Hackers distributing malicious Python packages via popular developer Q&A platform
ReversingLabs
ReversingLabs is the trusted name in file and software security. RL - Trust Delivered.
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs .
PyPI was a prime target this past week, with hackers distributing malicious packages on a popular developer Q&A platform. Bad actors also placed a malicious Python package that steals Discord and browser data containing personal identifiable information (PII).?
This Week’s Top Story
Hackers distributing malicious Python packages via popular developer Q&A platform?
Python continues to remain a popular destination for threat actors to hide their malware. In this instance, discovered by researchers at Checkmarx, attackers were spotted marketing bogus PyPI packages to developers on Stack Exchange, a popular Q&A platform for engineers to discuss the job sector. The campaign launched on June 25, 2024, with malicious packages titled raydium , raydium-sdk , sol-instruct , sol-structs , and spl-types , culminating in a total download count of 2,082. It also appears to have a financial motivation, as attackers accessed and drained cryptocurrency wallets, specifically those dealing with raydium and solana.
The attack sequence started on Stack Exchange, with the threat actor posting their packages in response to a query about swapping cryptocurrency via Python. The threat actors chose this query as it lived on a thread with high visibility, which increased the chances of the packages’ widespread adoption, in addition to maximizing the threat actors’ credibility.
Once a user downloads the package, raydium or raydium-sdk, it deploys the dependency, sol-structs or spl-types, which act as a springboard for the next stage of malware. This stage of malware is a full-fledged information stealer that has a broad scope. According to Checkmarx’s report , the stealer looked for and mined “an array of sensitive information” including browser information (passwords, credit card information, cookies), cryptocurrency wallets, and data from messaging apps (Telegram, Signal, Spectrum).?
In addition to the theft of personal and financial information, attackers also used the malware to take a screenshot of the victim’s systems, and hunted for files containing keywords associated with Github recovery codes and BitLocker codes. Attackers would then export all of the gathered data to their attacker’s command and control?(C2) server – two Telegram bots. Perhaps most concerning is that in the background of these malicious actions, the malware is also deploying a backdoor that allows for further exploits.?
The packages are no longer available on PyPI nor on Stack Exchange, but it most likely will not be the last time threat researchers find malicious actors leveraging developer-focused applications in their campaigns – and this certainly isn’t the first. In March of this year, RL researchers discovered a very similar campaign that used PyPI packages to recover stolen crypto wallets . Additionally, the researchers identified a malicious package just 10 days ago, python-guild , that’s a part of the campaign originally discovered by Checkmarx. (The Hacker News )
This Week’s Headlines
New PyPI package Zlibxjson steals Discord, browser data
A malicious package has been found on the PyPI repository, named zlibxjson (v 8.2). Once deployed, the package attempts to download multiple files, including a PyInstaller-packed executable (.exe), which contained several Python and DLL files. Within these files was Discord_token_grabber.py that extracted tokens from local files on Discord, then decrypted them if necessary, before validating them through Discord’s API. This process allowed access to user accounts without authorization, resulting in the exposure of PII. Meanwhile, get_cookies.py would collect data from web browser cookies and password_grabber.py would extract and decrypt passwords saved on browsers.?
