Dependable Red Teaming by using Confusion - Tinus Green

Dependency Confusion, a DevOps supply chain attack path discovered in 2021, hasn't really gotten the attention that it deserves. This is mainly due to a misunderstanding of how large the attack surface can be. In this talk, we will show how dependency confusion can be exploited to not just attack the pipeline, but covertly gain full access to PROD! Dependency Confusion attacks leverage confusion that can be created in a package manager's approach to determining where libraries need to be installed from. Simply knowing the name of an internally-hosted package is sufficient for a threat actor to stage such an attack, which can trick a package manager to install a malicious version of the library from an external repository instead. When this vulnerability was first discovered and published, the author was able to show how they infected companies such as the likes of Apple and Microsoft. However, since then, there hasn't been any real traction from the security community to include testing for this in their methodology. This is largely due to the difficulties in explaining the impact that such a vulnerability can have. A key argument made against the vulnerability's impact is that the risk is mitigated since proper CI/CD pipelines make use of ephemeral build agents meaning the threat actor's package would not have the relevant code to pass unit tests. Thus a compromise here would not really amount to anything serious. This got us thinking. What if we could weaponise dependency confusion not to compromise a developer installing package or the build agent, but to actually compromise production? Turns out, this is possible and actually not that hard to achieve! This brings a whole new dynamic for red teams looking to deploy a near-silent but incredibly potent backdoor. This talk will be beginner friendly by covering what dependency confusion is but then take it further to show in a live network how dependency confusion can be weaponised to blast its way past both the build and deploy stages and into production, providing a fun new breach to goal execution shortcut for red teams! The talk overview is as follows: Introduction to dependency confusion Why the security community overlooks dependency confusion Reevaluating the threat of dependency confusion Weaponising dependency confusion Mitigation strategies and best practice to prevent and detect dependency confusion Takeaways: Those attending this talk will better understand the true impact that dependency confusion can have and how its discovery can be weaponised to showcase this true impact. Equipped with this knowledge, attendees will be able to supplement their testing methodologies and understand how to better protect their organisations from this attack vector. ======================================================= About the Speaker: Tinus Green I am the Head of Consultancy at MWR and have a passion for deeply understanding how things work, taking them apart, and sometimes being able to put them back together. ======================================================= Thanks to our AV Sponsor Tenable for making these recordings possible.