Microsoft Successfully Hit by A Dependency Hijacking Attack Again
Cybercriminals Are Using This Technique to Target Prominent Companies with Malicious Code.
Last updated on June 29, 2021
Today, news broke that security researcher Ricardo Iramar dos Santos found an internal npm dependency while auditing the open-source SymphonyElectron package for bugs.
The dependency was called “swift-search,” but no package of that name was present on the public npmjs.com registry. Using his own proof-of-concept code, dos Santos registered a package by the same name on the npm registry.
Dependency confusion (dependency hijacking attack) is a vulnerability that can allow an attacker to execute malware within a company’s networks by overriding privately-used dependency packages with malicious, public packages of the same name.
Package managers often favor external (public) code libraries over internal ones, so they download and use the malicious package rather than the trusted one. Alex Birsan, the researcher who tricked Apple and 34 other companies into running the proof-of-concept packages he uploaded to npm and PyPI, dubbed the new type of supply chain attack dependency confusion or namespace confusion because it relies on public packages bearing the same, misleading names as private dependencies.
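As a defender-side illustration of the resolution problem described above, here is an added example (not code from the article or from the researchers it mentions) that audits a constructed package.json and .npmrc for internal names that npm would resolve from the public registry; the @acme scopes, registry URLs and internal-name list are assumptions for the example.

```javascript
// Added example (not from the article): audit package.json + .npmrc for
// dependency-confusion exposure. All names and URLs below are constructed.
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';
// Parse the subset of .npmrc that decides where a package is fetched from:
// "registry=<url>" (default) and "@scope:registry=<url>" (per-scope pin).
function parseNpmrc(text) {
  const cfg = { defaultRegistry: PUBLIC_REGISTRY, scopes: {} };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'registry') cfg.defaultRegistry = value;
    else if (key.startsWith('@') && key.endsWith(':registry')) {
      cfg.scopes[key.slice(0, -':registry'.length)] = value;
    }
  }
  return cfg;
}
// Registry npm would resolve this name against under the parsed config.
function registryFor(name, cfg) {
  const scope = name.startsWith('@') ? name.split('/')[0] : null;
  return (scope && cfg.scopes[scope]) || cfg.defaultRegistry;
}
// Flag every internal dependency that is not a scoped name pinned to a private
// registry: those are the ones a same-named public package could shadow.
function auditDependencies(pkg, cfg, internalNames) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (!internalNames.has(name)) continue;
    if (!name.startsWith('@')) {
      findings.push({ name, reason: 'unscoped internal name' });
    } else if (registryFor(name, cfg) === PUBLIC_REGISTRY) {
      findings.push({ name, reason: 'scope not pinned to a private registry' });
    }
  }
  return findings;
}
// Constructed sample project: an unscoped internal name (the pattern in the
// article), a pinned scope (@acme) and an unpinned scope (@acme-labs).
function auditSample() {
  const pkg = { dependencies: { 'swift-search': '^1.0.0', '@acme/auth-client': '2.1.0', '@acme-labs/telemetry': '1.0.0', lodash: '^4.17.21' } };
  const npmrc = 'registry=https://registry.npmjs.org/\n@acme:registry=https://npm.acme.internal/\n';
  const internal = new Set(['swift-search', '@acme/auth-client', '@acme-labs/telemetry']);
  return auditDependencies(pkg, parseNpmrc(npmrc), internal);
}
```

The check is static and offline; it does not tell you whether a private registry configured as the default proxies unknown names upstream, which is the case a scope pin is meant to close.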
As reported by BleepingComputer, earlier this year threat actors conducted dependency hijacking attacks to target prominent companies with malicious code, expanding the scope of this weakness beyond benign bug bounty research.
The counterfeit version of the “swift-search” package has since been removed from the public npm registry.
The code in dos Santos’ package collects sensitive parameters from any system that installs it (that is, a system vulnerable to dependency confusion) and uploads them to his PoC server.
These fields and files include:
System hostname and account username
Environment variables (env)
OS name and version information
System’s public IP address (IPv4 or IPv6)
Hours after publishing the package to the npm registry, the researcher noticed messages arriving from Microsoft’s servers.
The DNS queries were coming from 126.96.36.199, which is a Microsoft DNS server, and after that a POST request from 188.8.131.52, which is also an IP address from Microsoft (UK). By accessing https://184.108.40.206 I noticed the certificate CN field was pointing to “*.test.svc.halowaypoint.com”, which confirms this is a Microsoft service.
The halowaypoint.com domain belongs to the Halo video game series, published by Microsoft’s Xbox Game Studios, confirming the researcher’s suspicion that a Microsoft server had been hit by his dependency hijacking attack.
The researcher contacted Microsoft, but has so far received no reply.
Cezarina is the Head of Marketing Communications and PR within Heimdal® and a cybersecurity enthusiast who loves bringing her background in content marketing, UX, and data analysis together into one job. She has a fondness for all things SEO and is always open to receiving suggestions, comments, or questions.