Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label python. Show all posts

Data Theft Alert: Malicious Python Packages Exposed – Stay Secure

 


Researchers have observed an increasing complexity in the scope of a malicious campaign, which has exposed hundreds of info-stealing packages to open-source platforms over the past half-year, with approximately 75,000 downloads being recorded. 

Checkmarx's Supply Chain Security team has been monitoring the campaign since it started at the beginning of April. Analysts discovered 272 packages with code intended to steal confidential information from systems that have been targeted by this campaign. 

There has been a significant evolution of the attack since it was first identified. The authors of the packages have started integrating increasingly sophisticated obfuscation layers and detection-evading techniques to attempt to prevent detection. 

The concept of an info stealer has evolved from humble beginnings over time to become a powerful info stealer capable of stealing information associated with everyone. 

Crypto and Data Theft 


As the researchers point out, "the Python ecosystem started showing a pattern of behaviour in early April 2023." For example, the “_init_py” file was found to load only when it was confirmed that it was running on a target system rather than in a virtualized environment. This is the usual sign of a malware analysis host, according to the researchers. 

This malware will check for the presence of an antivirus on the compromised endpoint, search for task lists, Wi-Fi passwords, system information, credentials, browsing history, cookies, and payment information saved in your browser as well as cryptocurrency data from wallet apps, Discord badges, phone numbers, email addresses, Minecraft data, and Roblox data. As you can see, the malware checks for these things as well. Additionally, it will also take screenshots of any data that is considered to be of importance and upload it directly. 

Aside from that, the malware causes the compromised system to take screenshots and steal individual files such as those in the Desktop, Pictures, Documents, Music, Videos, and Downloads directories to spread to other systems. 

In addition, the malware monitors constantly the victim's clipboard for cryptocurrency addresses, and it swaps the addresses with the attacker's address to divert the payment to wallets controlled by the attacker. 

Approximately $100,000 worth of cryptocurrency is estimated to have been directly stolen by this campaign, according to the analysts. 

An Analysis of The Attack's Evolution 


There was no doubt that the malicious codes and files from this campaign were found in April packages, since the malicious code was plain text, as reported by the researchers. The researchers also noticed that a multilayered anti-obfuscation had been added to two of the packages by the authors in May to hinder analysis of the packages. 

However, in August, a researcher noted that many packages now have multi-layer encryption. There are currently at least 70 layers of obfuscation used by two of the most recent packages tested by Checkmarx's researcher Yahuda Gelb, as noted in a separate report. 

There was also an announcement that the malware developers planned to develop a feature that could disable antivirus software, added Telegram to the list of targeted applications, and introduced a fallback mechanism for data exfiltration during August. 

There are still many risk factors associated with supply chain attacks, according to the researchers, and threat actors are uploading malicious packages to widely used repositories and version control systems daily, such as GitHub, or package repositories such as PyPi and NPM, as well as to widely used package repositories such as GitHub. 

To protect their privacy, users should carefully scrutinize their trustworthiness as well as be vigilant against typosquatting package names in projects and packages that they trust.

PyPI Enforces the Usage of Two-factor Authentication for All Software Publishes

 

The Python Package Index (PyPI) has stated that by the end of the year, every account that maintains a project on the system will be compelled to enable two-factor authentication (2FA). PyPI is a software repository for Python programming language packages. 

The index contains 200,000 packages, allowing developers to identify existing packages that meet specific project needs, saving time and effort. The PyPI team said the decision to make 2FA required for all accounts is part of their long-term commitment to strengthening platform security, and it supports earlier steps such as barring compromised credentials and enabling API tokens.

The reduced danger of supply chain assaults is one advantage of 2FA protection. These attacks occur when an intruder obtains authority over a software maintainer's account and installs a backdoor or malware to a package that is used as a dependency in other software projects.

Depending on the popularity of the product, such attacks may affect millions of people. While developers are responsible for thoroughly checking the building components of their projects, PyPI's measures should make it easier to avoid this type of issue.

Furthermore, in recent months, the Python project repository has been plagued by frequent virus uploads, famous package imitations, and the re-submission of dangerous code using hijacked identities.

The problem became so severe that PyPI was forced to temporarily halt new user and project registrations last week until an adequate defense solution could be designed and implemented. 2FA protection will help to lessen the problem of account takeover attempts, and it should also limit the number of new accounts a suspended user may create in order to re-upload dangerous packages. The deadline for implementing 2FA on all project and organization maintainer accounts is the end of 2023.

In the next months, impacted customers should prepare for and implement the additional security precaution, which may be accomplished using either a hardware key or an authentication app.

“The most important things you can do to prepare are to enable 2FA for your account as soon as possible, either with a security device (preferred) or an authentication app, and to switch to using either Trusted Publishers (preferred) or API tokens to upload to PyPI.” - PyPI

In accordance to the PyPI team, the preparatory work performed in previous months, such as introducing 'Trusted Publishing,' combined with parallel initiatives from platforms such as GitHub that have helped developers familiarise themselves with 2FA requirements, make this year an ideal time to introduce the measure.

Spyware Offered to Cyberattackers via PyPI Python Repository

 

Researchers spotted malware peddlers openly selling an info-stealer on the Python Package Index (PyPI) — the official, public repository for the Python programming language — with only the thinnest concealment.

The attackers, who Sonatype researchers linked to the SylexSquad malware-as-a-service (MaaS) gang in Spain, gave their programme a not-so-subtle name: "reverse-shell." Reverse shells are programmes that are often used by hackers to run commands remotely and receive data from targeted machines.

