Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label python. Show all posts
WebSockets
Blockchain codebase Credentials Crypto Cybersecurity dataexfiltration dependency devtools Firewall Gmail Hacking malware phishing PyPI python scripts SMTP Spoofing Threatactors WebSockets

Malicious PyPI Packages Exploit Gmail to Steal Sensitive Data

 

Cybersecurity researchers have uncovered a disturbing new tactic involving malicious PyPI packages that use Gmail to exfiltrate stolen data and communicate with threat actors. The discovery, made by security firm Socket, led to the removal of the infected packages from the Python Package Index (PyPI), although not before considerable damage had already occurred.

Socket reported identifying seven malicious packages on PyPI, some of which had been listed for more than four years. Collectively, these packages had been downloaded over 55,000 times. Most were spoofed versions of the legitimate "Coffin" package, with deceptive names such as Coffin-Codes-Pro, Coffin-Codes, NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, and Coffin-Grave. Another package was titled cfc-bsb.

According to the researchers, once installed, these packages would connect to Gmail using hardcoded credentials and initiate communication with a command-and-control (C2) server. They would then establish a WebSockets tunnel that leverages Gmail’s email server, allowing the traffic to bypass traditional firewalls and security systems.

This setup enabled attackers to remotely execute code, extract files, and gain unauthorized access to targeted systems.

Evidence suggests that the attackers were mainly targeting cryptocurrency assets. One of the email addresses used by the malware featured terms like “blockchain” and “bitcoin” — an indication of its intent.

“Coffin-Codes-Pro establishes a connection to Gmail’s SMTP server using hardcoded credentials, namely sphacoffin@gmail[.]com and a password,” the report says.
“It then sends a message to a second email address, blockchain[.]bitcoins2020@gmail[.]com politely and demurely signaling that the implant is working.”

Socket has issued a warning to all Python developers and users who may have installed these packages, advising them to remove the compromised libraries immediately, and rotate all sensitive credentials.

The researchers further advised developers to remain alert for suspicious outbound connections:

“especially SMTP traffic”, and warned them not to trust a package just because it was a few years old.
“To protect your codebase, always verify package authenticity by checking download counts, publisher history, and GitHub repository links,” they added.

“Regular dependency audits help catch unexpected or malicious packages early. Keep strict access controls on private keys, carefully limiting who can view or import them in development. Use isolated, dedicated environments when testing third-party scripts to contain potentially harmful code.”
Read more »
python
Blockchain cryptocurrency Cyber Attacks Cybersecurity GitHub Hacker JavaScript Linkedin malware python

North Korean Hacker Group Targets Cryptocurrency Developers via LinkedIn

 

A North Korean threat group known as Slow Pisces has launched a sophisticated cyberattack campaign, focusing on developers in the cryptocurrency industry through LinkedIn. Also referred to as TraderTraitor or Jade Sleet, the group impersonates recruiters offering legitimate job opportunities and coding challenges to deceive their targets. In reality, they deliver malicious Python and JavaScript code designed to compromise victims' systems.

This ongoing operation has led to massive cryptocurrency thefts. In 2023 alone, Slow Pisces was tied to cyber heists exceeding $1 billion. Notable incidents include a $1.5 billion breach at a Dubai exchange and a $308 million theft from a Japanese firm. The attackers typically initiate contact by sending PDFs containing job descriptions and later provide coding tasks hosted on GitHub. Although these repositories mimic authentic open-source projects, they are secretly altered to carry hidden malware.

As victims work on these assignments, they unknowingly execute malicious programs like RN Loader and RN Stealer on their devices. These infected projects resemble legitimate developer tools—for instance, Python repositories that claim to analyze stock market data but are actually designed to communicate with attacker-controlled servers.

The malware cleverly evades detection by using YAML deserialization techniques instead of commonly flagged functions like eval or exec. Once triggered, the loader fetches and runs additional malicious payloads directly in memory, making the infection harder to detect and eliminate.

One key malware component, RN Stealer, is built to extract sensitive information, including credentials, cloud configuration files, and SSH keys, especially from macOS systems. JavaScript-based versions of the malware behave similarly, leveraging the Embedded JavaScript templating engine to conceal harmful code. This code activates selectively based on IP addresses or browser signatures, targeting specific victims.

Forensic investigations revealed that the malware stores its code in hidden folders and uses HTTPS channels secured with custom tokens to communicate. However, experts were unable to fully recover the malicious JavaScript payload.

Both GitHub and LinkedIn have taken action against the threat.

"GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity," the companies said in a joint statement.

Given the increasing sophistication of these attacks, developers are urged to exercise caution when approached with remote job offers or coding tests. It is recommended to use robust antivirus solutions and execute unknown code within secure, sandboxed environments, particularly when working in the high-risk cryptocurrency sector.

Security experts advise using trusted integrated development environments (IDEs) equipped with built-in security features. Maintaining a vigilant and secure working setup can significantly lower the chances of falling victim to these state-sponsored cyberattacks.
Read more »
WooCommerce
Carding CyberCrime CyberSource Fraud malware PyPI python Security WooCommerce

Malicious PyPi Package ‘disgrasya’ Exploits WooCommerce Stores for Card Fraud, Downloaded Over 34,000 Times

 

A newly uncovered malicious Python package on PyPi, named ‘disgrasya’, has raised serious concerns after it was discovered exploiting WooCommerce-powered e-commerce sites to validate stolen credit card information. Before its removal, the package had been downloaded more than 34,000 times, signaling significant abuse within the developer ecosystem.

The tool specifically targeted WooCommerce sites using the CyberSource payment gateway, enabling threat actors to mass-test stolen credit card data obtained from dark web sources and data breaches. This process, known as carding, helps cybercriminals determine which cards are active and usable.

While PyPi has since removed the package, its high download count reveals the widespread exploitation of open-source platforms for illicit operations.

"Unlike typical supply chain attacks that rely on deception or typosquatting, disgrasya made no attempt to appear legitimate," explains a report by Socket researchers.

"It was openly malicious, abusing PyPI as a distribution channel to reach a wider audience of fraudsters."

What sets ‘disgrasya’ apart is the transparency of its malicious intent. Unlike other deceptive packages that mask their true purpose, this one openly advertised its illicit capabilities in the description:

"A utility for checking credit cards through multiple gateways using multi-threading and proxies."

According to Socket, version 7.36.9 of the package introduced the core malicious features, likely bypassing stricter checks typically applied to initial versions.

