Search This Blog

Showing posts with label python. Show all posts

New Malware Variant Employs Windows Subsystem for Linux for Attacks

 

Security experts have found a new malware variant that uses Windows Subsystem for Linux to infect systems covertly. The research highlights that malicious actors explore new attack tactics and focus on WSL to avoid being detected. 

Black Lotus Labs, the Lumen Technologies networking threat research organization, reported on Thursday 16th of September claimed that it has detected many malicious Python files in Debian Linux's binary ELF (Executable and Linkable) format. 

The initial samples were found at the beginning of May for the WSL environment and lasted until August 22 every 2 to 3 weeks. These function as WSL loaders and can be detected extremely poorly in public file scanning services. The next step is the injection of malWindows API calls into an ongoing process, a method that is neither new nor advanced. 

Of the few discovered instances, only one has been given a publicly routable IP address, indicating that attackers concerned are testing WSL for malware installation on Windows. The malevolent files mostly rely on Python 3 to perform their duties and are bundled with PyInstaller as ELF for Debian. 

“As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality” Black Lotus Labs told. 

Just over a month ago, only one VirusTotal antivirus engine recognized a dangerous Linux file. Updating the scan for another sample demonstrated that the motors on the scanning service were not fully detected. 

One of the alternatives, written in Python 3 entirely, doesn't even use Windows APIs and is the first WSL loader effort. It is functional with both Windows and Linux with normal python libraries. 

In April 2016, Microsoft released the Windows Subsystem for Linux. When WSL was newly released from beta in September, investigators from Check Point revealed a catastrophe termed Bashware, where WSL could be misused to hide malicious code from security products. 

The scientists theorize that the code is still being created, even in the final level, depending on the incoherences detected in the analysis of multiple samples. The limited public IP exposure suggests activities in Ecuador and France at the end of June and the beginning of July, which are restricted to targets. 

Further, Black Lotus Labs recommends that everyone who has WSL enabled, make sure that logging is activated to detect these intrusions.

Malevolent PyPI Packages Detected Filching Developer Data

 

Repositories of software packages have become a frequent target for supply chain attacks. Reports concerning malware attacks on prominent repository systems like npm, PyPI, and RubyGems have been recently surfacing. Programmers completely trust repositories and install packages from such sources, provided that they are trustworthy. 

Malware packages may be posted to the package repository, permitting malicious actors to leverage repository systems to propagate viruses and start successful attacks both on developers and CI/CD machines in the pipeline. 

Eight Python packages that have been installed more than 30,000 times have been deleted from the PyPI portal with malicious code, demonstrating again how software package repositories have developed into a hub for a popular supply chain attack. 

The dearth of moderation and automated security safeguards in public software repositories enables relatively unfamiliar attackers, through typosquatting, dependency misunderstanding, or basic social engineering attempts, to utilize them as a base to disseminate malware. 

PyPI is Python's primary third-party software repository, which has package manager utilities, such as pip, as its default package and dependency source. 

Several of the packages could have been used for more complex threats, allowing the attacker to implement remote code on the target device, collect network data, plunder credit card details, and autosaved passwords in browsers like Chrome and Edge, and sometimes even steal Discord authentication tokens to impersonate the victim. 

PyPI is not alone in software package repositories that appear as a potential attack surface to invasions, with rogue packages identified in npm and RubyGems that might potentially damage a complete system or be a useful jump-off point to deepen the network of a victim. 

"The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks," said JFrog CTO Asaf Karas. "The ability for attackers to use simple obfuscation techniques to introduce malware means developers have to be concerned and vigilant. This is a systemic threat, and it needs to be actively addressed on several layers, both by the maintainers of software repositories and by the developers." 

Mostly on the programmers' side, precautionary action must form an important part of any CI/CD pipeline, including the confirmation of the signature in the library and the use of automated security instruments that analyze problematic code suggestions included inside the project. Automated tools like these may warn users about the use of harmful code.