"I think what's quite funny about this is that it's just so blatant," says Dan Conn, developer advocate at Sonatype. "Perhaps SylexSquad were advertising themselves, or they simply didn't care about being caught."

Inside the'reverse-shell' Data-Heisting Malware

Sonatype researchers were taken aback when they discovered a package dubbed "reverse-shell" on a public forum. "Why would someone name a malicious package in such a blatantly obvious way?" the researchers pondered in their blog article for Malware Monthly.

In actuality, the programme turned out to be much more than a reverse shell. This was revealed when the researchers studied one of its files, "WindowsDefender.py." WindowsDefender.py contains several routines with apparent names, such as get_login_data(), get_web_history(),get_downloads(),get_cookies(),get_credit_cards(),ImageGrab.grab().

According to the theme, the hackers had not gone to great lengths to conceal their intentions: this was malware designed to steal information.

"With no obfuscation, [this] appears to be a Discord bot that executes commands and performs actions on the infected machine," according to the analysis. "The malware can retrieve cookies, take screenshots, run shell commands, steal browsing history, and send all this data to the attacker's Discord channel."

More information can be found in another file called "setup.py." There were multiple Spanish-language instructions here to "Clone GitHub repository and execute file," "replace with URL of your GitHub repository," and "path where you want to clone the repo" — indicating that reverse-shell was a MaaS product.

Further investigation revealed several "Made by SylexSquad" tags sprinkled throughout the code, some of which was minimally obfuscated. The researchers discovered that SylexSquad was formerly a hacking marketplace running on the Sellix e-commerce platform in 2022. It has subsequently been decommissioned.

Publishing so publicly to a public repo could have been a deliberate attempt by the organisation to draw attention to their product. "How do we know about groups like Anonymous, LulzSec, or Killnet?" Conn inquires rhetorically. "It's because they get a bad reputation."

However, PyPI is considerably more valuable to them than that.

Why Do Hackers Use Public Repositories?

According to Sonatype, the SylexSquad attackers aren't the only miscreants using forums like PyPI and GitHub, and there are a variety of reasons for their audacity.

"Hosting malicious files on a public repository provides bad actors more control over them," the researchers explained in their blog. "It gives them the power of deleting, upgrading, or even doing version control of the payload."

Among other benefits, "it allows the malware to be shared a lot more widely," Conn elaborates, "and it might actually trip up, in particular, a lot of antivirus software that uses generic signatures — like, actual bytes — to store whether something is malicious or not."

In other words, rather of sending malware upfront, which antivirus scanners may detect fast, hackers can just provide a link to their harmful code elsewhere: "By providing a link to a GitHub, they're perhaps evading that check,"" he says.

To avoid becoming a hotspot for hackers, public repositories have protection safeguards in place. Even the finest scanners and moderators are not perfect, and they cannot be everywhere at the same time.

"Hackers take certain measures like encoding or otherwise obfuscating the code they host, to make it a little bit more difficult for automated engines to pick up," Juan Aguirre, security researcher at Sonatype, points out. SylexSquad encoded its malicious software as numbers in this example, utilising easily reversible ASCII codes for each character.

Sonatype reported the package to the PyPI maintainers, and it was removed. But "it's just a game of cat and mouse," Aguirre says. "Someone catches them and they just run to the next spot."

Aguirre sees this tale as part of a larger issue with open source software: as long as malware developers find use in public repositories, organisations must be conscious of the types of packages they may be picking up.

"It's important to understand what it is that you're running," he concludes. "This is a great case for that. You have to have a bill of materials, you've got to know what you're doing, and what dependencies you're using. If you're just blindly installing things and grabbing code you see, things like this could very easily get into your system."


This New Python RAT Malware Targets Windows in Attacks

 

A new Python-based malware has been discovered in the wild, with remote access trojan (RAT) capabilities that permit its operators to regulate the compromised systems. The new RAT, dubbed PY#RATION by researchers at threat analytics firm Securonix, communicates with the command and control (C2) server and exfiltrates data from the victim host via the WebSocket protocol. 

The company's technical report examines how the malware operates. The researchers note that the RAT is actively being developed, as they have seen multiple versions of it since the PY#RATION campaign began in August. MalwareHunterTeam, who tweeted about a campaign in August 2022, also discovered this malware.
 
The PY#RATION malware is distributed through a phishing campaign that employs password-protected ZIP file attachments with two shortcuts. Front.jpg.lnk and back.jpg.lnk are LNK files disguised as images.

When the shortcuts victim is launched, he or she sees the front and back of a driver's license. However, malicious code is also executed to contact the C2 (in later attacks, Pastebin) and download two.TXT files ('front.txt' and 'back.txt'), which are later renamed to BAT files to accommodate malware execution.

When the malware is launched, it creates the 'Cortana' and 'Cortana/Setup' directories in the user's temporary directory before downloading, unpacking, and running additional executable files from that location.

By placing a batch file ('CortanaAssist.bat') in the user's startup directory, persistence is established. Cortana, Microsoft's personal assistant solution for Windows, is used to disguise malware entries as system files.

The malware supplied to the target is a Python RAT packaged into an executable with the help of automated packers such as 'pyinstaller' and 'py2exe,' which can convert Python code into Windows executables that include all the libraries required for its implementation.

This method results in larger payload sizes, with version 1.0 (the first) being 14MB and version 1.6.0 (the most recent) being 32MB. The latest version is larger because it includes more code (+1000 lines) and a layer of fernet encryption.