The malicious script mimics legitimate shopping behavior by accessing real WooCommerce stores, identifying product IDs, and adding items to the cart. It then proceeds to the checkout page, where it harvests the CSRF token and CyberSource’s capture context—sensitive data used to securely process card payments.

Socket explains that these tokens are typically short-lived and hidden, but the script captures them instantly while populating the form with fake customer details.

Instead of sending the card details directly to CyberSource, the data is routed to a malicious server (railgunmisaka.com) that impersonates the legitimate payment gateway. The server returns a fake token, which the script uses to complete the checkout process on the real store. If the transaction is successful, the card is validated; otherwise, it moves on to the next.

"This entire workflow—from harvesting product IDs and checkout tokens, to sending stolen card data to a malicious third party, and simulating a full checkout flow—is highly targeted and methodical," says Socket.

"It is designed to blend into normal traffic patterns, making detection incredibly difficult for traditional fraud detection systems."

This fully automated workflow makes it easier for attackers to validate thousands of cards at scale—cards which can then be used for financial fraud or sold on underground marketplaces.

Socket also warns that traditional fraud detection systems are ill-equipped to catch these types of attacks due to their highly realistic emulation of customer behavior.

Despite the sophistication of the operation, Socket researchers suggest some measures to reduce vulnerability:
  • Block very low-value transactions (typically under $5), often used in carding tests.
  • Monitor for high failure rates on small orders from the same IP address or geographic region.
  • Implement CAPTCHA verification during checkout flows to disrupt automated tools.
  • Apply rate limiting on checkout and payment endpoints to slow down or block suspicious behavior.
Read more »
python
Crypto Wallets Developers Ethereum malware PyPI python

Latest PyPi Malware Steals Ethereum Private Keys, Developers Targeted

Latest PyPi Malware Steals Ethereum Private Keys, Developers Targeted

Researchers at Socket have exposed a malicious PyPi (Python Package Index package), set-utils, that steals Ethereum private keys by abusing a “commonly used account creation functions.” 

Masked as a simple utility tool for Python sets, the package imitates commonly used libraries such as python-utils (712M+ downloads) and utils (23.5M+ downloads). The trap baits innocent developers into installing the malicious package, allowing hackers unauthorized entry to Ethereum wallets. 

Since the start of this year, set-utils has been downloaded over 1000 times, exposing Ethereum users and developers to risk. The package attacks people working with blockchain technology, especially developers using Python-based wallet management libraries like eth-account. 

The package hacks Ethereum account creation to steal private keys through the blockchain by exploiting https://rpc-amoy.polygon.technology/ as a Command and Control server (C2). This lets hackers retrieve stolen credentials covertly. 

PyPi Targets

PyPi targets Ethereum developers and businesses working with Python-based blockchain apps. These include:

  • Web3 apps and crypto exchanges integrating Ethereum transactions.
  • Users having personal Ethereum wallets via Python automation. 
  • Blockchain developers using the eth-account for wallet creation and handling.
  • People who installed the package may expose their private keys to hackers, causing major financial losses. 

Consequences of PyPi attack

  • Stealing Ethereum private keys: PyPi ties into standard wallet creation methods, which makes it difficult to notice.
  • Exploit of Polygon RPC (rpc-amoy.polygon.technology/) as a C2 channel: By not using traditional network extraction, hackers hide stolen data inside blockchain transactions, making it difficult to detect.
  • Hardcoded hacker-controlled RSA public key: The private keys are encrypted and then sent, hiding the data from basic monitoring. 
  • Permanent breach: Even if a user uninstalls set-utils, Ethereum wallets made “while it was active are already exposed and compromised.”

Controlling the damage

For mitigating risk, businesses and developers should implement robust measures to protect software supply chains. Routine dependency audits and using automated scanning software can help detect malicious or suspicious behaviours in third-party packages when they are incorporated into production environments. 

According to Socket, “Integrating these security measures into development workflows, organizations can significantly reduce the likelihood of supply chain attacks.”  Socket has notified the PyPI team, and “it was promptly removed to prevent further attacks.”

Read more »
Supply-chain
Cyber Attacks Cyber Hijack Cyber websites CyberCrime Cyberhackers JFrog Security malicious PyPI python Software Supply-chain

22,000 PyPI Packages Affected by Revival Hijack Supply-Chain Attack

 


It has been discovered that hackers can distribute malicious payloads easily and efficiently through the package repository on the PyPI website by using a simple and troublesome exploit. A JFrog security researcher has discovered a new supply chain attack technique using which they can attack PyPI repositories (Python Package Index) that can be used to hack them. 

Hundreds of thousands of software packages can potentially be affected by this attack technique and countless users could be affected as a result. A technique known as "Revival Hijack," exploits a policy loophole by which attackers may re-register the names of packages that have been removed from PyPI by their original developers and hijack the names themselves once the packages have been removed from PyPI. 

As part of an attack against the Python Package Index (PyPI) registry, a new supply chain attack technique has been uncovered in the wild, which is designed to infiltrate downstream organizations by exploiting the PyPI registry. There is an attack vector called "Revival Hijack" which involves the registration of a new project with a name that matches a package that has been removed from the PyPI platform which may then serve as an attack vector. 

If a threat actor manages to do this, then they will be able to distribute malicious code to developers who pull updates periodically. A software supply chain security firm named JFrog, which specializes in software supply chain security, has codenamed this attack method Revival Hijack, claiming to be able to hijack 22,000 existing PyPI packages, which in turn will result in hundreds of thousands of malicious packages being downloaded. 

There are more than 100,000 downloads or six months' worth of activity on the affected packages and are more susceptible to exploits. A very common technique used by Revival Hijack is to take advantage of the fact that victims are often unknowingly updating once-safe packages without being aware that they have been altered or compromised. Further, CI/CD machines are set up with a mechanism for automatically installing package updates so that they can be applied right away. 

A similar attack technique was discovered by Jfrog earlier this year, which is one of several different attacks that adversaries have been developing in recent years to try and sneak malware into enterprise environments using public code repositories like PyPI, npm, Maven Central, NuGet, and RubyGems, and to steal sensitive data. As a part of these attacks, popular repositories have often been cloned and infected, poisoning artifacts have been used, and leveraged leaked secrets such as private keys and database certificates have been revealed. 

