SlideShare uma empresa Scribd logo

Analysis of an OSS supply chain attack - How did 8 millions developers download an exploit with no one noticing?

Jarrod Overson
Jarrod Overson

Talk given at BSidesPDX on the node/npm event-stream exploit, how it worked, and what it did.

Tecnologia
1 de 97
Baixar para ler offline
Jarrod Overson - BSidesPDX Why are imitation attacks such a problem? Analysis of an OSS supply chain attack How did millions of developers download malicious code with no one noticing? Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX npm install [anything]
Jarrod Overson - BSidesPDX The threat is real And it's coming from inside the house.
Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
Jarrod Overson - BSidesPDX Who am I? • Director at Shape Security & Google Dev Expert. • Write/talk/record about JS reverse engineering & breaking web apps. • Old-school video game hacker. • @jsoverson most everywhere This guy
Jarrod Overson - BSidesPDX ?
Jarrod Overson - BSidesPDX Ever heard of YKK?
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX You used Shape this week. We're the reason you log in a lot less and see fewer CAPTCHAs.
Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
Jarrod Overson - BSidesPDX JS It started with a package, event-stream
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX JS event-stream was maintained by prolific developer Dominic Tarr
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX JS Domenic gave ownership to right9ctrl in September of 2018 *
Jarrod Overson - BSidesPDX Q: Why?
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX JS right9ctrl gained trust by committing several innocent changes. ...b550f5: upgrade dependencies ...37c105: add map and split examples ...477832: remove trailing in split example ...2c2095: better pretty.js example ...a644c5: update readme event-stream
Jarrod Overson - BSidesPDX JS On Sept 9 2018 right9ctrl added a new dependency and released version 3.3.6 JS v3.3.6 JS v0.1.0 flatmap-stream event-stream
Jarrod Overson - BSidesPDX About that caret...
Jarrod Overson - BSidesPDX Semantic Versioning (semver) Major.Minor.Patch e.g. 3.4.9 Breaking changes New features Bug fixes Increasing risk
Jarrod Overson - BSidesPDX Semver pattern matching Symbol Example Matches ^ ^0.1.0 0.*.* ~ ~0.1.0 0.1.*
Jarrod Overson - BSidesPDX JS right9ctrl then removed flatmap-stream and updated event-stream to v4.0.0. v4.0.0 event-stream
Jarrod Overson - BSidesPDX Note: Nothing malicious has emerged thus far.
Jarrod Overson - BSidesPDX Total time between first commit and v4.0.0? 12 days
Jarrod Overson - BSidesPDX JS On October 5th 2018 (T+31) flatmap-stream@0.1.1 was published. JS v3.3.6 v0.1.1 flatmap-stream event-stream JS v0.1.0
Jarrod Overson - BSidesPDX JS event-stream@3.3.6 installed fresh now pulls in flatmap-stream@0.1.1 because of the ^ JS v3.3.6 v0.1.1 flatmap-stream event-stream
Jarrod Overson - BSidesPDX event-stream@3.3.5 was stable for 2+ years. JSJS v3.3.6 event-stream
Jarrod Overson - BSidesPDX A LOT depended on event-stream^3.3.5 and would get updated to 3.3.6 automatically. JS JS JS JS JS JS JS JS JS
Jarrod Overson - BSidesPDX Time between flatmap-stream@0.1.1 and exposure: 48 days Time between malicious control and discovery: 77 days
Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
Jarrod Overson - BSidesPDX First, how was it discovered?
Payload A used a method deprecated in node v11.0.0
Node v11.0.0 was released 18 days into the exploit.
Unrelated projects started getting deprecation warnings.
Finally someone started putting it together.
Jarrod Overson - BSidesPDX So how was it discovered? Luck.
flatmap-stream v0.1.0
flatmap-stream v0.1.1
Jarrod Overson - BSidesPDX Payload A The bootstrap.
Jarrod Overson - BSidesPDX Recap • The script decrypts and compiles a new module. • The key comes from a package description somewhere. • The encrypted JS comes from testData[0]. • The compiled module exports testData[1].
Jarrod Overson - BSidesPDX What does this mean? The script only serves its purpose if the code runs from an npm script in a directory that has a package.json with a "description" field containing a specific string that can act as the key.
Jarrod Overson - BSidesPDX What this means for us We need to start trolling through package.json files.
😂
Jarrod Overson - BSidesPDX Strategy • Iterate through every package. • Decrypt testData[0]. • Run the decrypted data through a JS Parser. • If successful then we have a winner.
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Copay, the Secure Bitcoin Wallet.
Jarrod Overson - BSidesPDX Payload B The injector.
Payload B
Payload B
Jarrod Overson - BSidesPDX npm scripts redux npm run-script script-name [0] [1] [2]argv:
Payload B
copay's package.json scripts
Payload B
Jarrod Overson - BSidesPDX Recap • Payload B noops unless run in copay's build stage. • Decrypts payload C just like payload B. • Injects payload C into a file used in copay's mobile app. • Payload C is then executed in the mobile app while on a user's mobile device.
Jarrod Overson - BSidesPDX Payload C The final payload.
Payload C
Jarrod Overson - BSidesPDX Payload C in a nutshell • Harvested private keys • Targeted wallets with over 100 BTC or 1000 BCH • Communicated with third party server copayapi.host
Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
Jarrod Overson - BSidesPDX This is NOT node/npm specific Any public repository of code is susceptible.
Jarrod Overson - BSidesPDX The Good News. Once the issue was brought to light the community • responded rapidly • investigated quickly • mitigated the issue immediately • and produced tools to help others right away.
Jarrod Overson - BSidesPDX The Bad News. It has happened multiple times since.
The dependency problem is not ideal.
Jarrod Overson - BSidesPDX This could have been much worse. event-stream was depended on things like the - azure-cli - dozens of build tools and plugins - Microsoft's monaco editor (the editor for VSCode)
Jarrod Overson - BSidesPDX This will likely get much worse. Properly addressing this problem requires rethinking node, dependencies, and package management. Hard things with lots of compatibility implications.
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX What can you do? • Audit your dependencies. • Lock your dependencies. • Check in your dependencies. • Think twice before adding dependencies.
Jarrod Overson - BSidesPDX When in doubt, don't add it. • Dependencies are risks. • Risks are gambles. • You gamble when cost is low and value is high.
Jarrod Overson - BSidesPDX Why are imitation attacks such a problem?Thank You! @jsoverson on bit.ly/jsoverson-youtube