As per Securonix's tests, version 1.6.0 of the payload deployed undiscovered by all but one antivirus engine on VirusTotal. While Securonix did not share the malware samples' hashes, BleepingComputer was able to find a file that appears to be from this campaign. To determine the malware's capabilities, Securonix analysts extracted the payload's contents and examined the code functions with the 'pyinstxtractor' tool.

Among the features seen in version 1.6.0 of the PY#RATION RAT are the following:
  • Perform network enumeration
  • Perform file transfers from the breached system to the C2, or vice versa
  • Perform keylogging to record the victim's keystrokes
  • Execute shell commands
  • Perform host enumeration
  • Extract passwords and cookies from web browsers
  • Steal data from the clipboard
  • Detect anti-virus tools running on the host
The malware, according to Securonix researchers, "leverages Python's built-in Socket.IO framework, which provides features to both client and server WebSocket communication." This channel is utilized for communication as well as data exfiltration.

The benefit of WebSockets is that the malware can concurrently receive and send data from and to the C2 over a single TCP connection using network ports such as 80 and 443. The threat actors utilized the same C2 address ("169[.]239.129.108") throughout their campaign, from malware version 1.0 to 1.6.0, per the analysts.

The IP address has not been blocked on the IPVoid checking system, indicating that PY#RATION has gone undetected for several months.. Details about specific campaigns employing this piece of malware, as well as their targets, distribution volume, and operators, are currently unknown.
 

Prototype Pollution-like Bug Variant Found in Python


Prototype Pollution

Prototype pollution is a severe vulnerability class associated with prototype-based languages, the most popular among them being JavaScript. 

However, a researcher has discovered Python-specific variants of prototype pollution, and other class-based programming languages may also be exposed to similar threats. 

With prototype pollution, a threat actor may access and control the default values of an object’s properties. In addition to allowing the attacker to alter the application's logic, this can also result in denial-of-service attacks or, in severe cases, remote code execution. 

From Prototype Pollution to Class Pollution 

In JavaScript, each object inherits the ‘prototype’ of the parent object, which includes all the functions and characteristics of that object. JavaScript objects can access the functionality of their parents by traversing their prototypes. 

In the course of runtime, the prototype could as well be modified, making JavaScript dynamic and flexible but also dangerous. Prototype pollution attacks utilize and exploit this characteristic in order to modify the behavior of JavaScript applications and to conduct malicious activities. It is claimed that class-based languages like Python are resistant to such manipulations. 

However, security researcher Abdulraheem Khaled has come across a coding scheme that can enable threat actors to conduct prototype pollution-like attacks on Python programs. He has labeled it as ‘class pollution’ in a blog post documenting his findings. 

In regards to the findings, he told The Daily Swig that he discovered the attack while attempting to translate the concepts of JavaScript prototype pollution to Python. 

Manipulating Python Classes 

In order to exploit Python objects, the attacker is required to have an entry point that utilizes the user input to set the attributes of an object. If the user input succeeds in determining both the attribute name and value, the attacker can then exploit it to alter the program’s behavior. 

“The key factor to look for is whether the application uses unsanitized user-controllable input to set attributes of an object (controlling the attribute name to be set and its value) or not,” states Khaled to The Daily Swig. 

Attackers may be able to access parent classes, global variables, and more if the target method employs recursive loops to traverse over the object's characteristics. This merge is deemed "unsafe" by Khaled. 

An attacker could, for instance, alter command strings that the system executes, manipulate the value of important variables, or start denial of service (DoS) attacks by rendering crucial classes dysfunctional.

All Python Applications are Vulnerable 

According to the security researcher, all types of Python applications are vulnerable to these exploits as long as they continue accepting contaminated user input and implement a form of object attribute assignment that is ‘unsafe’. 

In his investigation, he came across various instances where popular Python libraries had an unsafe merge function, which then exposed them to class pollution attacks.

The simplest of all impacts of class pollution would be DoS. Although, these attacks may have much greater and more severe impacts on Python online apps. 

“Prototype pollution is definitely one of the topics that deserve more attention from the community, and we started to see more focus on it recently […] Class pollution might be a new vulnerability that has just come to light, [but] I expect to see it in other programming languages soon,” Khaled concluded.  

An Active Typosquat Attack in PyPI and NPM Discovered

The typosquatting-based software supply chain threat, which targets explicitly Python and JavaScript programmers, is being warned off by Phylum security researchers.

What is Typosquatting?

Cybercriminals that practice typosquatting register domains with purposeful misspellings of the names of popular websites. Typically for malevolent intentions, hackers use this tactic to entice unwary users to other websites. These fake websites could deceive users into inputting private information. These sites can seriously harm an organization's reputation if attacked by these perpetrators. 

PYPI &NPM

Researchers alerted developers to malicious dependencies that contained code to download Golang payloads on Friday, saying a threat actor was typosquatting well-known PyPI packages. 

The Python Software Foundation is responsible for maintaining PyPI, the largest code repository for the Python programming language. Over 350,000 software programs are stored there. Meanwhile, NPM, which hosts over a million packages, serves as the primary repository for javascript programming. 

About the hack

The aim of the hack is to infect users with a ransomware variant. A number of files with nearly identical names, like Python Requests, are being used by hackers to mimic the Python Requests package on PyPI.

After being downloaded, the malware encrypts files in the background while changing the victim's desktop wallpaper to a picture controlled by the hacker, and looks like it came from the CIA.

When a Readme file created by malware is opened, a message from the attacker requesting $100, usually in a cryptocurrency, for the decryption key is displayed. 