According to JFrog researchers Brian Moussalli and Andrey Polkovnichenko, there is a much higher risk here than in previous software supply chain hacks that relied primarily on typosquatting and human error to distribute malicious code throughout software websites. When a developer decides to delete a project from PyPI, they are given a warning about the potential repercussions that may arise, including the Revival Hijack scenario that could occur. 

The dialogue warns that deleting this project will give the name of the project to anyone else who uses PyPI", so please refrain from doing so. In this scenario, the user will be able to issue new releases under the project name as long as the distribution files have not been renamed to match those from a previously released distribution. According to the motive of the attacker, the "Revival Hijack" attack vector can result in hundreds of thousands of increments as a result of the attack, depending on the motive. 

As far as exploiting this technique is concerned, it can be applied to exploiting abandoned package names to spread malware. Researchers observed this in action with the hijack of the "pingdomv3" package, which was detected by research teams. This package has been given the version number 0.0.0.1 to avoid a dependency confusion attack scenario, in which developer packages would be pulled by pip upgrade commands when they were run as a part of the upgrade process. 

In addition, it is worth noting that Revival Hijack has already been exploited in the wild, by an unknown threat actor called Jinnis who introduced a benign version of a package titled "pingdomv3" on March 30, 2024, just two days after the original package's owner (cheneyyan) removed it from PyPI. There has been a report that says the new developer has released an update containing a Base64-encoded payload, which checks for the presence of the "JENKINS_URL" environment variable, and if it exists, executes an unknown next-stage module retrieved from a remote server after checking for the appearance of the "JENKINS_URL." environment variable. 

Although JFrog proposed this precaution as a preventative measure, over the last three months it has received nearly 200,000 downloads both manually and automatically, proving that the Revival Hijack threat is very real, the security company announced. In making an analysis of this data, JFrog reported that there are outdated jobs and scripts out there that are still searching for the deleted packages, as well as users who manually downloaded these packages due to typosquatting. 

Depending on how the hijacked packages are hijacked, the adversaries may attach a high version number to each package, which will cause the CI/CD systems to automatically download the hijacked packages believing they are the latest version. This will ultimately cause a bug to develop, JFrog explained. As a result of the company's recommendation, PyPI has effectively prohibited the reuse of abandoned package names as well.

Some organizations use PyPI that need to be aware of this attack vector when updating to new versions of the package, JFrog warns. There is a non-public blacklist maintained by PyPI, which prevents certain names from being registered on new projects, but most deleted packages don't make it to that list because there is a non-public blacklist maintained by PyPI. It was due to this that the security firm took indirect measures to mitigate the "Revival Hijack" threat and added the most popular of the deleted and vulnerable packages to an account named security_holding under which they could be monitored. 

As a result of the researchers changing the version numbers of the abandoned packages to 0.0.0.1, they make sure that it does not affect active users while updating the packages. As a result, the package names are preserved and are not susceptible to theft by malicious actors who may want to use them for offensive purposes. The third month later, JFrog discovered that the packages in their repository seemed to have been downloaded by nearly 200,000 people due to automatic scripts or user errors. There are a lot more risks involved in "Revival Hijack" than the standard typosquatting attacks on PyPI. 

This is because users pulling updates for their selected projects for which they have permission do not make mistakes when doing so. It's best to mitigate this threat by utilizing package pinning to stay on a known secure version, verify the integrity of the package, audit its contents, and watch for any changes in package ownership or unusual updates.
Read more »
Social Engineering
Job Offer malware python Remote Access Trojan Social Engineering

North Korean Scammers Lure Developers with Fake Job Offers




A new cyber scam, dubbed "Dev Popper," is preying on software developers through fake job interviews. This elaborate ruse, masquerading as genuine employment opportunities, aims to infiltrate the victim's computer with a harmful Python backdoor, posing serious cyber threats.


How The Scam Operates?

In the multi-stage infection process employed by the "Dev Popper" cyber scam, the attackers orchestrate a sophisticated chain of events to deceive their targets gradually. It commences with the perpetrators posing as prospective employers, initiating contact with unsuspecting developers under the guise of offering job positions. As the sham interview progresses, candidates are coerced into executing seemingly innocuous tasks, such as downloading and executing code from a GitHub repository, all purportedly part of the standard coding assessment. However, unbeknownst to the victim, the innocuous-seeming code harbours hidden threats. These tasks, disguised as routine coding tests, are actually devised to exploit the developer's trust and gain unauthorised access to their system.


The Complex Attack Chain

Once the developer executes the provided code, a concealed JavaScript file springs into action. This file, leveraging commands, fetches another file from an external server. Within this file is a malicious Python script, ingeniously disguised as a legitimate component of the interview process. Once activated, the Python script surreptitiously collects vital system information and relays it back to the attackers. This multi-faceted approach, blending social engineering with technical deception, underscores the sophistication and danger posed by modern cyber threats.


Capabilities of the Python Backdoor

The Python backdoor, functioning as a Remote Access Trojan (RAT), boasts an array of intrusive capabilities. These include establishing persistent connections for continuous control, stealing files, executing commands remotely, and even secretly monitoring user activity by logging keystrokes and clipboard data.


The Rising Threat 

While the orchestrators behind "Dev Popper" remain elusive, the proliferation of fake job offers as a means for malware distribution is a growing concern. Exploiting the developer's reliance on job applications, this deceitful tactic once again forces us to realise the need for heightened vigilance among unsuspecting individuals.


How To Protect Yourself?

To mitigate the risk of falling victim to such cyber threats, it is imperative for developers and individuals to exercise caution and maintain awareness. When encountering job offers or unfamiliar requests for software-related tasks, verifying the legitimacy of the source and adopting a sceptical stance are crucial measures. 


Read more »
Vulnerabilities
AI workload scaling Anyscale CVE Cyber Security Cybersecurity hacking campaign python Ray Framework ShadowRay Vulnerabilities

Hackers Exploit Flaw in Ray Framework to Breach Servers

 

The Ray framework, a tool for scaling AI and Python workloads in open source, has been found vulnerable to multiple flaws that enable hackers to take control of devices and pilfer sensitive data. Cybersecurity researchers from Oligo disclosed their discoveries about a new hacking campaign named “ShadowRay”.

Operating since early September 2023, ShadowRay targeted various sectors including education, cryptocurrency, and biopharma by exploiting five distinct vulnerabilities in Ray. Four of these vulnerabilities, identified as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023, were patched by Anyscale, the developer of Ray. However, the fifth vulnerability, labelled as a critical remote code execution (RCE) flaw and tracked as CVE-2023-48022, remained unaddressed.