RL threat researchers discovered this malicious package about a month ago, and the threat report for zlibxjson can be found on secure.software . (Infosecurity Magazine )
NVD backlog continues to grow
New estimates report that the National Vulnerability Database (NVD) backlog could grow to upwards of 30,000 unanalyzed vulnerabilities by the end of the year, with the current backlog sitting at 16,974 vulnerabilities. The National Institute of Standards and Technology (NIST), which manages the NVD, would need to analyze vulnerabilities at a rate of 217 per day to prevent anymore build-up and clear the existing backlog. Clearing the backlog is critical, because many cybersecurity professionals depend on the NVD to determine what software has been affected by a vulnerability. The NVD also helps practitioners prioritize which flaws need immediate patching. Unfortunately, it appears unlikely that NIST will achieve the needed rate to clear the backlog, especially if they do not receive more resources. (Dark Reading )
Ransomware gangs are loving this dumb but deadly make-me-admin ESXi vulnerability
A vulnerability found within the VMware ESXi hypervisor, CVE-2024-37085, carries only a 6.8 CVSS rating, but attackers love it, including many of the world's most high-profile ransomware groups. CVE-2024-37085 allows attackers to create active directory (AD) groups – which isn't necessarily an AD admin – to gain full control of an ESXi hypervisor. Full control is granted via a simple logic flaw in ESXi: If an attacker adds an AD group called “ESX Admins,” any user within the group would by default be considered an admin, and gain admin access. Such access lends the attacker the ability to steal data, move laterally across the victim's network, or just cause chaos by ending processes and encrypting the file system. Attackers can also gain admin access by escalating the privileges of another AD group, so long as “ESX Admins” does not exist. It is advised users of ESXi update to the newest version as soon as possible. (The Register )
领英推荐
5 recommendations for acing the SEC cybersecurity rules
Rules implemented in 2023 by the U.S. Securities and Exchange Commission (SEC) regarding risk management, strategy, governance, and cybersecurity incident disclosure have raised important considerations for security leaders at public companies. However, managing such regulations in a complex cybersecurity landscape can be challenging. This CSO article shares five recommendations on how companies can best abide by these regulations. They are:
For more details on these recommendations, and what exactly the SEC’s requirements are, see the full article. (CSO Online )
Airlines are flying blind on third-party risks
A report by Security Scorecard gave the aviation industry a B letter-grade on their cybersecurity report card. While not a failing grade, B-rated industries are 2.9x more likely to be a victim of a cyber attack compared to their A-rated counterparts. This score comes after aviation reported 4% more breaches than the industry benchmark, with many of them being the result of compromises of third-parties. There are hopes, however, that new cybersecurity requirements for the aviation sector could help in limiting these breaches and enhancing security overall. (Help Net Security )
Can you trust commercial software? Tackle third-party risk
Despite best efforts from regulators to hold software publishers accountable in order to secure the software supply chain, enterprise buyers continue to face financial, operational, and reputational impacts from successful attacks against their third-party vendors. To mitigate such attacks, buyers should adopt vendor security questionnaires, require SBOMs, use security rating services, and conduct pentesting. However, what is truly required is a solution that opens the black box of commercial software, rather than solutions that try to peer through the opacity. One such solution is complex binary analysis, a solution you can learn more about by reading this article written by RL’s Charlie Jones . (Security Info Watch )
Looking for more insights on software supply chain security? Head to the RL Blog .
Resource Round-up
Free Ebook I Software Supply Chain Security for Dummies
Software supply chain security (SSCS) risk is real and growing. But now there’s a new book to help you out. Software Supply Chain Security for Dummies is an essential guide that breaks down all-things SSCS, offering practical steps to safeguard your systems. Whether you’re a CISO, a security professional, or part of a development team, this new guide provides invaluable insights and practical advice to elevate your security posture. [Download Here ]
Webinar I Black Hat 2024 Recap
Not everything that happens in Vegas has to stay in Vegas. From Black Hat to DEFCON - there is a lot to unpack from one of the biggest weeks in cybersecurity and we want to talk about it! We are excited to bring back authors and industry experts, Chris H. and Derek Fisher to discuss their perspectives on this year’s events including what’s changed since last year, the latest trends, and top takeaways. [Register Here ]
On Demand I Insights from the Gartner? Leader’s Guide to Software Supply Chain Security
The latest Gartner? Report, "Leader’s Guide to Software Supply Chain Security" offers critical findings and strategies that enterprises need to secure their software supply chains. Watch ReversingLabs’ Chief Trust Officer Sa?a Zdjelar and VP of Product Marketing Dan Petrillo to learn how to implement these key strategies. [Watch Here ]
Looking for more great conversations to watch? See RL’s on-demand webinar library .