The malware used is referred to as W4SP Stealer. It is able to access a variety of private information, including Telegram data, crypto wallets, Discord tokens, cookies, and saved passwords. 

One of the binaries is ransomware, which encrypts specific files and changes the victim's desktop wallpaper when executed. However, soon the malicious actors published numerous npm packages with identical behaviors. For the decryption key, they demand $100 in Bitcoin, XMR, Ethereum, or Litecoin.

Each of the malicious npm packages, such as discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr, contains JavaScript code that acts identical to the code embedded in the Python packages. 

Louis Lang, chief technology officer at Phylum, predicts a rise in harmful package numbers. These packages drop binaries, and the antivirus engines in VirusTotal identify these binaries as malicious. It is advised that Python and JavaScript developers adhere to the necessary cybersecurity maintenance and stay secure. 



Unpatched 15-year Old Python Flaw Allows Code Execution in 350k Projects

 

As many as 350,000 open-source projects are potentially vulnerable to exploitation due to a 15-year-old security vulnerability in a Python module. The open-source repositories cover a wide range of industries, including software development, artificial intelligence/machine learning, web development, media, security, and information technology management. 

The flaw, designated CVE-2007-4559 (CVSS score: 6.8), is deeply embedded in the tarfile module, and successful exploitation could result in code execution from an arbitrary file write. 

"The vulnerability is a path traversal attack in the extract and extract all functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a TAR archive," Trellix security researcher Kasimir Schulz said in a writeup.

The bug, first reported in August 2007, relates to how a specially crafted tar archive can be used to overwrite arbitrary files on a target machine simply by opening the file.

Simply put, a threat actor can exploit the flaw by uploading a malicious tarfile in a way that allows the adversary to escape the directory that a file is intended to be extracted to and achieve code execution, potentially allowing the adversary to seize control of a target device.

"Never extract archives from untrusted sources without prior inspection," the Python documentation for tarfile reads. "It is possible that files are created outside of path, e.g. members that have absolute filenames starting with '/' or filenames with two dots '..'."

The flaw is similar to a recently disclosed security flaw in RARlab's UnRAR utility (CVE-2022-30333), which could result in remote code execution. Trellix has also released a custom utility called Creosote to scan for projects vulnerable to CVE-2007-4559, revealing the vulnerability in both the Spyder Python IDE and Polemarch.

"Left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," Douglas McKee noted.

A 15-Year-Old Bug Affected Over 350,000 Open-Source Projects

 

Trellix, an advanced research centre rediscovered a 15-year-old vulnerability in Python programming language that is still being exploited and has affected over 350,000 projects. 

The threat researchers at Trellix considered claimed to have found a zero-day vulnerability, it is a 15-year-old security flaw in the Python module, that has remained unpatched, and is now exposing around 350,000 open as well as closed source projects to the risk of supply chain cyberattacks. 

The Trellix estimate indicates that many of the affected repositories are used by machine learning tools that help developers to complete the project as soon as possible. 

In of one of the articles, Kasimir Schulz mentioned that the vulnerability was a form of routed traversal attack in the “extract and extractall functions of the tarfile module,” which is contained within the TAR file module itself. These open-source projects cover a wide range of areas including web development, media, IT management, software development, artificial intelligence, machine learning, and security. 

The vulnerability, tracked as “CVE-2007-4559”, permits the threat actor linked with a user, to execute the code and overlap the arbitrary files by using filenames with dedicated sequenced filenames in the TAR archive. This allows the attacker to acquire control of the targeted device. 

It is similar to the vulnerability named, CVE-2022-30333, which was recently found in RARIab’s UnRAR, which also allows the attacker to execute the code remotely. 

The CVE-2007-4559 was first discovered in 2007 when it was declared as a vulnerability of low importance by Red Hat, one of the world’s leading solution providers of enterprise open-source software. 

The bug can be leveraged on Linux as well. It includes the specially crafted TAR archive used to overwrite or overlap the existing arbitrary files on the targeted device by just opening the file. It is through this simple overlap that the attacker is able to inject the malicious tarfile in a way that allows him to execute the code by intending that the file be extracted after crossing the directory boundary. 

Reportedly, the patches have been introduced by Trellix for the aforesaid vulnerability. Initially, they are made available for about 11000 projects, but within the next week, they will be available for about 7000 projects.

School Kid Uploads Ransomware Scripts to PyPI Repository as 'Fun' Project

 

An apparently school-age hacker from Verona, Italy, has become the latest to highlight why developers must be cautious about what they download from public code repositories these days. As an experiment, the teenage hacker recently posted many malicious Python packages containing ransomware programmes to the Python Package Index (PyPI). 

The packages' names were "requesys," "requesrs," and "requesr," which are all typical misspellings of "requests," a valid and extensively used HTTP library for Python. According to the Sonatype researchers who discovered the malicious code on PyPI, one of the packages (requesys) was downloaded around 258 times — probably by developers who made typographical errors when attempting to download the genuine "requests" package. 

The bundle included scripts for exploring directories such as Documents, Pictures, and Music. One version of the requesys package included plaintext Python encryption and decryption code. However, a later version included a Base64-obfuscated executable, making analysis more difficult, according to Sonatype. 

Developers whose systems were encrypted received a pop-up notice urging them to contact the package's author, "b8ff" (aka "OHR" or Only Hope Remains), on his Discord channel for the decryption key. According to Sonatype, victims were able to receive the decryption key without having to pay for it. 

"And that makes this case more of a gray area rather than outright malicious activity," Sonatype concludes. 