Anyscale defended the unpatched vulnerability, stating that it was a deliberate decision rather than a bug, as Ray lacks built-in authentication. They indicated their intention to introduce authentication in a future release as part of a defense-in-depth strategy. Anyscale argued that exploitation of this RCE flaw would only be feasible in deployments deviating from their recommended network environment controls.

In contrast, Oligo criticized Anyscale's stance, highlighting that disputing the CVE left many developers unaware of potential security risks. They termed the unresolved CVE as a "shadow vulnerability", explaining that it could lead to breaches despite not being detected in static scans. 

Oligo observed numerous instances of the CVE-2023-48022 actively exploited in the wild, resulting in compromised Ray servers and the theft of sensitive data, including AI models and production database credentials, along with instances of cryptominer installations.


Read more »
Telegram
cryptocurrency Cyberattacks Cybersecurity Data Theft Google python Software Supply Chain Telegram

Data Theft Alert: Malicious Python Packages Exposed – Stay Secure

 


Researchers have observed an increasing complexity in the scope of a malicious campaign, which has exposed hundreds of info-stealing packages to open-source platforms over the past half-year, with approximately 75,000 downloads being recorded. 

Checkmarx's Supply Chain Security team has been monitoring the campaign since it started at the beginning of April. Analysts discovered 272 packages with code intended to steal confidential information from systems that have been targeted by this campaign. 

There has been a significant evolution of the attack since it was first identified. The authors of the packages have started integrating increasingly sophisticated obfuscation layers and detection-evading techniques to attempt to prevent detection. 

The concept of an info stealer has evolved from humble beginnings over time to become a powerful info stealer capable of stealing information associated with everyone. 

Crypto and Data Theft 


As the researchers point out, "the Python ecosystem started showing a pattern of behaviour in early April 2023." For example, the “_init_py” file was found to load only when it was confirmed that it was running on a target system rather than in a virtualized environment. This is the usual sign of a malware analysis host, according to the researchers. 

This malware will check for the presence of an antivirus on the compromised endpoint, search for task lists, Wi-Fi passwords, system information, credentials, browsing history, cookies, and payment information saved in your browser as well as cryptocurrency data from wallet apps, Discord badges, phone numbers, email addresses, Minecraft data, and Roblox data. As you can see, the malware checks for these things as well. Additionally, it will also take screenshots of any data that is considered to be of importance and upload it directly. 

Aside from that, the malware causes the compromised system to take screenshots and steal individual files such as those in the Desktop, Pictures, Documents, Music, Videos, and Downloads directories to spread to other systems. 

In addition, the malware monitors constantly the victim's clipboard for cryptocurrency addresses, and it swaps the addresses with the attacker's address to divert the payment to wallets controlled by the attacker. 

Approximately $100,000 worth of cryptocurrency is estimated to have been directly stolen by this campaign, according to the analysts. 

An Analysis of The Attack's Evolution 


There was no doubt that the malicious codes and files from this campaign were found in April packages, since the malicious code was plain text, as reported by the researchers. The researchers also noticed that a multilayered anti-obfuscation had been added to two of the packages by the authors in May to hinder analysis of the packages. 

However, in August, a researcher noted that many packages now have multi-layer encryption. There are currently at least 70 layers of obfuscation used by two of the most recent packages tested by Checkmarx's researcher Yahuda Gelb, as noted in a separate report. 

There was also an announcement that the malware developers planned to develop a feature that could disable antivirus software, added Telegram to the list of targeted applications, and introduced a fallback mechanism for data exfiltration during August. 

There are still many risk factors associated with supply chain attacks, according to the researchers, and threat actors are uploading malicious packages to widely used repositories and version control systems daily, such as GitHub, or package repositories such as PyPi and NPM, as well as to widely used package repositories such as GitHub. 

To protect their privacy, users should carefully scrutinize their trustworthiness as well as be vigilant against typosquatting package names in projects and packages that they trust.
Read more »
Safety
Backdoor Cyber Security Data Safety data security PyPI python Safety

PyPI Enforces the Usage of Two-factor Authentication for All Software Publishes

 

The Python Package Index (PyPI) has stated that by the end of the year, every account that maintains a project on the system will be compelled to enable two-factor authentication (2FA). PyPI is a software repository for Python programming language packages. 

The index contains 200,000 packages, allowing developers to identify existing packages that meet specific project needs, saving time and effort. The PyPI team said the decision to make 2FA required for all accounts is part of their long-term commitment to strengthening platform security, and it supports earlier steps such as barring compromised credentials and enabling API tokens.

The reduced danger of supply chain assaults is one advantage of 2FA protection. These attacks occur when an intruder obtains authority over a software maintainer's account and installs a backdoor or malware to a package that is used as a dependency in other software projects.

Depending on the popularity of the product, such attacks may affect millions of people. While developers are responsible for thoroughly checking the building components of their projects, PyPI's measures should make it easier to avoid this type of issue.

Furthermore, in recent months, the Python project repository has been plagued by frequent virus uploads, famous package imitations, and the re-submission of dangerous code using hijacked identities.

The problem became so severe that PyPI was forced to temporarily halt new user and project registrations last week until an adequate defense solution could be designed and implemented. 2FA protection will help to lessen the problem of account takeover attempts, and it should also limit the number of new accounts a suspended user may create in order to re-upload dangerous packages. The deadline for implementing 2FA on all project and organization maintainer accounts is the end of 2023.

In the next months, impacted customers should prepare for and implement the additional security precaution, which may be accomplished using either a hardware key or an authentication app.

“The most important things you can do to prepare are to enable 2FA for your account as soon as possible, either with a security device (preferred) or an authentication app, and to switch to using either Trusted Publishers (preferred) or API tokens to upload to PyPI.” - PyPI

In accordance to the PyPI team, the preparatory work performed in previous months, such as introducing 'Trusted Publishing,' combined with parallel initiatives from platforms such as GitHub that have helped developers familiarise themselves with 2FA requirements, make this year an ideal time to introduce the measure.
Read more »
Spyware
Data Safety malware PyPI python Safety Security Spyware

Spyware Offered to Cyberattackers via PyPI Python Repository

 

Researchers spotted malware peddlers openly selling an info-stealer on the Python Package Index (PyPI) — the official, public repository for the Python programming language — with only the thinnest concealment.

The attackers, who Sonatype researchers linked to the SylexSquad malware-as-a-service (MaaS) gang in Spain, gave their programme a not-so-subtle name: "reverse-shell." Reverse shells are programmes that are often used by hackers to run commands remotely and receive data from targeted machines.

