New Supply Chain Attack Method Poses Risks to Java and Android Applications
Recent discoveries have exposed vulnerabilities in several abandoned yet widely used libraries within Java and Android applications, particularly through a new supply chain attack method known as MavenGate. This technique allows attackers to exploit domain name purchases, potentially compromising ongoing projects without easily detectable signs of intrusion.
According to an analysis from Oversecured, the attack exploits default build configurations in Maven-based technologies, including Gradle, making them susceptible to this kind of malicious manipulation. The ramifications of successfully executing this attack are significant; cybercriminals could redirect dependencies and inject malicious code into applications, undermining the integrity of the software build process itself via harmful plugins.
Oversecured disclosed that it had alerted more than 200 companies about these risks, including major players such as Google, Amazon, and Facebook. Apache Maven is the predominant tool for managing Java projects and their dependencies, each identified by a unique groupId that conventionally mirrors a reversed domain name. An attacker can target public repositories and the abandoned libraries hosted there to poison the supply chain: by purchasing the expired domain behind a dependency's groupId, the attacker gains control of that groupId.
In a practical demonstration, Oversecured published a test Android library to Maven Central and JitPack. By introducing an altered version of the library containing compromised code, the organization showed how attackers could hijack dependencies. This was possible because Gradle consults the repositories declared in the build script in order, so depending on where Maven Central and JitPack sit in that list, a lower-priority repository can end up supplying a malicious version in place of the legitimate one. Following this methodology, malicious actors can publish a higher version number to supersede an existing, trusted version, or manipulate versions to create confusion.
The researchers noted that many applications do not verify digital signatures for their dependencies, and numerous libraries do not even publish these signatures. This oversight permits attackers to include harmful code in a new library version, remaining undetected until developers unwittingly upgrade their software.
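The repository-order problem and the missing signature checks described above can be closed in the build script itself. The following Gradle Kotlin DSL is an added example, not configuration from Oversecured or from any affected project; the JitPack group pattern and the `com.example.hypothetical` coordinate are assumptions for illustration.

```kotlin
// build.gradle.kts (added example; module coordinates are hypothetical)

/* --- Risky pattern (shown commented out so it is not applied) ---
 * Gradle asks repositories for a module in the order they are declared and
 * takes the first one that answers. With JitPack listed first, any groupId
 * that JitPack can build is served from there, so an artifact published under
 * a hijacked groupId, or with a higher version number, wins over Maven Central.
 *
 * repositories {
 *     maven { url = uri("https://jitpack.io") }
 *     mavenCentral()
 * }
 */

// --- Hardened pattern ---
repositories {
    mavenCentral()
    // Restrict JitPack to the groups that legitimately come from it. No other
    // groupId can be resolved from this repository, whatever the declaration
    // order, so it cannot shadow a Maven Central artifact.
    exclusiveContent {
        forRepository {
            maven { url = uri("https://jitpack.io") }
        }
        filter {
            // Assumed convention: only GitHub-built coordinates are expected here.
            includeGroupByRegex("com\\.github\\..*")
        }
    }
}

dependencies {
    // Pin exact versions. Dynamic ranges ("2.+") or "latest.release" let a
    // newly published higher version be picked up without any code change.
    implementation("com.example.hypothetical:widget-lib:2.4.1")
}
```

Pair this with Gradle's dependency verification: running `./gradlew --write-verification-metadata pgp,sha256 help` records trusted signing keys and checksums in `gradle/verification-metadata.xml`, after which the build fails when an artifact's PGP signature or checksum no longer matches what was recorded.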
In light of the analysis, it was determined that out of 33,938 domains reviewed, 6,170—amounting to 18.18%—were vulnerable to the MavenGate attack, thereby enabling potential code hijacking. While Sonatype, the entity behind Maven Central, contends that its automated security measures render the outlined attack impractical, the company has taken steps to disable accounts linked to expired domains as a precaution.
The incident emphasizes the imperative for developers to take responsibility not just for direct dependencies, but also for transitive dependencies. Furthermore, library developers should ensure the integrity of the dependencies they declare and publish public key hashes. This mounting threat underscores the continuing need for vigilance in the realm of cybersecurity, particularly as industries face increasingly sophisticated attack vectors.
As organizations strive to bolster their defenses, a thorough understanding of the MITRE ATT&CK framework reveals relevant adversary tactics that may have been leveraged during these attacks, including initial access, persistence, and privilege escalation. Business owners are urged to remain proactive in addressing these vulnerabilities to safeguard their technological assets against evolving threats.