How a pentester's attempt to be 'as realistic as possible' alarmed cybersecurity firms

Over the last several weeks, researchers at multiple security firms have been scratching their heads trying to figure out who was targeting German companies with what appeared to be a supply chain attack.

On Wednesday, they got their answer: An intern at a threat intelligence firm that was simulating "realistic threat actors" for its clients.

Security research teams at JFrog, ReversingLabs and Snyk released reports in recent weeks after they detected several malicious JavaScript packages in the widely used npm registry. The code was targeted at a German media conglomerate and other German firms. 

But on Wednesday, employees of Germany-based Code White GmbH came forward to admit that the malicious packages were part of a test they were running. 

@snyksec Tnx for your excellent analysis at https://t.co/UoshhgaDgx and don't worry, the "malicious actor" is one of our interns who was tasked to research dependency confusion as part of our continuous attack simulations for clients. (1/2)

— CODE WHITE GmbH (@codewhitesec) May 10, 2022

In several Twitter responses to the companies, and in messages to The Record, the company said the goal of the test was to resemble the kind of real-world hacking attempts that security teams actually must battle. 

Code White said the malicious actor identified by the companies was actually an intern "tasked to research dependency confusion as part of our continuous attack simulations for clients."

Tnx for your cautious analysis but we can give the all-clear signal for that specific campaign as it was part of our realistic and continuous attack simulations for a few contracted clients with their consent. Appearently, showing "impact" increases awareness and preparedness

— CODE WHITE GmbH (@codewhitesec) May 11, 2022

"We're trying to mimic realistic threat actors for dedicated clients as part of our Security Intelligence Service and we brought our 'own' package manager that supports yarn and npm," Code White said. 

In a message to JFrog, the company said the "attack" was a "simulated but nonetheless realistic one by us for some of our contracted clients with their consent."

David Elze, CEO of Code White, confirmed that it was part of a set of attack simulations for clients.

“We're doing this to really improve the security resilience level of our clients by utilizing the most recent and most probable attack techniques like dependency confusion in this case for some of them to show the impact, raise awareness and further prepare organizations for actual threat actors,” Elze said. 

But some researchers did not take kindly to the revelation. Shachar Menashe, senior director of security research at JFrog, said the level of payload with this penetration test “is pretty irresponsible.”

Menashe said that throughout his long career, he had never seen a situation like this, "both in terms of the sophistication of an npm/pypi payload and in terms of the aggressiveness of a pentesting payload.”

“Since the code had absolutely no indications in it (in the source code) or in its metadata (ex. the npm package description) this could have put the company's threat response team into high alert, wasting the client's resources on nothing,” Menashe said. 

“Adding a simple string ‘for security pentest purposes’ on the npm package description or even in the source code could have prevented this while still proving the point, as was presented in previous very successful attacks.” 

Menashe explained that for these kinds of dependency confusion attacks, the package metadata isn't inspected manually before the attack happens, so this would not hurt the viability of the attack. 

Menashe also took issue with the idea that Code White used a full-fledged backdoor as a payload, calling it “unwarranted.”

“If the backdoor contained some bug, or if a malicious actor could take control of the C2 server, then the client's infected machines would be at the mercy of a real threat actor and not the pentesting company,” Menashe told The Record. 

“These are scenarios that have happened many times before (ex. a hacker taking control of another hacker's botnet). The payload could have been a simple ‘information leakage’ payload without any backdoor capabilities, and the pentesting company would still have proven the client is vulnerable.”

In response to Menashe’s comments, a representative for Code White said the fundamental difference between a typical penetration test and a realistic red team scenario is that the threat response team explicitly wants to cope with convincing threats for training and preparation. 

“Naturally we're in direct communication and close collaboration with our clients' defense teams. So being as realistic as possible but without inflicting any actual harm is our approach to support our clients and help them prepare their defenses,” the spokesperson said. 

“The tooling, the C2, the payload, the communication channel ... everything was explicitly developed for this specific scenario and was not compromised in any way (we were logging and monitoring every single request and session).” 

The representative reiterated that the company is not simply doing compliance-based pentesting “to prove a point” but instead are attempting to simulate real threat actors to prepare their clients. 

“This means that they're really invested in actual cybersecurity, which is a big advantage we think,” the representative said.