"I think what's quite funny about this is that it's just so blatant," says Dan Conn, developer advocate at Sonatype. "Perhaps SylexSquad were advertising themselves, or they simply didn't care about being caught."

Inside the'reverse-shell' Data-Heisting Malware

Sonatype researchers were taken aback when they discovered a package dubbed "reverse-shell" on a public forum. "Why would someone name a malicious package in such a blatantly obvious way?" the researchers pondered in their blog article for Malware Monthly.

In actuality, the programme turned out to be much more than a reverse shell. This was revealed when the researchers studied one of its files, "WindowsDefender.py." WindowsDefender.py contains several routines with apparent names, such as get_login_data(), get_web_history(),get_downloads(),get_cookies(),get_credit_cards(),ImageGrab.grab().

According to the theme, the hackers had not gone to great lengths to conceal their intentions: this was malware designed to steal information.

"With no obfuscation, [this] appears to be a Discord bot that executes commands and performs actions on the infected machine," according to the analysis. "The malware can retrieve cookies, take screenshots, run shell commands, steal browsing history, and send all this data to the attacker's Discord channel."

More information can be found in another file called "setup.py." There were multiple Spanish-language instructions here to "Clone GitHub repository and execute file," "replace with URL of your GitHub repository," and "path where you want to clone the repo" — indicating that reverse-shell was a MaaS product.

Further investigation revealed several "Made by SylexSquad" tags sprinkled throughout the code, some of which was minimally obfuscated. The researchers discovered that SylexSquad was formerly a hacking marketplace running on the Sellix e-commerce platform in 2022. It has subsequently been decommissioned.

Publishing so publicly to a public repo could have been a deliberate attempt by the organisation to draw attention to their product. "How do we know about groups like Anonymous, LulzSec, or Killnet?" Conn inquires rhetorically. "It's because they get a bad reputation."

However, PyPI is considerably more valuable to them than that.

Why Do Hackers Use Public Repositories?

According to Sonatype, the SylexSquad attackers aren't the only miscreants using forums like PyPI and GitHub, and there are a variety of reasons for their audacity.

"Hosting malicious files on a public repository provides bad actors more control over them," the researchers explained in their blog. "It gives them the power of deleting, upgrading, or even doing version control of the payload."

Among other benefits, "it allows the malware to be shared a lot more widely," Conn elaborates, "and it might actually trip up, in particular, a lot of antivirus software that uses generic signatures — like, actual bytes — to store whether something is malicious or not."

In other words, rather of sending malware upfront, which antivirus scanners may detect fast, hackers can just provide a link to their harmful code elsewhere: "By providing a link to a GitHub, they're perhaps evading that check,"" he says.

To avoid becoming a hotspot for hackers, public repositories have protection safeguards in place. Even the finest scanners and moderators are not perfect, and they cannot be everywhere at the same time.

"Hackers take certain measures like encoding or otherwise obfuscating the code they host, to make it a little bit more difficult for automated engines to pick up," Juan Aguirre, security researcher at Sonatype, points out. SylexSquad encoded its malicious software as numbers in this example, utilising easily reversible ASCII codes for each character.

Sonatype reported the package to the PyPI maintainers, and it was removed. But "it's just a game of cat and mouse," Aguirre says. "Someone catches them and they just run to the next spot."

Aguirre sees this tale as part of a larger issue with open source software: as long as malware developers find use in public repositories, organisations must be conscious of the types of packages they may be picking up.

"It's important to understand what it is that you're running," he concludes. "This is a great case for that. You have to have a bill of materials, you've got to know what you're doing, and what dependencies you're using. If you're just blindly installing things and grabbing code you see, things like this could very easily get into your system."


Read more »
Windows
malware python Safety Security Trojan Windows

This New Python RAT Malware Targets Windows in Attacks

 

A new Python-based malware has been discovered in the wild, with remote access trojan (RAT) capabilities that permit its operators to regulate the compromised systems. The new RAT, dubbed PY#RATION by researchers at threat analytics firm Securonix, communicates with the command and control (C2) server and exfiltrates data from the victim host via the WebSocket protocol. 

The company's technical report examines how the malware operates. The researchers note that the RAT is actively being developed, as they have seen multiple versions of it since the PY#RATION campaign began in August. MalwareHunterTeam, who tweeted about a campaign in August 2022, also discovered this malware.
 
The PY#RATION malware is distributed through a phishing campaign that employs password-protected ZIP file attachments with two shortcuts. Front.jpg.lnk and back.jpg.lnk are LNK files disguised as images.

When the shortcuts victim is launched, he or she sees the front and back of a driver's license. However, malicious code is also executed to contact the C2 (in later attacks, Pastebin) and download two.TXT files ('front.txt' and 'back.txt'), which are later renamed to BAT files to accommodate malware execution.

When the malware is launched, it creates the 'Cortana' and 'Cortana/Setup' directories in the user's temporary directory before downloading, unpacking, and running additional executable files from that location.

By placing a batch file ('CortanaAssist.bat') in the user's startup directory, persistence is established. Cortana, Microsoft's personal assistant solution for Windows, is used to disguise malware entries as system files.

The malware supplied to the target is a Python RAT packaged into an executable with the help of automated packers such as 'pyinstaller' and 'py2exe,' which can convert Python code into Windows executables that include all the libraries required for its implementation.

This method results in larger payload sizes, with version 1.0 (the first) being 14MB and version 1.6.0 (the most recent) being 32MB. The latest version is larger because it includes more code (+1000 lines) and a layer of fernet encryption.

As per Securonix's tests, version 1.6.0 of the payload deployed undiscovered by all but one antivirus engine on VirusTotal. While Securonix did not share the malware samples' hashes, BleepingComputer was able to find a file that appears to be from this campaign. To determine the malware's capabilities, Securonix analysts extracted the payload's contents and examined the code functions with the 'pyinstxtractor' tool.

Among the features seen in version 1.6.0 of the PY#RATION RAT are the following:
  • Perform network enumeration
  • Perform file transfers from the breached system to the C2, or vice versa
  • Perform keylogging to record the victim's keystrokes
  • Execute shell commands
  • Perform host enumeration
  • Extract passwords and cookies from web browsers
  • Steal data from the clipboard
  • Detect anti-virus tools running on the host
The malware, according to Securonix researchers, "leverages Python's built-in Socket.IO framework, which provides features to both client and server WebSocket communication." This channel is utilized for communication as well as data exfiltration.