Recomendados

Shadowsocks Go
Shadowsocks GoShadowsocks Go
Shadowsocks Go
Eric Guo
 
Ygoltsev dcg 21_08_wifiineapple
Ygoltsev dcg 21_08_wifiineappleYgoltsev dcg 21_08_wifiineapple
Ygoltsev dcg 21_08_wifiineapple
ygoltsev
 
Cluj JSHeroes 2017 - Liran Tal on Node.js Security
Cluj JSHeroes 2017 - Liran Tal on Node.js SecurityCluj JSHeroes 2017 - Liran Tal on Node.js Security
Cluj JSHeroes 2017 - Liran Tal on Node.js Security
Liran Tal
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PROIDEA
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
CODE BLUE
 
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesBSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniques
Guglielmo Scaiola
 
Openssl
OpensslOpenssl
Openssl
Adam Moravcik
 
Resilience Testing
Resilience Testing Resilience Testing
Resilience Testing
Ran Levy
 

Recomendados

Shadowsocks Go
Shadowsocks GoShadowsocks Go
Shadowsocks Go
Eric Guo
 
Ygoltsev dcg 21_08_wifiineapple
Ygoltsev dcg 21_08_wifiineappleYgoltsev dcg 21_08_wifiineapple
Ygoltsev dcg 21_08_wifiineapple
ygoltsev
 