Information on the hacker's Discord channel shows that at least 15 victims had installed and run the package. According to the company, Sonatype identified the virus on July 28 and promptly reported it to PyPI's authorities. Two of the packages have subsequently been deleted, and the hacker has renamed the requesys package so that developers do not confuse it with a valid programme. 

"There are two takeaways here," says Sonatype's Ankita Lamba, senior security researcher. First and foremost, be cautious while spelling out the names of prominent libraries, as typosquatting is one of the most prevalent malware attack tactics, she advises. Second, and more broadly, developers should always use caution when obtaining and integrating packages into their software releases. Open source is both a necessary fuel for digital innovation and an attractive target for software supply chain threats, explains Lamba.

Following the newest finding, Sonatype researchers contacted the creator of the malicious code and discovered him to be a self-described school-going hacker who was evidently fascinated by exploits and the simplicity with which they might be developed.

According to Lamba, b8ff assured Sonatype that the ransomware software was totally open source and part of a hobby project.

"As they are a school-going 'learning developer,' this was meant to be a fun research project on ransomware exploits that could have easily gone much further astray," Lamba says. "The author went on to say that they were surprised to see how easy it was to create this exploit and how interesting it was."

Microsoft: Provide Code for MacOS App Sandbox Flaw

 


MacOS has a vulnerability that was discovered by  Microsoft, it might allow specially created code to execute freely on the system and get past the App Sandbox. 

The security flaw, identified as CVE-2022-26706 (CVSS rating: 5.5), affects iOS, iPadOS, macOS, tvOS, and watchOS. It was patched by Apple in May 2022. In October 2021, Microsoft notified Apple of the problem via Microsoft Security Vulnerability Research (MSVR) and Coordinated Vulnerability Disclosure (CVD).

Sandbox Objective

A specifically written Office document with malicious macro code that allows for system command execution and sandbox limitation bypass can be used by an attacker to exploit the bug. Although Apple's App Sandbox is intended to strictly control a third-party app's access to system resources and user data, the vulnerability allows for obfuscation of these limitations and penetration of the system.

When a user runs malicious software, the main goal of the sandbox is to prevent damage to the system and the user's data.

Microsoft researchers showed that the sandbox rules may be evaded by utilizing specially written software. The sandbox escape vulnerability could be used by an attacker to take charge of the vulnerable device with elevated privileges or to carry out malicious operations like downloading malicious payloads.

The experts originally developed a proof-of-concept (POC) exploit to produce a macro that starts a shell script using the Terminal app, but it was intercepted by the sandbox since it had been given the extended attribute com.apple.quarantine, which inhibits the execution by the Terminal, automatically. The experts then attempted to use Python scripts, but the Python application had a similar problem running files with the mentioned attribute.

"However, this restriction can be removed by using the -stdin option for the open command in the Python exploit code. Since Python had no way of knowing that the contents of its standard input came from a quarantined file, -stdin was able to get around the 'com.apple.quarantine' extended attribute restriction," according to a report by Jonathan Bar Or of the Microsoft 365 Defender Research Team.


Popular Python and PHP LIbraries Hijacked to Steal AWS Keys

 

A software supply chain assault has compromised the PyPI module 'ctx,' which is downloaded over 20,000 times per week, with malicious versions collecting the developer's environment variables. The threat actor even replaced older, secure versions of 'ctx' with code that gathers secrets like Amazon AWS keys and credentials by exfiltrating the developer's environment variables. 

In addition, versions of a 'phpass' fork released to the PHP/Composer package repository Packagist had been modified in a similar way to steal secrets. Over the course of its existence, the PHPass framework has had over 2.5 million downloads from the Packagist repository—though malicious variants are thought to have received significantly fewer downloads. 

The widely used PyPI package 'ctx' was hacked earlier this month, with newer released versions leaking environment variables to an external server. 'ctx' is a small Python module that allows programmers to manipulate dictionary ('dict') objects in various ways. Despite its popularity, the package's developer had not touched it since 2014, according to BleepingComputer. Newer versions, which were released between May 15th and this week, contained dangerous malware. 

The corrupted 'ctx' package was initially discovered by Reddit user jimtk. Somdev Sangwan, an ethical hacker, also revealed that the PHP package 'phpass' had been infiltrated, with tainted copies of the library taking developers' AWS secret keys. Although the malicious 'ctx' versions have been removed from PyPI, copies acquired from Sonatype's malware archives show the presence of harmful code in all 'ctx' versions. 

It's also worth noting that the 0.1.2 version, which hadn't been updated since 2014, was replaced this week with a malicious payload. Once installed, these versions gather all your environment variables and upload these values to the following Heroku endpoint: https://anti-theft-web.herokuapp[.]com/hacked/. At the time of analysis, the endpoint was no longer active. 

In a similar attack, the fork of 'hautelook/phpass,' a hugely popular Composer/PHP package, was hacked with malicious versions released to the Packagist repository. PHPass is an open-source password hashing framework that may be used in PHP applications by developers. The framework was first released in 2005 and has since been downloaded over 2.5 million times on Packagist. 

This week, BleepingComputer discovered malicious commits to the PHPass project that stole environment variables in the same way. The modified 'PasswordHash.php' file in PHPass looks for the values 'AWS ACCESS KEY' and 'AWS SECRET KEY' in your environment. Following that, the secrets are uploaded to the same Heroku endpoint. The presence of similar functionality and Heroku endpoints in both the PyPI and PHP packages suggests that both hijacks were perpetrated by the same threat actor. 