The benefit of WebSockets is that the malware can concurrently receive and send data from and to the C2 over a single TCP connection using network ports such as 80 and 443. The threat actors utilized the same C2 address ("169[.]239.129.108") throughout their campaign, from malware version 1.0 to 1.6.0, per the analysts.

The IP address has not been blocked on the IPVoid checking system, indicating that PY#RATION has gone undetected for several months.. Details about specific campaigns employing this piece of malware, as well as their targets, distribution volume, and operators, are currently unknown.
 
Read more »
Vulnerabilities and Exploits
Class Pollution Dos Attacks JavaScript JavaScript exploit Prototype Pollution python Vulnerabilities and Exploits

Prototype Pollution-like Bug Variant Found in Python


Prototype Pollution

Prototype pollution is a severe vulnerability class associated with prototype-based languages, the most popular among them being JavaScript. 

However, a researcher has discovered Python-specific variants of prototype pollution, and other class-based programming languages may also be exposed to similar threats. 

With prototype pollution, a threat actor may access and control the default values of an object’s properties. In addition to allowing the attacker to alter the application's logic, this can also result in denial-of-service attacks or, in severe cases, remote code execution. 

From Prototype Pollution to Class Pollution 

In JavaScript, each object inherits the ‘prototype’ of the parent object, which includes all the functions and characteristics of that object. JavaScript objects can access the functionality of their parents by traversing their prototypes. 

In the course of runtime, the prototype could as well be modified, making JavaScript dynamic and flexible but also dangerous. Prototype pollution attacks utilize and exploit this characteristic in order to modify the behavior of JavaScript applications and to conduct malicious activities. It is claimed that class-based languages like Python are resistant to such manipulations. 

However, security researcher Abdulraheem Khaled has come across a coding scheme that can enable threat actors to conduct prototype pollution-like attacks on Python programs. He has labeled it as ‘class pollution’ in a blog post documenting his findings. 

In regards to the findings, he told The Daily Swig that he discovered the attack while attempting to translate the concepts of JavaScript prototype pollution to Python. 

Manipulating Python Classes 

In order to exploit Python objects, the attacker is required to have an entry point that utilizes the user input to set the attributes of an object. If the user input succeeds in determining both the attribute name and value, the attacker can then exploit it to alter the program’s behavior. 

“The key factor to look for is whether the application uses unsanitized user-controllable input to set attributes of an object (controlling the attribute name to be set and its value) or not,” states Khaled to The Daily Swig. 

Attackers may be able to access parent classes, global variables, and more if the target method employs recursive loops to traverse over the object's characteristics. This merge is deemed "unsafe" by Khaled. 

An attacker could, for instance, alter command strings that the system executes, manipulate the value of important variables, or start denial of service (DoS) attacks by rendering crucial classes dysfunctional.

All Python Applications are Vulnerable 

According to the security researcher, all types of Python applications are vulnerable to these exploits as long as they continue accepting contaminated user input and implement a form of object attribute assignment that is ‘unsafe’. 

In his investigation, he came across various instances where popular Python libraries had an unsafe merge function, which then exposed them to class pollution attacks.

The simplest of all impacts of class pollution would be DoS. Although, these attacks may have much greater and more severe impacts on Python online apps. 

“Prototype pollution is definitely one of the topics that deserve more attention from the community, and we started to see more focus on it recently […] Class pollution might be a new vulnerability that has just come to light, [but] I expect to see it in other programming languages soon,” Khaled concluded.  

Read more »
python
Bitcoin Crypto Ethereum Hackers Malicious actor malware NPM Package PyPI Package python

An Active Typosquat Attack in PyPI and NPM Discovered

The typosquatting-based software supply chain threat, which targets explicitly Python and JavaScript programmers, is being warned off by Phylum security researchers.

What is Typosquatting?

Cybercriminals that practice typosquatting register domains with purposeful misspellings of the names of popular websites. Typically for malevolent intentions, hackers use this tactic to entice unwary users to other websites. These fake websites could deceive users into inputting private information. These sites can seriously harm an organization's reputation if attacked by these perpetrators. 

PYPI &NPM

Researchers alerted developers to malicious dependencies that contained code to download Golang payloads on Friday, saying a threat actor was typosquatting well-known PyPI packages. 

The Python Software Foundation is responsible for maintaining PyPI, the largest code repository for the Python programming language. Over 350,000 software programs are stored there. Meanwhile, NPM, which hosts over a million packages, serves as the primary repository for javascript programming. 

About the hack

The aim of the hack is to infect users with a ransomware variant. A number of files with nearly identical names, like Python Requests, are being used by hackers to mimic the Python Requests package on PyPI.

After being downloaded, the malware encrypts files in the background while changing the victim's desktop wallpaper to a picture controlled by the hacker, and looks like it came from the CIA.

When a Readme file created by malware is opened, a message from the attacker requesting $100, usually in a cryptocurrency, for the decryption key is displayed. 

The malware used is referred to as W4SP Stealer. It is able to access a variety of private information, including Telegram data, crypto wallets, Discord tokens, cookies, and saved passwords. 

One of the binaries is ransomware, which encrypts specific files and changes the victim's desktop wallpaper when executed. However, soon the malicious actors published numerous npm packages with identical behaviors. For the decryption key, they demand $100 in Bitcoin, XMR, Ethereum, or Litecoin.

Each of the malicious npm packages, such as discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr, contains JavaScript code that acts identical to the code embedded in the Python packages. 

Louis Lang, chief technology officer at Phylum, predicts a rise in harmful package numbers. These packages drop binaries, and the antivirus engines in VirusTotal identify these binaries as malicious. It is advised that Python and JavaScript developers adhere to the necessary cybersecurity maintenance and stay secure. 



Read more »
Vulnerabilities and Exploits
Bugs Flaws python Remote Code Execution Security Vulnerabilities and Exploits

Unpatched 15-year Old Python Flaw Allows Code Execution in 350k Projects

 

As many as 350,000 open-source projects are potentially vulnerable to exploitation due to a 15-year-old security vulnerability in a Python module. The open-source repositories cover a wide range of industries, including software development, artificial intelligence/machine learning, web development, media, security, and information technology management. 

The flaw, designated CVE-2007-4559 (CVSS score: 6.8), is deeply embedded in the tarfile module, and successful exploitation could result in code execution from an arbitrary file write. 