Python: Affected by Critical IP Address Validation Vulnerability

 

The critical IP address validation vulnerability in the Python standard library ipaddress is similar to the bug that was discovered in the "netmask" library earlier this year. The researchers who discovered the crucial flaw in netmask also found the same flaw in this Python module and named it the CVE-2021-29921 identifier. 

BleepingComputer first posted on a crucial IP validation flaw in the netmask library, which is used by thousands of applications, in March. The vulnerability tracked as CVE-2021-28918 (Critical), CVE-2021-29418 (Medium), and CVE-2021-29424 (High), was found in both the npm and Perl versions of netmask, as well as some other related libraries.

According to Victor Viale, Sick Codes, Kelly Kaoudis, John Jackson, and Nick Sahler, the ipaddress standard library implemented in Python 3.3 is also affected by this vulnerability. The bug, labeled CVE-2021-29921, affects the ipaddress standard library's inappropriate parsing of IP addresses. The ipaddress module in Python enables developers to quickly construct IP addresses, networks, and interfaces, as well as parse and normalize IP addresses in various formats. 

An IPv4 address can be expressed in a number of ways, including decimal, integer, octal, and hexadecimal, though decimal is the most common. The IPv4 address of BleepingComputer, for example, is 104.20.59.209 in decimal format, but it can also be expressed in the octal format as 0150.0024.0073.0321. When typed 0127.0.0.1/ into Chrome's address bar, the browser treats the entire string as an IP address in octal format, according to BleepingComputer's tests. 

The IP address switches to its decimal equivalent of 87.0.0.1 when you press enter or return, which is how most applications are expected to handle ambiguous IP addresses. The fact that 127.0.0.1 is a loopback address rather than a public IP address is noteworthy; however, its ambiguous representation converts it to a public IP address that points to a different host entirely. 

Sections of an IPv4 address can be interpreted as octal if prefixed with a "0," according to the IETF's original specification for ambiguous IP addresses. Any leading zeros in the Python standard library ipaddress, on the other hand, will be stripped and discarded. Researchers Sick Codes and Victor Viale demonstrated that Python's ipaddress library can simply discard any leading zeroes in a proof-of-concept test. In other words, '010.8.8.8' will be treated as '10.8.8.8' by Python's ipaddress module, rather than '8.8.8.8'. 

"Improper input validation of octal strings in Python 3.8.0 thru v3.10 stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate [Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI) attacks] on many programs that rely on Python stdlib IP address," stated the researchers. 

A discussion had shortly followed among Python maintainers as to the reasons behind this commit, and practical reasons for introducing this change when it came to handling ambiguous IP addresses. Although discussions about an upcoming patch are ongoing, exact details on what version of Python will it contain are fuzzy. 

On the other hand, one of the Python maintainers Victor Stinner said: "Passing IPv4 addresses with leading zeros is rare. You don't have to change the [sic] IP address for that, you can pre-process your inputs: it works on any Python version with or without the patch," suggesting an alternative solution to the issue.

Python Package Index Removed 3,653 Noxious Packages after a Vulnerability

 


The Python Package Index, otherwise called PyPI, has eliminated 3,653 noxious packages uploaded days after a security vulnerability in the utilization of private and public registries was highlighted. The Python Package Index is the official third-party software repository for Python. It is analogous to CPAN, the repository for Perl. Some package managers, including pip, use PyPI as the default source for packages and their dependencies. More than 235,000 Python packages can be accessed through PyPI. 

Python developers use PyPI to add software libraries composed by different developers in their own ventures. Other programming languages implement similar package management systems, all of which request some degree of trust. Developers are frequently encouraged to audit any code they import from an external library however that advice isn't constantly followed. Package management systems like npm, PyPI, and RubyGems have all had to eliminate sabotaged packages as of recent years. Malware creators have discovered that in the event that they can get their code included in well-known libraries or applications, they get free dissemination and trust they haven't acquired. 

A month ago, security researcher Alex Birsan showed that it is so easy to exploit these systems through a type of typosquatting that misused the interplay between public and private package registries. The downpour of vindictive Python packages over the previous week included unauthorized versions of projects like CuPy, an implementation of NumPy-compatible multi-dimensional array on CUDA, Nvidia's parallel computing platform. 