According to the researchers, the attacker's identity is evident. However, this could have been a proof-of-concept experiment gone wrong, and it would be irresponsible to name the individual behind the 'ctx' and 'phpass' hijack until additional information becomes available. Furthermore, while the malicious PyPI package 'ctx' remained active until later today, the impact of malicious 'PHPass' versions appears to have been far more limited after Packagist co-founder Jordi Boggiano marked the hijacked repository as "abandoned" and advised everyone to use bordoni/phpass instead. 

The hijacking of PyPI package 'ctx' is said to have been caused by a maintainer account compromise, but the true cause has yet to be discovered. The attacker claiming a previously abandoned GitHub repository and reviving it to publish altered 'phpass' versions to the Packagist registry has been ascribed to the hack of hautepass/phpass. 

Security Innovation, a cybersecurity organisation, previously dubbed this type of attack "repo jacking." Intezer and Checkmarx recently produced a joint study based on this research and how it can affect Go projects, termed it "chainjacking." This hijacking comes on the back of a PyPI typosquat being detected deploying backdoors on Windows, Linux, and Macs.

JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware

 

The first-ever Python-based ransomware virus specifically tailored to target vulnerable Jupyter notebooks has been revealed by researchers. It is a web-based immersive computing platform which allows editing and running programs via a browser. Python isn't widely used for malware development, instead, notably, thieves prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in a ransomware attack. Sophos disclosed Python ransomware, particularly targeting VMware ESXi systems in October 2021. 

Jupyter Notebook is a web-based data visualization platform that is open source. In data science, computers, machine learning, and modular software are used to model data. Over 40 programming languages are supported by the project, which is used by Microsoft, IBM, and Google, as well as other universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script it encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation." 

The Python ransomware is aimed at those who have unintentionally made one's systems susceptible. To watch the malware's activities, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the assault came to a halt before completing the mission, Team Nautilus was able to gather enough data to mimic the remainder of the attack in a lab setting. The encryptor would replicate and encrypt files, then remove any unencrypted data before deleting itself. 

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords." We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike other conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding since no ransom note was displayed on the process, raising the possibility the threat actor was experimenting with the modus operandi or the honeypot scheduled out before it could be completed. 

Regardless, the researchers believe it is ransomware rather than a wiper weapon based on what they have. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password," says the researcher. This is even additional evidence this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident study leads to a Russian actor, citing similarities with prior crypto mining assaults focused on Jupyter notebooks, the attacker's identity remains unknown.

Attackers use Python Ransomware to Encrypt VMware ESXi Servers

 

Researchers uncovered a new Python ransomware from an unnamed gang that attacks ESXi servers and virtual machines (VMs) with "sniper-like" speed. Sophos stated on Tuesday that the ransomware is being used to infiltrate and encrypt virtual machines housed on an ESXi hypervisor in operations that take less than three hours from start to finish. 

In a press release accompanying his in-depth report, Andrew Brandt, principal researcher at Sophos, said, “This is one of the fastest ransomware attacks Sophos has ever investigated, and it appeared to precision-target the ESXi platform.” 

The Python coding language is rarely used for ransomware, according to Brandt. But, he continued, its use makes sense because Python comes pre-installed on Linux-based systems like ESXi, allowing Python-based attacks on these systems. 

The assault used a custom Python script that, when run on the target organization's virtual machine hypervisor, put all virtual machines offline. According to Sophos' security analysts, the attackers were swift to deploy the ransomware, the encryption process began about three hours after the initial intrusion. 

The attackers gained initial access using a TeamViewer account that did not have multi-factor authentication enabled and was running in the background on a computer owned by a user with Domain Administrator credentials. According to Sophos, the attackers logged in 30 minutes after midnight in the organization's time zone, then downloaded and used a tool to discover targets on the network, which led them to a VMware ESXi server. 

At roughly 2 a.m., the attackers used the built-in SSH service ESXi Shell to get into the server, which can be enabled on ESXi servers for administration purposes. The attackers logged into the ESXi Shell three hours after the network was first scanned, copied the Python script, and then ran it for each datastore disc volume, encrypting the virtual disc and settings files for virtual machines. 

“The script contains variables that the attacker can configure with multiple encryption keys, email addresses, and where they can customize the file suffix that gets appended to encrypted files,” Brandt wrote.

Sophos investigators discovered several, hardcoded encryption keys as well as a method for creating even more encryption key pairs when traversing through the code. Normally, an attacker would just need to insert the attacker's own 'public key,' which would be used to encrypt files on the targeted computer(s), according to Brandt. However, it appears that each time this ransomware is launched, it generates a new key.

New Malware Variant Employs Windows Subsystem for Linux for Attacks

 

Security experts have found a new malware variant that uses Windows Subsystem for Linux to infect systems covertly. The research highlights that malicious actors explore new attack tactics and focus on WSL to avoid being detected. 

Black Lotus Labs, the Lumen Technologies networking threat research organization, reported on Thursday 16th of September claimed that it has detected many malicious Python files in Debian Linux's binary ELF (Executable and Linkable) format. 

The initial samples were found at the beginning of May for the WSL environment and lasted until August 22 every 2 to 3 weeks. These function as WSL loaders and can be detected extremely poorly in public file scanning services. The next step is the injection of malWindows API calls into an ongoing process, a method that is neither new nor advanced. 

Of the few discovered instances, only one has been given a publicly routable IP address, indicating that attackers concerned are testing WSL for malware installation on Windows. The malevolent files mostly rely on Python 3 to perform their duties and are bundled with PyInstaller as ELF for Debian. 

“As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality” Black Lotus Labs told. 