"The vulnerability is a path traversal attack in the extract and extract all functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a TAR archive," Trellix security researcher Kasimir Schulz said in a writeup.

The bug, first reported in August 2007, relates to how a specially crafted tar archive can be used to overwrite arbitrary files on a target machine simply by opening the file.

Simply put, a threat actor can exploit the flaw by uploading a malicious tarfile in a way that allows the adversary to escape the directory that a file is intended to be extracted to and achieve code execution, potentially allowing the adversary to seize control of a target device.

"Never extract archives from untrusted sources without prior inspection," the Python documentation for tarfile reads. "It is possible that files are created outside of path, e.g. members that have absolute filenames starting with '/' or filenames with two dots '..'."

The flaw is similar to a recently disclosed security flaw in RARlab's UnRAR utility (CVE-2022-30333), which could result in remote code execution. Trellix has also released a custom utility called Creosote to scan for projects vulnerable to CVE-2007-4559, revealing the vulnerability in both the Spyder Python IDE and Polemarch.

"Left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," Douglas McKee noted.
Read more »
Vulnerabilities and Exploits
Bug Bugs Exploit Flaws Open Source System python Vulnerabilities and Exploits

A 15-Year-Old Bug Affected Over 350,000 Open-Source Projects

 

Trellix, an advanced research centre rediscovered a 15-year-old vulnerability in Python programming language that is still being exploited and has affected over 350,000 projects. 

The threat researchers at Trellix considered claimed to have found a zero-day vulnerability, it is a 15-year-old security flaw in the Python module, that has remained unpatched, and is now exposing around 350,000 open as well as closed source projects to the risk of supply chain cyberattacks. 

The Trellix estimate indicates that many of the affected repositories are used by machine learning tools that help developers to complete the project as soon as possible. 

In of one of the articles, Kasimir Schulz mentioned that the vulnerability was a form of routed traversal attack in the “extract and extractall functions of the tarfile module,” which is contained within the TAR file module itself. These open-source projects cover a wide range of areas including web development, media, IT management, software development, artificial intelligence, machine learning, and security. 

The vulnerability, tracked as “CVE-2007-4559”, permits the threat actor linked with a user, to execute the code and overlap the arbitrary files by using filenames with dedicated sequenced filenames in the TAR archive. This allows the attacker to acquire control of the targeted device. 

It is similar to the vulnerability named, CVE-2022-30333, which was recently found in RARIab’s UnRAR, which also allows the attacker to execute the code remotely. 

The CVE-2007-4559 was first discovered in 2007 when it was declared as a vulnerability of low importance by Red Hat, one of the world’s leading solution providers of enterprise open-source software. 

The bug can be leveraged on Linux as well. It includes the specially crafted TAR archive used to overwrite or overlap the existing arbitrary files on the targeted device by just opening the file. It is through this simple overlap that the attacker is able to inject the malicious tarfile in a way that allows him to execute the code by intending that the file be extracted after crossing the directory boundary. 

Reportedly, the patches have been introduced by Trellix for the aforesaid vulnerability. Initially, they are made available for about 11000 projects, but within the next week, they will be available for about 7000 projects.
Read more »
Safety
Cyber Security Decryption Key Developers Experiment Hacker Packages python Safety

School Kid Uploads Ransomware Scripts to PyPI Repository as 'Fun' Project

 

An apparently school-age hacker from Verona, Italy, has become the latest to highlight why developers must be cautious about what they download from public code repositories these days. As an experiment, the teenage hacker recently posted many malicious Python packages containing ransomware programmes to the Python Package Index (PyPI). 

The packages' names were "requesys," "requesrs," and "requesr," which are all typical misspellings of "requests," a valid and extensively used HTTP library for Python. According to the Sonatype researchers who discovered the malicious code on PyPI, one of the packages (requesys) was downloaded around 258 times — probably by developers who made typographical errors when attempting to download the genuine "requests" package. 

The bundle included scripts for exploring directories such as Documents, Pictures, and Music. One version of the requesys package included plaintext Python encryption and decryption code. However, a later version included a Base64-obfuscated executable, making analysis more difficult, according to Sonatype. 

Developers whose systems were encrypted received a pop-up notice urging them to contact the package's author, "b8ff" (aka "OHR" or Only Hope Remains), on his Discord channel for the decryption key. According to Sonatype, victims were able to receive the decryption key without having to pay for it. 

"And that makes this case more of a gray area rather than outright malicious activity," Sonatype concludes. 

Information on the hacker's Discord channel shows that at least 15 victims had installed and run the package. According to the company, Sonatype identified the virus on July 28 and promptly reported it to PyPI's authorities. Two of the packages have subsequently been deleted, and the hacker has renamed the requesys package so that developers do not confuse it with a valid programme. 

"There are two takeaways here," says Sonatype's Ankita Lamba, senior security researcher. First and foremost, be cautious while spelling out the names of prominent libraries, as typosquatting is one of the most prevalent malware attack tactics, she advises. Second, and more broadly, developers should always use caution when obtaining and integrating packages into their software releases. Open source is both a necessary fuel for digital innovation and an attractive target for software supply chain threats, explains Lamba.

Following the newest finding, Sonatype researchers contacted the creator of the malicious code and discovered him to be a self-described school-going hacker who was evidently fascinated by exploits and the simplicity with which they might be developed.

According to Lamba, b8ff assured Sonatype that the ransomware software was totally open source and part of a hobby project.

"As they are a school-going 'learning developer,' this was meant to be a fun research project on ransomware exploits that could have easily gone much further astray," Lamba says. "The author went on to say that they were surprised to see how easy it was to create this exploit and how interesting it was."
Read more »
python
Code Execution Flaw CVE vulnerability Cyber Security macOS Microsoft PoC Privacy Sandbox python

Microsoft: Provide Code for MacOS App Sandbox Flaw

 


MacOS has a vulnerability that was discovered by  Microsoft, it might allow specially created code to execute freely on the system and get past the App Sandbox. 

The security flaw, identified as CVE-2022-26706 (CVSS rating: 5.5), affects iOS, iPadOS, macOS, tvOS, and watchOS. It was patched by Apple in May 2022. In October 2021, Microsoft notified Apple of the problem via Microsoft Security Vulnerability Research (MSVR) and Coordinated Vulnerability Disclosure (CVD).

