Tainted Water, Tainted Packages | Weekly Brief W06

Weekly Brief Feb 10, 2021

This week saw yet another example of poor security in public infrastructure - this time a Floridian water treatment plant. Game developer CD Projekt RED stands firm and refuses to bargain with ransom actors - highlighting the value of performing regular backups. A security researcher proved a hunch many devs have held for a long time - you can't always trust what you download from the internet (even NPM!).

Exploiting DevTools Dependencies To Compromise 35 Big Tech Cos.

By taking advantage of the blind trust many developers place in project dependencies downloaded via package managers, a researcher has compromised 35 major companies. The concept is similar to the known risk of malicious packages published under names that closely resemble official ones.

The researcher, Alex Birsan, exploited the names of internal dependencies found in PayPal package.json files, creating packages on NPM with the same names - hoping his package would be pulled instead of the one authored by PayPal. Since proving the concept with PayPal, Birsan has generated over $130,000 in bounties and compromised scores of companies.
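As an added example (not part of the original post or of Birsan's research), the following Python script shows the defender's side of the issue described above: it reads a package.json and an .npmrc and flags dependencies that would be resolved from the public NPM registry even though they look internal - either an unscoped name using an internal prefix, or a scoped name whose scope is not pinned to a private registry. The manifest, the .npmrc and the `acme-` prefix convention are constructed for illustration.

```python
import json
import re

# Constructed sample manifest for a hypothetical internal project.
PACKAGE_JSON = """{
  "name": "internal-app",
  "dependencies": {
    "express": "^4.17.1",
    "@acme/auth-client": "^2.0.0",
    "acme-payment-utils": "1.4.0"
  },
  "devDependencies": {
    "@acme/eslint-config": "^1.0.0",
    "jest": "^26.6.3"
  }
}"""

# Constructed .npmrc: only the @acme scope is pinned to the private registry.
NPMRC = """registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=${NPM_TOKEN}
"""

# Assumed naming convention for unscoped internal packages.
INTERNAL_PREFIXES = ("acme-",)


def parse_npmrc(text):
    """Return the scope -> registry URL mappings declared in an .npmrc."""
    scoped = {}
    for line in text.splitlines():
        m = re.match(r"^(@[^:]+):registry=(\S+)$", line.strip())
        if m:
            scoped[m.group(1)] = m.group(2)
    return scoped


def find_confusable(package_json, npmrc, internal_prefixes=INTERNAL_PREFIXES):
    """List (name, reason) for dependencies that fall through to the public
    registry despite looking internal: unscoped internal-prefixed names, and
    scoped names whose scope has no private registry pinned in .npmrc."""
    manifest = json.loads(package_json)
    pinned = parse_npmrc(npmrc)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name in manifest.get(section, {}):
            if name.startswith("@"):
                if name.split("/", 1)[0] not in pinned:
                    findings.append((name, "scope not pinned to a private registry"))
            elif name.startswith(internal_prefixes):
                findings.append((name, "unscoped internal name resolves publicly"))
    return findings
```

Pinning every internal scope to the private registry and keeping internal packages scoped (rather than relying on a name prefix) removes the fallback to the public registry that this attack depends on.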

Read an overview by ThreatPost here or Birsan's technical writeup here.

CD Projekt Gets “EPICALLY pwned”, Faces Ransom From Hacker.

Developer and publisher of the popular Witcher series, CD Projekt, has shared publicly via a tweet that its internal systems have been attacked. In the statement, the company says that whilst some files have been encrypted and the threat actor is demanding a ransom, it refuses to negotiate with the actor and is in the process of restoring data from backups.

Following the release of this statement, the threat actor has been identified as the HelloKitty group. It is also suspected that the group is attempting to auction the stolen source code online, priced from $1MM.

See the CD Projekt statement here and read an overview by Bleeping Computer here.

Hacker Toys With Florida Water Treatment Facility; Modifies Lye Levels To ‘Dangerous’ Levels.

A press conference was held by Oldsmar city officials after it was discovered that a hacker had compromised the control systems at a water treatment plant. The attacker raised the level of lye in the water to over 110 times the normal level.

Fortunately, an operator at the facility noticed a cursor moving on their screen, catching and reverting the change before the tainted water was delivered to citizens. The County Sheriff noted that whilst they are investigating leads right now, there is currently no known suspect in the attack.

Read more here (the full press conference is also available here).

If you liked this, subscribe below to get a round-up of the week's most important stories in InfoSec and IT.


Josh Caulfield

InfoSec & Data Science. Currently studying for a BSc in Data Science. Sec+ | CySA+ | AWS-CCP