The recent exposure of SolarWinds showed us how a determined adversary could leverage a trusted source in order to gain access to an organization. While there is still much to learn from SolarWinds, we should not ignore how other areas of trust could be used against an organization. One of these areas is how organizations blindly trust simple commands utilized to install and update package dependencies.
Alex Birsan recently published an article on how he effectively leveraged package dependencies to execute code on remote machines and make his way into some of the biggest tech companies. In essence, by identifying valid internal package names that can normally be found on an organization’s public repositories like GitHub, an adversary could upload malicious code to a respective package control manager under the same dependency name to have the victim machine default to the newer package version.
Threat Simulation & Sample Code
As with any relevant threat, Anvilogic’s Threat Detection team began researching and developing a means of detection surrounding dependency confusion to ensure their customers are able to detect when this kind of compromise occurs within their network. Below is a simplistic example of how we can take advantage of setup.py execution to download and execute another script when a python package is installed.
When the victim machine attempts to install ‘avltest’, the default configuration of PyPi forces the victim to download the higher version as a dependency. Once downloaded, malicious code is automatically executed on the host.
Detecting Low Fidelity Suspicious Events
In order to detect this or other dependency style attacks such as dependency typosquatting, several false-positive prone detections would need to be correlated and sequenced together to provide a single high-efficacy alert. To begin, we can take a look at simplified logic looking at process command line logs for the detection of installation packages:
- (“pip” OR “gem” OR “npm”) install
The above detection would warn anytime a package is installed. Of course, you could supplement this by looking at the addition of certain parameters such as the use “--extra-index-url” for pip.
The next detection would be surrounding the access or modification of configuration files dealing with these package control managers which can take on a different simplified detection logic whether you are looking at your Windows or Linux systems:
- Linux: (“vi” OR “vim” OR “nano” OR “visudo” OR “cat” OR “more” OR “less” OR ">>" OR ">") AND ("requirements.txt" OR "pip.conf" OR "package.json" OR "gemspec" OR "gemrc")
- Windows: (“vi” OR “vim” OR “nano” OR “visudo” OR “cat” OR “more” OR “less” OR “edit” OR “type” OR “gc” OR “get-content” OR (“copy” “con”) OR ">>" OR ">") AND ("requirements.txt" OR "pip.conf" OR "package.json" OR "gemspec" OR "gemrc")
The False Positive Problem
As mentioned, the above detections will be prone to generate an immense amount of false positives that will surely overwhelm a Security Operations Center if used on their own; however, when used in a sequence in conjunction with additional detections, a Security Operations Center can receive high-efficacy alerts that can easily be triaged without being inundated with alert fatigue. This kind of sequenced detection can effortlessly be created and deployed directly into your SIEM with Anvilogic.
Building High-Fidelity Detection Logic with No-Code
Utilizing Anvilogic’s code-less Threat Scenario builder, we can easily combine the above use cases with additional detections found within our platform on a simplistic interface and allow Anvilogic to automatically generate all the detection code necessary for deployment.
Rather than receiving an alert every time a package is installed, or if one of your package control manager’s configuration files has been modified, we can sequence these detections with others looking for what is likely to happen after a host has undergone dependency confusion and produce high-efficacy alerts ready for triage.
Anvilogic’s Threat Detection team actively researches, develops, and exploits threats while developing their corresponding detections as the cyber landscape continues to evolve.
Anvilogic’s code-less Threat Scenario builder allows us to easily combine a variety of different detections on a simplistic interface to auto-generate the necessary logic intended on detecting these sophisticated threats that are unable to be detected by a single detection allowing analysts to detect the next dependency confusion threat compromise occurring within their organization.
About the Authors
Kevin Gonzalez is currently the Director of Security at Anvilogic where he is responsible for the threat detection lifecycle and corporate security.
Before Anvilogic, Kevin led cybersecurity operations, engineering, and architectural practices at Lennar Corporation and Cubic Corporation while consulting for several organizations to help build security analytic programs and architect security solutions.
Kevin is from Miami, Florida. He holds a master’s degree from Florida International University in Management Information Systems along with several cybersecurity certifications.
Eric Hines is currently a Detection Engineer at Anvilogic where he is responsible for threat detection analysis and intelligence.
Before Anvilogic, Eric was an Information Security Analyst with a diverse background in various cyber operations for the U.S. Navy.
Eric currently resides in Chattanooga, Tennessee. He holds a Bachelor's degree from the University of Maryland Global Campus in Computer Network Infrastructure and Cyber Security along with several cybersecurity certifications.