Cluj JSHeroes 2017 - Liran Tal on Node.js Security
Cluj JSHeroes 2017 - Liran Tal on Node.js SecurityCluj JSHeroes 2017 - Liran Tal on Node.js Security
Cluj JSHeroes 2017 - Liran Tal on Node.js Security
Liran Tal
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PROIDEA
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
CODE BLUE
 
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesBSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniques
Guglielmo Scaiola
 
Openssl
OpensslOpenssl
Openssl
Adam Moravcik
 
Resilience Testing
Resilience Testing Resilience Testing
Resilience Testing
Ran Levy
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat Security Conference
 
Oow2013 ef final_4_3
Oow2013 ef final_4_3Oow2013 ef final_4_3
Oow2013 ef final_4_3
Euegene Fedorenko
 
Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...
Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...
Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...
Mail.ru Group
 
Ad, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesAd, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniques
Guglielmo Scaiola
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat Security Conference
 
My Bro The ELK
My Bro The ELKMy Bro The ELK
My Bro The ELK
Tripwire
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel
 
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
CODE BLUE
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slides
Dan Kaminsky
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat Security Conference
 
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
Jarrod Overson
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & Analytics
Server Density
 
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
Michele Orselli
 
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
Alessandro Cinelli (cirpo)
 
3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo
3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo
3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo
Joe Clarke
 
IT Days - Parse huge JSON files in a streaming way.pptx
IT Days - Parse huge JSON files in a streaming way.pptxIT Days - Parse huge JSON files in a streaming way.pptx
IT Days - Parse huge JSON files in a streaming way.pptx
Andrei Negruti
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
MongoDB
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerDEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
Felipe Prado
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and Implications
MongoDB
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
wremes
 
Building a Cross Channel Content Delivery Platform with MongoDB
Building a Cross Channel Content Delivery Platform with MongoDBBuilding a Cross Channel Content Delivery Platform with MongoDB
Building a Cross Channel Content Delivery Platform with MongoDB
MongoDB
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
Sergey Gordeychik
 

Mais conteúdo relacionado

Mais procurados

BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat Security Conference
 
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
CODE BLUE
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slides
Dan Kaminsky
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat Security Conference
 

Mais procurados (10)

BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 
Oow2013 ef final_4_3
Oow2013 ef final_4_3Oow2013 ef final_4_3
Oow2013 ef final_4_3
 
Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...
Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...
Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...
 
Ad, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesAd, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniques
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole
 
My Bro The ELK
My Bro The ELKMy Bro The ELK
My Bro The ELK
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
 
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slides
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
 

Semelhante a Analysis of an OSS supply chain attack - How did 8 millions developers download an exploit with no one noticing?

IT Days - Parse huge JSON files in a streaming way.pptx
IT Days - Parse huge JSON files in a streaming way.pptxIT Days - Parse huge JSON files in a streaming way.pptx
IT Days - Parse huge JSON files in a streaming way.pptx
Andrei Negruti
 
How to write clean & testable code without losing your mind
How to write clean & testable code without losing your mindHow to write clean & testable code without losing your mind
How to write clean & testable code without losing your mind
Andreas Czakaj
 

Semelhante a Analysis of an OSS supply chain attack - How did 8 millions developers download an exploit with no one noticing? (20)

JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & Analytics
 
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
 
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
 
3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo
3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo
3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo
 
IT Days - Parse huge JSON files in a streaming way.pptx
IT Days - Parse huge JSON files in a streaming way.pptxIT Days - Parse huge JSON files in a streaming way.pptx
IT Days - Parse huge JSON files in a streaming way.pptx
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerDEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and Implications
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
 