Just over a month ago, only one VirusTotal antivirus engine recognized a dangerous Linux file. Updating the scan for another sample demonstrated that the motors on the scanning service were not fully detected. 

One of the alternatives, written in Python 3 entirely, doesn't even use Windows APIs and is the first WSL loader effort. It is functional with both Windows and Linux with normal python libraries. 

In April 2016, Microsoft released the Windows Subsystem for Linux. When WSL was newly released from beta in September, investigators from Check Point revealed a catastrophe termed Bashware, where WSL could be misused to hide malicious code from security products. 

The scientists theorize that the code is still being created, even in the final level, depending on the incoherences detected in the analysis of multiple samples. The limited public IP exposure suggests activities in Ecuador and France at the end of June and the beginning of July, which are restricted to targets. 

Further, Black Lotus Labs recommends that everyone who has WSL enabled, make sure that logging is activated to detect these intrusions.

Malevolent PyPI Packages Detected Filching Developer Data

 

Repositories of software packages have become a frequent target for supply chain attacks. Reports concerning malware attacks on prominent repository systems like npm, PyPI, and RubyGems have been recently surfacing. Programmers completely trust repositories and install packages from such sources, provided that they are trustworthy. 

Malware packages may be posted to the package repository, permitting malicious actors to leverage repository systems to propagate viruses and start successful attacks both on developers and CI/CD machines in the pipeline. 

Eight Python packages that have been installed more than 30,000 times have been deleted from the PyPI portal with malicious code, demonstrating again how software package repositories have developed into a hub for a popular supply chain attack. 

The dearth of moderation and automated security safeguards in public software repositories enables relatively unfamiliar attackers, through typosquatting, dependency misunderstanding, or basic social engineering attempts, to utilize them as a base to disseminate malware. 

PyPI is Python's primary third-party software repository, which has package manager utilities, such as pip, as its default package and dependency source. 

Several of the packages could have been used for more complex threats, allowing the attacker to implement remote code on the target device, collect network data, plunder credit card details, and autosaved passwords in browsers like Chrome and Edge, and sometimes even steal Discord authentication tokens to impersonate the victim. 

PyPI is not alone in software package repositories that appear as a potential attack surface to invasions, with rogue packages identified in npm and RubyGems that might potentially damage a complete system or be a useful jump-off point to deepen the network of a victim. 

"The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks," said JFrog CTO Asaf Karas. "The ability for attackers to use simple obfuscation techniques to introduce malware means developers have to be concerned and vigilant. This is a systemic threat, and it needs to be actively addressed on several layers, both by the maintainers of software repositories and by the developers." 

Mostly on the programmers' side, precautionary action must form an important part of any CI/CD pipeline, including the confirmation of the signature in the library and the use of automated security instruments that analyze problematic code suggestions included inside the project. Automated tools like these may warn users about the use of harmful code.

Python: Affected by Critical IP Address Validation Vulnerability

 

The critical IP address validation vulnerability in the Python standard library ipaddress is similar to the bug that was discovered in the "netmask" library earlier this year. The researchers who discovered the crucial flaw in netmask also found the same flaw in this Python module and named it the CVE-2021-29921 identifier. 

BleepingComputer first posted on a crucial IP validation flaw in the netmask library, which is used by thousands of applications, in March. The vulnerability tracked as CVE-2021-28918 (Critical), CVE-2021-29418 (Medium), and CVE-2021-29424 (High), was found in both the npm and Perl versions of netmask, as well as some other related libraries.

According to Victor Viale, Sick Codes, Kelly Kaoudis, John Jackson, and Nick Sahler, the ipaddress standard library implemented in Python 3.3 is also affected by this vulnerability. The bug, labeled CVE-2021-29921, affects the ipaddress standard library's inappropriate parsing of IP addresses. The ipaddress module in Python enables developers to quickly construct IP addresses, networks, and interfaces, as well as parse and normalize IP addresses in various formats. 

An IPv4 address can be expressed in a number of ways, including decimal, integer, octal, and hexadecimal, though decimal is the most common. The IPv4 address of BleepingComputer, for example, is 104.20.59.209 in decimal format, but it can also be expressed in the octal format as 0150.0024.0073.0321. When typed 0127.0.0.1/ into Chrome's address bar, the browser treats the entire string as an IP address in octal format, according to BleepingComputer's tests. 

The IP address switches to its decimal equivalent of 87.0.0.1 when you press enter or return, which is how most applications are expected to handle ambiguous IP addresses. The fact that 127.0.0.1 is a loopback address rather than a public IP address is noteworthy; however, its ambiguous representation converts it to a public IP address that points to a different host entirely. 

Sections of an IPv4 address can be interpreted as octal if prefixed with a "0," according to the IETF's original specification for ambiguous IP addresses. Any leading zeros in the Python standard library ipaddress, on the other hand, will be stripped and discarded. Researchers Sick Codes and Victor Viale demonstrated that Python's ipaddress library can simply discard any leading zeroes in a proof-of-concept test. In other words, '010.8.8.8' will be treated as '10.8.8.8' by Python's ipaddress module, rather than '8.8.8.8'. 

"Improper input validation of octal strings in Python 3.8.0 thru v3.10 stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate [Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI) attacks] on many programs that rely on Python stdlib IP address," stated the researchers. 

A discussion had shortly followed among Python maintainers as to the reasons behind this commit, and practical reasons for introducing this change when it came to handling ambiguous IP addresses. Although discussions about an upcoming patch are ongoing, exact details on what version of Python will it contain are fuzzy. 