Sandbox Objective

A specifically written Office document with malicious macro code that allows for system command execution and sandbox limitation bypass can be used by an attacker to exploit the bug. Although Apple's App Sandbox is intended to strictly control a third-party app's access to system resources and user data, the vulnerability allows for obfuscation of these limitations and penetration of the system.

When a user runs malicious software, the main goal of the sandbox is to prevent damage to the system and the user's data.

Microsoft researchers showed that the sandbox rules may be evaded by utilizing specially written software. The sandbox escape vulnerability could be used by an attacker to take charge of the vulnerable device with elevated privileges or to carry out malicious operations like downloading malicious payloads.

The experts originally developed a proof-of-concept (POC) exploit to produce a macro that starts a shell script using the Terminal app, but it was intercepted by the sandbox since it had been given the extended attribute com.apple.quarantine, which inhibits the execution by the Terminal, automatically. The experts then attempted to use Python scripts, but the Python application had a similar problem running files with the mentioned attribute.

"However, this restriction can be removed by using the -stdin option for the open command in the Python exploit code. Since Python had no way of knowing that the contents of its standard input came from a quarantined file, -stdin was able to get around the 'com.apple.quarantine' extended attribute restriction," according to a report by Jonathan Bar Or of the Microsoft 365 Defender Research Team.


Read more »
Supply Chain Assaults
AWS Keys Cyber Attacks Hijacking PHP Libraries PyPI Package python Supply Chain Assaults

Popular Python and PHP LIbraries Hijacked to Steal AWS Keys

 

A software supply chain assault has compromised the PyPI module 'ctx,' which is downloaded over 20,000 times per week, with malicious versions collecting the developer's environment variables. The threat actor even replaced older, secure versions of 'ctx' with code that gathers secrets like Amazon AWS keys and credentials by exfiltrating the developer's environment variables. 

In addition, versions of a 'phpass' fork released to the PHP/Composer package repository Packagist had been modified in a similar way to steal secrets. Over the course of its existence, the PHPass framework has had over 2.5 million downloads from the Packagist repository—though malicious variants are thought to have received significantly fewer downloads. 

The widely used PyPI package 'ctx' was hacked earlier this month, with newer released versions leaking environment variables to an external server. 'ctx' is a small Python module that allows programmers to manipulate dictionary ('dict') objects in various ways. Despite its popularity, the package's developer had not touched it since 2014, according to BleepingComputer. Newer versions, which were released between May 15th and this week, contained dangerous malware. 

The corrupted 'ctx' package was initially discovered by Reddit user jimtk. Somdev Sangwan, an ethical hacker, also revealed that the PHP package 'phpass' had been infiltrated, with tainted copies of the library taking developers' AWS secret keys. Although the malicious 'ctx' versions have been removed from PyPI, copies acquired from Sonatype's malware archives show the presence of harmful code in all 'ctx' versions. 

It's also worth noting that the 0.1.2 version, which hadn't been updated since 2014, was replaced this week with a malicious payload. Once installed, these versions gather all your environment variables and upload these values to the following Heroku endpoint: https://anti-theft-web.herokuapp[.]com/hacked/. At the time of analysis, the endpoint was no longer active. 

In a similar attack, the fork of 'hautelook/phpass,' a hugely popular Composer/PHP package, was hacked with malicious versions released to the Packagist repository. PHPass is an open-source password hashing framework that may be used in PHP applications by developers. The framework was first released in 2005 and has since been downloaded over 2.5 million times on Packagist. 

This week, BleepingComputer discovered malicious commits to the PHPass project that stole environment variables in the same way. The modified 'PasswordHash.php' file in PHPass looks for the values 'AWS ACCESS KEY' and 'AWS SECRET KEY' in your environment. Following that, the secrets are uploaded to the same Heroku endpoint. The presence of similar functionality and Heroku endpoints in both the PyPI and PHP packages suggests that both hijacks were perpetrated by the same threat actor. 

According to the researchers, the attacker's identity is evident. However, this could have been a proof-of-concept experiment gone wrong, and it would be irresponsible to name the individual behind the 'ctx' and 'phpass' hijack until additional information becomes available. Furthermore, while the malicious PyPI package 'ctx' remained active until later today, the impact of malicious 'PHPass' versions appears to have been far more limited after Packagist co-founder Jordi Boggiano marked the hijacked repository as "abandoned" and advised everyone to use bordoni/phpass instead. 

The hijacking of PyPI package 'ctx' is said to have been caused by a maintainer account compromise, but the true cause has yet to be discovered. The attacker claiming a previously abandoned GitHub repository and reviving it to publish altered 'phpass' versions to the Packagist registry has been ascribed to the hack of hautepass/phpass. 

Security Innovation, a cybersecurity organisation, previously dubbed this type of attack "repo jacking." Intezer and Checkmarx recently produced a joint study based on this research and how it can affect Go projects, termed it "chainjacking." This hijacking comes on the back of a PyPI typosquat being detected deploying backdoors on Windows, Linux, and Macs.
Read more »
VMware
Cyberattack data wipers Google Honeypot Installation IBM Malicious actor malware python RaaS Ransomware Attacks. VMware

JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware

 

The first-ever Python-based ransomware virus specifically tailored to target vulnerable Jupyter notebooks has been revealed by researchers. It is a web-based immersive computing platform which allows editing and running programs via a browser. Python isn't widely used for malware development, instead, notably, thieves prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in a ransomware attack. Sophos disclosed Python ransomware, particularly targeting VMware ESXi systems in October 2021. 

Jupyter Notebook is a web-based data visualization platform that is open source. In data science, computers, machine learning, and modular software are used to model data. Over 40 programming languages are supported by the project, which is used by Microsoft, IBM, and Google, as well as other universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script it encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation." 

The Python ransomware is aimed at those who have unintentionally made one's systems susceptible. To watch the malware's activities, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the assault came to a halt before completing the mission, Team Nautilus was able to gather enough data to mimic the remainder of the attack in a lab setting. The encryptor would replicate and encrypt files, then remove any unencrypted data before deleting itself. 

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords." We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike other conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding since no ransom note was displayed on the process, raising the possibility the threat actor was experimenting with the modus operandi or the honeypot scheduled out before it could be completed. 

Regardless, the researchers believe it is ransomware rather than a wiper weapon based on what they have. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password," says the researcher. This is even additional evidence this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident study leads to a Russian actor, citing similarities with prior crypto mining assaults focused on Jupyter notebooks, the attacker's identity remains unknown.
Read more »
Subscribe to: Posts (Atom)