Japanese cybersecurity officials issued a warning that North Korea's infamous Lazarus Group hacking group recently launched a supply chain attack on the PyPI software repository for Python apps.
Threat actors disseminated contaminated packages with names like "pycryptoenv" and "pycryptoconf" that are comparable to the real "pycrypto" encryption tools for Python. Developers who are duped into installing the malicious packages onto their Windows workstations are infected with a severe Trojan called "Comebacker.”
"The malicious Python packages confirmed this time have been downloaded approximately 300 to 1,200 times," Japan CERT noted in a warning issued late last month. "Attackers may be targeting users' typos to have the malware downloaded.”
Comebacker is a general-purpose Trojan that can be used to deliver ransomware, steal passwords, and infiltrate the development pipeline, according to analyst and senior director at Gartner Dale Gardner.
The trojan has been used in multiple attacks linked to North Korea, including one against a npm software development repository.
Impacting Asian Developers
Since PyPI is a centralised service with a global reach, developers worldwide should be aware of the most recent Lazarus Group campaign.
"This attack isn't something that would affect only developers in Japan and nearby regions," Gardner explains. "It's something for which developers everywhere should be on guard."
Several experts believe non-native English speakers may be more vulnerable to the Lazarus Group's most recent attack.
Due to communication issues and limited access to security information, the attack "may disproportionately impact developers in Asia," stated Taimur Ijlal, a tech specialist and information security leader at Netify.
According to Academic Influence's research director, Jed Macosko, app development groups in East Asia "tend to be more tightly integrated than in other parts of the world due to shared technologies, platforms, and linguistic commonalities."
He believes intruders may be looking to take advantage of regional ties and "trusted relationships."
Small and startup software businesses in Asia often have lower security budgets than their Western counterparts, according to Macosko. "This means weaker processes, tools, and incident response capabilities — making infiltration and persistence more attainable goals for sophisticated threat actors.”
Cyber Defence
Protecting application developers from software supply chain threats is "difficult and generally requires a number of strategies and tactics," Gartner's Gardner explained.
Developers should use extra caution and care while downloading open source dependencies. Given the amount of open source used today and the pressures of fast-paced development environments, it's easy for even a well-trained and vigilant developer to make a mistake, Gardner added.
Gardner recommends using software composition analysis (SCA) tools to evaluate dependencies and detect fakes or legitimate packages that have been compromised. He also suggests "proactively testing packages for the presence of malicious code" and validating packages using package managers to minimise risk.