Building a Cross Channel Content Delivery Platform with MongoDB
Building a Cross Channel Content Delivery Platform with MongoDBBuilding a Cross Channel Content Delivery Platform with MongoDB
Building a Cross Channel Content Delivery Platform with MongoDB
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers" Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers"
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
Codemotion 2015 Infinispan Tech lab
Codemotion 2015 Infinispan Tech labCodemotion 2015 Infinispan Tech lab
Codemotion 2015 Infinispan Tech lab
 
How to write clean & testable code without losing your mind
How to write clean & testable code without losing your mindHow to write clean & testable code without losing your mind
How to write clean & testable code without losing your mind
 
Belfast JUG, SIMD (Vectorial) Operations
Belfast JUG, SIMD (Vectorial) OperationsBelfast JUG, SIMD (Vectorial) Operations
Belfast JUG, SIMD (Vectorial) Operations
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
IzPack - PoitouJUG
IzPack - PoitouJUGIzPack - PoitouJUG
IzPack - PoitouJUG
 
Intro to Node.js (for .NET Developers)
Intro to Node.js (for .NET Developers)Intro to Node.js (for .NET Developers)
Intro to Node.js (for .NET Developers)
 

Mais de Jarrod Overson

Mais de Jarrod Overson (20)

Practical WebAssembly with Apex, wasmRS, and nanobus
Practical WebAssembly with Apex, wasmRS, and nanobusPractical WebAssembly with Apex, wasmRS, and nanobus
Practical WebAssembly with Apex, wasmRS, and nanobus
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is Evolving
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019
 
Deepfakes - How they work and what it means for the future
Deepfakes - How they work and what it means for the futureDeepfakes - How they work and what it means for the future
Deepfakes - How they work and what it means for the future
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.
 
How to Reverse Engineer Web Applications
How to Reverse Engineer Web ApplicationsHow to Reverse Engineer Web Applications
How to Reverse Engineer Web Applications
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
 
The Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of SecurityThe Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of Security
 
Shape Security @ WaffleJS October 16
Shape Security @ WaffleJS October 16Shape Security @ WaffleJS October 16
Shape Security @ WaffleJS October 16
 
Graphics Programming for Web Developers
Graphics Programming for Web DevelopersGraphics Programming for Web Developers
Graphics Programming for Web Developers
 
The Dark Side of Security
The Dark Side of SecurityThe Dark Side of Security
The Dark Side of Security
 
JavaScript and the AST
JavaScript and the ASTJavaScript and the AST
JavaScript and the AST
 
ES2015 workflows
ES2015 workflowsES2015 workflows
ES2015 workflows
 
Maintainability SFJS Sept 4 2014
Maintainability SFJS Sept 4 2014 Maintainability SFJS Sept 4 2014
Maintainability SFJS Sept 4 2014
 
Idiot proofing your code
Idiot proofing your codeIdiot proofing your code
Idiot proofing your code
 
Riot on the web - Kenote @ QCon Sao Paulo 2014
Riot on the web - Kenote @ QCon Sao Paulo 2014Riot on the web - Kenote @ QCon Sao Paulo 2014
Riot on the web - Kenote @ QCon Sao Paulo 2014
 
Managing JavaScript Complexity in Teams - Fluent
Managing JavaScript Complexity in Teams - FluentManaging JavaScript Complexity in Teams - Fluent
Managing JavaScript Complexity in Teams - Fluent
 
Real World Web components
Real World Web componentsReal World Web components
Real World Web components
 
Managing JavaScript Complexity
Managing JavaScript ComplexityManaging JavaScript Complexity
Managing JavaScript Complexity
 
Continuous Delivery for the Web Platform
Continuous Delivery for the Web PlatformContinuous Delivery for the Web Platform
Continuous Delivery for the Web Platform
 

Último

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 

Último (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Analysis of an OSS supply chain attack - How did 8 millions developers download an exploit with no one noticing?

