Blog entry by Les Bell

by Les Bell - Thursday, July 6, 2023, 10:16 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Node.js Supply Chain Threatened by Manifest Confusion Vulnerability

The shift away from desktop applications to cloud-hosted applications which use the web browser as the universal desktop client has seen the popularity of the JavaScript language grow massively. And having to code in both JavaScript and a back-end language like PHP or Java increases costs and generally makes life difficult - so why not code the back end in JavaScript, too? The answer to that question is Node.js, which implements a JavaScript runtime on web servers and unsurprisingly has also become massively popular.

And just like the other languages, Node.js has its own package manager and repository for distribution of useful libraries, subsystems and code packages generally, in the form of npm. But now comes news of a massive threat to the Node.js software supply chain, in the form of what a former GitHub and npm engineering manager, Darcy Clarke, has termed "manifest confusion".

The basic problem is this: an npm package's manifest - a JSON file which lists the package id, name, version info, contents, dependencies, etc. - is published independently from its tarball (the .tgz file with the actual contents), and manifests are never fully validated against the tarball's contents. In a blog post, Clarke writes that

"From the outset, the npm project also put a lot of trust in the client vs. server-side of the registry. Looking back now, it's clear that the practice of relying so heavily on a client to handle validation of data is riddled with issues"

From experience teaching some aspects of web application development, I would say this is a common problem. Web developers who work on both the client and server halves of a product often fail to recognise the trust boundary between the two and rely on the client to perform not just validation but sanitization in order to protect the server. What they don't realize is that a) the client is not under their control as it runs on an untrusted system, and b) an attacker may well run a completely different client of their own devising in order to bypass their sanitization.

Returning to the manifest confusion problem, Clarke continues:

The issue at hand is that the version metadata (aka. "manifest" data) is submitted independent from the attached tarball which houses the package's package.json. These two pieces of information are never validated against one another & calls into question which one should be the canonical source of truth for data such as dependencies, scripts, license & more. As far as I can tell, the tarball is the only artifact that gets signed & has an integrity value that can be stored & verified offline (making the case for it to potentially be the proper source; yet, very surprisingly, the name & version fields in package.json can actually differ from those in the manifest, because they were never validated).

This loophole means that threat actors could conduct a variety of different attacks - most obviously publishing a package whose tarball contains hidden dependencies or runs install scripts which load malware, none of which appear in the manifest the registry serves - and Clarke's post provides proof-of-concepts for several of them. This vulnerability puts the entire npm software supply chain at risk.

Worst of all, this issue was first disclosed to GitHub in early November 2022 and further escalated by Clarke in March of this year - but to date, nothing seems to have been done, publicly at least. In the meantime, Clarke recommends that users switch to using the package contents in the tarball for metadata where needed.
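As an added illustration of the check Clarke's advice implies (this is example code written for this briefing, not code from Clarke's post or from npm), the following Node.js snippet compares the version metadata served by the registry against the package.json found inside the tarball and reports the fields that disagree, singling out dependencies and install-time scripts that exist only in the tarball. Both inputs are assumed to be already-parsed objects; the sample manifest and package.json below are constructed for the example, and `example-pkg` and `unlisted-dep` are placeholder names.

```javascript
// Added example, not part of the original post or of npm's own tooling.
// Compares the registry's per-version manifest with the package.json that
// actually ships inside the tarball, the two artifacts that "manifest
// confusion" lets diverge.

const COMPARED_FIELDS = ['name', 'version', 'license', 'dependencies', 'scripts'];
// Lifecycle scripts that npm runs automatically at install time.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Key-order-independent JSON text, so {a,b} and {b,a} compare equal.
function canonical(value) {
  if (value === undefined) return 'undefined';
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  return '{' + Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
}

// Keys present in the tarball's object but absent from the manifest's object.
function extraKeys(inManifest = {}, inTarball = {}) {
  return Object.keys(inTarball).filter((k) => !(k in inManifest));
}

// Compare one registry manifest with the package.json from its tarball.
// Returns { ok, mismatches, hiddenDependencies, hiddenInstallScripts }.
function compareManifest(registryManifest, tarballPackageJson) {
  const mismatches = COMPARED_FIELDS.filter(
    (f) => canonical(registryManifest[f]) !== canonical(tarballPackageJson[f]));
  const hiddenDependencies = extraKeys(
    registryManifest.dependencies, tarballPackageJson.dependencies);
  const hiddenInstallScripts = extraKeys(
    registryManifest.scripts, tarballPackageJson.scripts)
    .filter((s) => INSTALL_HOOKS.includes(s));
  return { ok: mismatches.length === 0, mismatches, hiddenDependencies, hiddenInstallScripts };
}

// Constructed sample data (placeholder package and dependency names).
const SAMPLE_MANIFEST = {
  name: 'example-pkg', version: '1.2.3', license: 'MIT',
  dependencies: { lodash: '^4.17.21' },
  scripts: { test: 'node test.js' },
};
// What the tarball's package.json might say for the same publish.
const SAMPLE_TARBALL_PACKAGE_JSON = {
  name: 'example-pkg', version: '1.2.4', license: 'MIT',
  dependencies: { lodash: '^4.17.21', 'unlisted-dep': '1.0.0' },
  scripts: { test: 'node test.js', postinstall: 'node ./setup.js' },
};

function runSample() {
  return compareManifest(SAMPLE_MANIFEST, SAMPLE_TARBALL_PACKAGE_JSON);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

To feed it real data, the registry manifest is the JSON returned by `https://registry.npmjs.org/<name>/<version>`, and the tarball's package.json can be read with `npm pack <name>@<version>` followed by `tar -xOzf <name>-<version>.tgz package/package.json`. Any entry in `hiddenInstallScripts` or `hiddenDependencies` is exactly the kind of discrepancy the story describes, and the tarball (the signed artifact with an integrity value) is the side to believe.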

Clarke, Darcy, The massive bug at the heart of the npm ecosystem, blog post, 27 June 2023. Available online at https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem.

Interpol Arrests Key Figure in OPERA1ER Cybercrime Group

A cybercrime group - known variously as OPERA1ER, NX$M$, DESKTOP Group and Common Raven - has been perpetrating a variety of malware and phishing campaigns, as well as large-scale business email compromise scams, over the last four years, targeting financial institutions and mobile banking services in 15 countries across Africa, Asia and Latin America. First detected by security firm Group-IB and telco Orange, the group is believed to have stolen somewhere between $US11 million and $US30 million.

Interpol's Cybercrime Directorate established Operation Nervone to coordinate intelligence provided by the two firms above, as well as the US Secret Service's Criminal Investigative Division and Booz Allen Hamilton DarkLabs, in turn providing key information to the Direction de l'Information et des Traces Technologiques (DITT) in Côte d'Ivoire.

And so, in early June, authorities in Côte d'Ivoire were able to arrest a key suspect linked to attacks against financial institutions across Africa. The sheer number of different agencies and security firms involved in this operation - it was also backed by the African Joint Operation against Cybercrime and the INTERPOL Support Programme for the African Union in relation to AFRIPOL - clearly illustrates the complexity of international investigations, especially in comparison to the relative ease of criminal operations on the borderless Internet.

Interpol, Suspected key figure of notorious cybercrime group arrested in joint operation, news release, 5 July 2023. Available online at https://www.interpol.int/News-and-Events/News/2023/Suspected-key-figure-of-notorious-cybercrime-group-arrested-in-joint-operation.

LockBit Halts Nagoya Port Operations

Who can forget the global impact of NotPetya, the 2017 wiper which disrupted global shipping and supply chains - all because of a Russian attack on Ukraine's tax collection? Here we go again, albeit on a much smaller scale, although the impact may well flow through to purchasers of Toyota motor vehicles.

Early on Tuesday morning, an employee at the Nagoya Port Authority discovered a ransomware infection on their computer. The ransomware turns out to be the notorious LockBit 3.0, and its Russian operators have made a ransom demand in exchange for system recovery.

The impact here is not likely to be the exfiltration of sensitive data - the port system likely deals with container shipping manifests - but will primarily be the impact of business process interruption, since Nagoya is Japan's major shipping port. In particular, it is the key hub for Toyota's exports and imports, with the car maker reporting that it cannot load or unload auto parts due to the port's shutdown.

Uncredited, Pro-Russian hackers target Port of Nagoya, disrupting loading of Toyota parts, The Japan Times, 5 July 2023. Available online at https://www.japantimes.co.jp/news/2023/07/05/national/nagoya-port-cyberattack/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.