is also not easily detectable."
Bazar phishing campaigns.
Fortinet warns that a new variant of the Bazar Trojan is being distributed via phishing emails with executable files disguised as PDFs. Researchers at Cofense are also tracking Bazar phishing campaigns, outlining a scheme that uses a phony Office Supply invoice to trick recipients into entering their order number, visiting a spoofed website, and finally downloading a malicious Excel document.