  • 1. Jarrod Overson - BSidesPDX Why are imitation attacks such a problem? Analysis of an OSS supply chain attack How did millions of developers download malicious code with no one noticing? Jarrod Overson - BSidesPDX
  • 2. Jarrod Overson - BSidesPDX
  • 3. Jarrod Overson - BSidesPDX
  • 4. Jarrod Overson - BSidesPDX
  • 5. Jarrod Overson - BSidesPDX npm install [anything]
  • 6. Jarrod Overson - BSidesPDX The threat is real And it's coming from inside the house.
  • 7. Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
  • 8. Jarrod Overson - BSidesPDX Who am I? • Director at Shape Security & Google Dev Expert. • Write/talk/record about JS reverse engineering & breaking web apps. • Old-school video game hacker. • @jsoverson most everywhere This guy
  • 9. Jarrod Overson - BSidesPDX ?
  • 10. Jarrod Overson - BSidesPDX Ever heard of YKK?
  • 11. Jarrod Overson - BSidesPDX
  • 12. Jarrod Overson - BSidesPDX You used Shape this week. We're the reason you log in a lot less and see fewer CAPTCHAs.
  • 13. Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
  • 14. Jarrod Overson - BSidesPDX JS It started with a package, event-stream
  • 15. Jarrod Overson - BSidesPDX
  • 16. Jarrod Overson - BSidesPDX
  • 17. Jarrod Overson - BSidesPDX
  • 18. Jarrod Overson - BSidesPDX
  • 19. Jarrod Overson - BSidesPDX JS event-stream was maintained by prolific developer Dominic Tarr
  • 20. Jarrod Overson - BSidesPDX
  • 21. Jarrod Overson - BSidesPDX
  • 22. Jarrod Overson - BSidesPDX
  • 23. Jarrod Overson - BSidesPDX JS Domenic gave ownership to right9ctrl in September of 2018 *
  • 24. Jarrod Overson - BSidesPDX Q: Why?
  • 25. Jarrod Overson - BSidesPDX
  • 26. Jarrod Overson - BSidesPDX
  • 27. Jarrod Overson - BSidesPDX JS right9ctrl gained trust by committing several innocent changes. ...b550f5: upgrade dependencies ...37c105: add map and split examples ...477832: remove trailing in split example ...2c2095: better pretty.js example ...a644c5: update readme event-stream
  • 28. Jarrod Overson - BSidesPDX JS On Sept 9 2018 right9ctrl added a new dependency and released version 3.3.6 JS v3.3.6 JS v0.1.0 flatmap-stream event-stream
  • 29. Jarrod Overson - BSidesPDX About that caret...
  • 30. Jarrod Overson - BSidesPDX Semantic Versioning (semver) Major.Minor.Patch e.g. 3.4.9 Breaking changes New features Bug fixes Increasing risk
  • 31. Jarrod Overson - BSidesPDX Semver pattern matching Symbol Example Matches ^ ^0.1.0 0.*.* ~ ~0.1.0 0.1.*
  • 32. Jarrod Overson - BSidesPDX JS right9ctrl then removed flatmap-stream and updated event-stream to v4.0.0. v4.0.0 event-stream
  • 33. Jarrod Overson - BSidesPDX Note: Nothing malicious has emerged thus far.
  • 34. Jarrod Overson - BSidesPDX Total time between first commit and v4.0.0? 12 days
  • 35. Jarrod Overson - BSidesPDX JS On October 5th 2018 (T+31) flatmap-stream@0.1.1 was published. JS v3.3.6 v0.1.1 flatmap-stream event-stream JS v0.1.0
  • 36. Jarrod Overson - BSidesPDX JS event-stream@3.3.6 installed fresh now pulls in flatmap-stream@0.1.1 because of the ^ JS v3.3.6 v0.1.1 flatmap-stream event-stream
  • 37. Jarrod Overson - BSidesPDX event-stream@3.3.5 was stable for 2+ years. JSJS v3.3.6 event-stream
  • 38. Jarrod Overson - BSidesPDX A LOT depended on event-stream^3.3.5 and would get updated to 3.3.6 automatically. JS JS JS JS JS JS JS JS JS
  • 39. Jarrod Overson - BSidesPDX Time between flatmap-stream@0.1.1 and exposure: 48 days Time between malicious control and discovery: 77 days
  • 40. Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