On the other hand, one of the Python maintainers Victor Stinner said: "Passing IPv4 addresses with leading zeros is rare. You don't have to change the [sic] IP address for that, you can pre-process your inputs: it works on any Python version with or without the patch," suggesting an alternative solution to the issue.

Python Package Index Removed 3,653 Noxious Packages after a Vulnerability

 


The Python Package Index, otherwise called PyPI, has eliminated 3,653 noxious packages uploaded days after a security vulnerability in the utilization of private and public registries was highlighted. The Python Package Index is the official third-party software repository for Python. It is analogous to CPAN, the repository for Perl. Some package managers, including pip, use PyPI as the default source for packages and their dependencies. More than 235,000 Python packages can be accessed through PyPI. 

Python developers use PyPI to add software libraries composed by different developers in their own ventures. Other programming languages implement similar package management systems, all of which request some degree of trust. Developers are frequently encouraged to audit any code they import from an external library however that advice isn't constantly followed. Package management systems like npm, PyPI, and RubyGems have all had to eliminate sabotaged packages as of recent years. Malware creators have discovered that in the event that they can get their code included in well-known libraries or applications, they get free dissemination and trust they haven't acquired. 

A month ago, security researcher Alex Birsan showed that it is so easy to exploit these systems through a type of typosquatting that misused the interplay between public and private package registries. The downpour of vindictive Python packages over the previous week included unauthorized versions of projects like CuPy, an implementation of NumPy-compatible multi-dimensional array on CUDA, Nvidia's parallel computing platform. 

In a GitHub issued post, Kenichi Maehashi, a project maintainer, relates how cupy-cuda112 (CuPy worked for CUDA 11.2) was uploaded on February 25, 2021, then detected and eliminated a day later. Python has a policy for managing such a thing. On Monday, Ee W. Durbin III, director of infrastructure at the Python Foundation, said the large number of culpable packages had been taken out but expressed hesitance to boycott the account responsible because the account holder could simply register for another account. 

The name utilized by the malware writer, "RemindSupplyChainRisks," gives off an impression of being an attempt to call attention to an aspect of software distribution that most developers already understand is fraught with potential problems.

PoetRAT Targeting Public and Private Sector in Azerbaijan

 



APT groups have been targeting the public sector and other major organizations in Azerbaijan via recent versions of PoetRAT. Notably, the threat actor has advanced from Python to Lua script and makes use of Word documents to deploy malicious software.
 
PoetRAT was first discovered by Cisco Talos, it was being distributed using URLs that falsely appeared as Azerbaijan’s government domains, giving researchers a reason to believe that the adversaries intended to target citizens of the Eurasian country, Azerbaijan. The threat actors also attacked private organizations in the SCADA sector such as ‘wind turbine systems’. However, the recent campaigns that unfolded in the months of September and October were targeted towards the public sector and VIPs. In later updated versions, the operators worked out a new exfiltration protocol to cover their activities and avoid being caught. 
 
Written in Python and split into various parts, the malware provides full control of the infected system to the operation. It gathers documents, pictures from the webcam, and even passwords, employing other tools. In an attempt to improve their operational security (OpSec), the attacker replaces protocol and performs reconnaissance on infected machines. 
 
Over the past months, the developers of the malware have continuously evolved their strategies to penetrate into more sophisticated targets. The campaign demonstrates how the attackers manually pushed additional tools like keyloggers when required onto the infected machines. To name a few more, camera control applications, generic password stealers, and browser- focused password stealers. Besides malware campaigns, the operators also employed the same infrastructure to perform a phishing campaign wherein the phishing website impersonates the webmail of Azerbaijan’s Government.
 
Other instances when Azerbaijan grappled with cyberattacks include a data breach faced by the Azeri Navy sailors. The hacked data belonged to 18,872 sailors of the Azerbaijan Navy which included their full names, DOB, passport numbers, and expiry dates. In another attack, a U.K based live flight tracking service underwent DDoS attacks that temporarily halted its services, the attack is alleged to be having links with the ongoing geopolitical conflicts in Azerbaijan.

Indian Copyright Office Asks for Executable File for Website Code?


India copyright office grants a series of rights to the developer of a computer program that protects his original creation legally. Under the Copyright Act, computer programming codes can be registered as ‘literary works’. As the program is safeguarded by copyrights, each subsequent modification or addition to the code containing sufficient originality will also be protected under the law. Generally, a computer program is preserved not by just one copyright but by a set of copyrights beginning from the first source code written till the last addition by the creator.

Although, source code and object code differ from each other, the copyright office views both of the code forms as equal for registration purposes – maintaining the notion that the source code and object code are just two distinct forms of the same copyrighted program.

Copyright ownership refers to a collection of rights that gives the creator an exclusive right to use the original creation like a song, literary work, movie, or software. It means that the original authors of works and the people/company to whom they have given authorization to are the only ones having exclusive right to reproduce the creation.

Recently, a company director applied for copyrights for his PHP and python program. However, to his surprise, the Indian copyright office started asking for an executable file. It’s a well-known fact that PHP code used in websites does not have an executable file, hence there was no possible way that the director could have provided the executable file for his PHP program. The question still remains how the officials at the Indian copyright office are not aware of the fact that there is no executable file for website code, moreover, why do they even require it in the first place?

In India, the Copyright Act, 1957 grants protection to the Intellectual Property Rights (IPR) of computer software. As per the definition in the Indian Copyright Act, Computer programs are classified as ‘literary works’. Accordingly, the rights of computer software are protected under the provisions of the Act.