In a GitHub issued post, Kenichi Maehashi, a project maintainer, relates how cupy-cuda112 (CuPy worked for CUDA 11.2) was uploaded on February 25, 2021, then detected and eliminated a day later. Python has a policy for managing such a thing. On Monday, Ee W. Durbin III, director of infrastructure at the Python Foundation, said the large number of culpable packages had been taken out but expressed hesitance to boycott the account responsible because the account holder could simply register for another account. 

The name utilized by the malware writer, "RemindSupplyChainRisks," gives off an impression of being an attempt to call attention to an aspect of software distribution that most developers already understand is fraught with potential problems.

PoetRAT Targeting Public and Private Sector in Azerbaijan

 



APT groups have been targeting the public sector and other major organizations in Azerbaijan via recent versions of PoetRAT. Notably, the threat actor has advanced from Python to Lua script and makes use of Word documents to deploy malicious software.
 
PoetRAT was first discovered by Cisco Talos, it was being distributed using URLs that falsely appeared as Azerbaijan’s government domains, giving researchers a reason to believe that the adversaries intended to target citizens of the Eurasian country, Azerbaijan. The threat actors also attacked private organizations in the SCADA sector such as ‘wind turbine systems’. However, the recent campaigns that unfolded in the months of September and October were targeted towards the public sector and VIPs. In later updated versions, the operators worked out a new exfiltration protocol to cover their activities and avoid being caught. 
 
Written in Python and split into various parts, the malware provides full control of the infected system to the operation. It gathers documents, pictures from the webcam, and even passwords, employing other tools. In an attempt to improve their operational security (OpSec), the attacker replaces protocol and performs reconnaissance on infected machines. 
 
Over the past months, the developers of the malware have continuously evolved their strategies to penetrate into more sophisticated targets. The campaign demonstrates how the attackers manually pushed additional tools like keyloggers when required onto the infected machines. To name a few more, camera control applications, generic password stealers, and browser- focused password stealers. Besides malware campaigns, the operators also employed the same infrastructure to perform a phishing campaign wherein the phishing website impersonates the webmail of Azerbaijan’s Government.
 
Other instances when Azerbaijan grappled with cyberattacks include a data breach faced by the Azeri Navy sailors. The hacked data belonged to 18,872 sailors of the Azerbaijan Navy which included their full names, DOB, passport numbers, and expiry dates. In another attack, a U.K based live flight tracking service underwent DDoS attacks that temporarily halted its services, the attack is alleged to be having links with the ongoing geopolitical conflicts in Azerbaijan.

Indian Copyright Office Asks for Executable File for Website Code?


India copyright office grants a series of rights to the developer of a computer program that protects his original creation legally. Under the Copyright Act, computer programming codes can be registered as ‘literary works’. As the program is safeguarded by copyrights, each subsequent modification or addition to the code containing sufficient originality will also be protected under the law. Generally, a computer program is preserved not by just one copyright but by a set of copyrights beginning from the first source code written till the last addition by the creator.

Although, source code and object code differ from each other, the copyright office views both of the code forms as equal for registration purposes – maintaining the notion that the source code and object code are just two distinct forms of the same copyrighted program.

Copyright ownership refers to a collection of rights that gives the creator an exclusive right to use the original creation like a song, literary work, movie, or software. It means that the original authors of works and the people/company to whom they have given authorization to are the only ones having exclusive right to reproduce the creation.

Recently, a company director applied for copyrights for his PHP and python program. However, to his surprise, the Indian copyright office started asking for an executable file. It’s a well-known fact that PHP code used in websites does not have an executable file, hence there was no possible way that the director could have provided the executable file for his PHP program. The question still remains how the officials at the Indian copyright office are not aware of the fact that there is no executable file for website code, moreover, why do they even require it in the first place?

In India, the Copyright Act, 1957 grants protection to the Intellectual Property Rights (IPR) of computer software. As per the definition in the Indian Copyright Act, Computer programs are classified as ‘literary works’. Accordingly, the rights of computer software are protected under the provisions of the Act.