  • 41. Jarrod Overson - BSidesPDX First, how was it discovered?
  • 42. Payload A used a method deprecated in node v11.0.0
  • 43. Node v11.0.0 was released 18 days into the exploit.
  • 44. Unrelated projects started getting deprecation warnings.
  • 45. Finally someone started putting it together.
  • 46. Jarrod Overson - BSidesPDX So how was it discovered? Luck.
  • 49. Jarrod Overson - BSidesPDX Payload A The bootstrap.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55.
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.
  • 65. Jarrod Overson - BSidesPDX Recap • The script decrypts and compiles a new module. • The key comes from a package description somewhere. • The encrypted JS comes from testData[0]. • The compiled module exports testData[1].
  • 66. Jarrod Overson - BSidesPDX What does this mean? The script only serves its purpose if the code runs from an npm script in a directory that has a package.json with a "description" field containing a specific string that can act as the key.
  • 67. Jarrod Overson - BSidesPDX What this means for us We need to start trolling through package.json files.
  • 68.
  • 69. 😂
  • 70. Jarrod Overson - BSidesPDX Strategy • Iterate through every package. • Decrypt testData[0]. • Run the decrypted data through a JS Parser. • If successful then we have a winner.
  • 71. Jarrod Overson - BSidesPDX
  • 72. Jarrod Overson - BSidesPDX
  • 73. Copay, the Secure Bitcoin Wallet.
  • 74. Jarrod Overson - BSidesPDX Payload B The injector.
  • 77. Jarrod Overson - BSidesPDX npm scripts redux npm run-script script-name [0] [1] [2]argv:
  • 81. Jarrod Overson - BSidesPDX Recap • Payload B noops unless run in copay's build stage. • Decrypts payload C just like payload B. • Injects payload C into a file used in copay's mobile app. • Payload C is then executed in the mobile app while on a user's mobile device.
  • 82. Jarrod Overson - BSidesPDX Payload C The final payload.
  • 84. Jarrod Overson - BSidesPDX Payload C in a nutshell • Harvested private keys • Targeted wallets with over 100 BTC or 1000 BCH • Communicated with third party server copayapi.host
  • 85. Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
  • 86. Jarrod Overson - BSidesPDX This is NOT node/npm specific Any public repository of code is susceptible.
  • 87. Jarrod Overson - BSidesPDX The Good News. Once the issue was brought to light the community • responded rapidly • investigated quickly • mitigated the issue immediately • and produced tools to help others right away.
  • 88. Jarrod Overson - BSidesPDX The Bad News. It has happened multiple times since.
  • 89.
  • 90.
  • 91. The dependency problem is not ideal.
  • 92. Jarrod Overson - BSidesPDX This could have been much worse. event-stream was depended on things like the - azure-cli - dozens of build tools and plugins - Microsoft's monaco editor (the editor for VSCode)
  • 93. Jarrod Overson - BSidesPDX This will likely get much worse. Properly addressing this problem requires rethinking node, dependencies, and package management. Hard things with lots of compatibility implications.
  • 94. Jarrod Overson - BSidesPDX
  • 95. Jarrod Overson - BSidesPDX What can you do? • Audit your dependencies. • Lock your dependencies. • Check in your dependencies. • Think twice before adding dependencies.
  • 96. Jarrod Overson - BSidesPDX When in doubt, don't add it. • Dependencies are risks. • Risks are gambles. • You gamble when cost is low and value is high.
  • 97. Jarrod Overson - BSidesPDX Why are imitation attacks such a problem?Thank You! @jsoverson on bit.ly/jsoverson-youtube