A team of security researchers has detailed a supply chain attack technique called Dependency Confusion or a Substitution Attack, which can attack hybrid package manager configurations inside large corporations.
Poison for app-building process
The Dependency Confusion technique revolves around concepts such as package managers, public and private package repositories, and build processes.
Researchers have proved that using this technique threat actors can sneak their malicious code inside private code repositories after learning and registering internal library names on public package indexes.
This technique creates a high risk for tech firms that rely on public package portals, such as npm, PyPI, RubyGems, JFrog, and NuGet, to download and import libraries for the app-building process.
Researchers were successful in loading their (non-malicious) code inside apps used by 35 major tech firms, such as Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Uber, after using names of various (leaked) internal libraries on package repositories.
After the research team's work went public, Microsoft published a white paper identifying the issue as CVE-2021-24105 for their Azure Artifactory product, providing a series of mitigations that companies can apply to avoid such attacks. In addition, the researcher received a bug bounty amount of $40,000.
Recent supply chain attacks
A few days ago, a supply chain attack campaign dubbed Operation Nightout was targeting Asian gamers. It abused the update mechanism of NoxPlayer, an Android emulator for Macs and PCs.
Besides the massive SolarWinds attacks, there have been several other supply chain attacks that have targeted a large number of federal and private agencies in the past two months.
Supply chain attacks are proving to be a major threat time and again. Companies are recommended to use controlled scopes on public package repositories to protect their private packages. To avoid any malicious intrusion attempt, client-side verification features such as version pinning and integrity verification can be helpful.