Mar 29, 2024NewsroomSupply Chain Attack / Threat Intelligence

The maintainers of the Python Package Index (PyPI) repository briefly suspended new user sign-ups following an influx of malicious projects uploaded as part of a typosquatting campaign.

It said “new project creation and new user registration” was temporarily halted to mitigate what it said was a “malware upload campaign.” The incident was resolved 10 hours later, on March 28, 2024, at 12:56 p.m. UTC.

Software supply chain security firm Checkmarx said the unidentified threat actors behind flooding the repository targeted developers with typosquatted versions of popular packages.

“This is a multi-stage attack and the malicious payload aimed to steal crypto wallets, sensitive data from browsers (cookies, extensions data, etc.), and various credentials,” researchers Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornstain said. “In addition, the malicious payload employed a persistence mechanism to survive reboots.”

The findings were also corroborated independently by Mend.io, which noted that it detected more than 100 malicious packages targeting machine learning (ML) libraries such as Pytorch, Matplotlib, and Selenium.

The development comes as open-source repositories are increasingly becoming an attack vector for threat actors to infiltrate enterprise environments.

Typosquatting is a well-documented attack technique in which adversaries upload packages with names closely resembling their legitimate counterparts (e.g., Matplotlib vs. Matplotlig or tensorflow vs. tensourflow) in order to trick unsuspecting users into downloading them.

These deceptive variants – totalling over 500 packages, per Check Point – have been found to be uploaded from a unique account starting March 26, 2024, suggesting that the whole process was automated.

“The decentralized nature of the uploads, with each package attributed to a different user, complicates efforts to cross-identify these malicious entries,” the Israeli cybersecurity company said.

Cybersecurity firm Phylum, which has also been tracking the same campaign, said the attackers published –

• 67 variations of requirements
• 38 variations of Matplotlib
• 36 variations of requests
• 35 variations of colorama
• 29 variations of tensorflow
• 28 variations of selenium
• 26 variations of BeautifulSoup
• 26 variations of PyTorch
• 20 variations of pillow
• 15 variations of asyncio

The packages, for their part, check if the installer’s operating system was Windows, and if so, proceed to download and execute an obfuscated payload retrieved from an actor-controlled domain (“funcaptcha[.]ru”).

The malware functions as a stealer, exfiltrating files, Discord tokens, as well as data from web browsers and cryptocurrency wallets to the same server. It further attempts to download a Python script (“hvnc.py”) to the Windows Startup folder for persistence.

The development once again illustrates the escalating risk posed by software supply chain attacks, making it crucial that developers scrutinize every third-party component to ensure that it safeguards against potential threats.

This is not the first time PyPI has resorted to such a measure. In May 2023, it temporarily disabled user sign-ups after finding that the “volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion.”

PyPI suspended new user registrations a second-time last year on December 27 for similar reasons. It was subsequently lifted on January 2, 2024.

Multiple threat actors are exploiting the recently disclosed security flaws in JetBrains TeamCity software to deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and a Golang-based remote access trojan called Spark RAT.

The attacks entail the exploitation of CVE-2024-27198 (CVSS score: 9.8) that enables an adversary to bypass authentication measures and gain administrative control over affected servers.

“The attackers are then able to install malware that can reach out to its command-and-control (C&C) server and perform additional commands such as deploying Cobalt Strike beacons and remote access trojans (RATs),” Trend Micro said in a new report.

“Ransomware can then be installed as a final payload to encrypt files and demand ransom payments from victims.”

Following public disclosure of the flaw earlier this month, it has been weaponized by threat actors associated with BianLian and Jasmin ransomware families, as well as to drop the XMRig cryptocurrency miner and Spark RAT.

Organizations relying on TeamCity for their CI/CD processes are recommended to update their software as soon as possible to safeguard against potential threats.

The development comes as ransomware continues to be both formidable and profitable, with new strains like DoNex, Evil Ant, Lighter, RA World, and WinDestroyer emerging in the wild, even as notorious cybercrime crews like LockBit are still accepting affiliates into their program despite law enforcement actions against them.

WinDestroyer, in particular, stands out for its ability to encrypt files and render targeted systems unusable with no means to recover the data, raising the possibility that the threat actors behind it are geopolitically motivated.

“One of the major issues when tackling ransomware crime is the nature of the affiliate program, with actors often working for multiple RaaS outfits at a time,” Cisco Talos said. “It’s going to take persistent, strategic efforts to significantly damage RaaS operations and weaken the regenerative power of these gangs.”

Data shared by the U.S. Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) shows that 2,825 ransomware infections were reported in 2023, causing adjusted losses of more than $59.6 million. Of these, 1,193 came from organizations belonging to a critical infrastructure sector.

The top five ransomware variants impacting critical infrastructure in the U.S. include LockBit, BlackCat (aka ALPHV or Noberus), Akira, Royal, and Black Basta.

Besides offering a bigger chunk of the proceeds to court affiliates, the landscape is witnessing increased collaboration between different ransomware groups that share their malicious tooling with each other.

These partnerships also manifest in the form of ghost groups, in which one ransomware operation outsources its skills to another, as seen in the case of Zeon, LockBit, and Akira.

Broadcom-owned Symantec, in a report published last week, revealed that “ransomware activity remains on an upward trend despite the number of attacks claimed by ransomware actors decreasing by slightly more than 20% in the fourth quarter of 2023.”

According to statistics published by NCC Group, the total number of ransomware cases in February 2024 increased by 46% from January, up from 285 to 416, led by LockBit (33%), Hunters (10%), BlackCat (9%), Qilin (9%), BianLian (8%), Play (7%), and 8Base (7%).

“Recent law enforcement activity has the potential to polarize the ransomware landscape, creating clusters of smaller RaaS operators that are highly active and harder to detect due to their agility in underground forums and markets,” Matt Hull, global head of threat intelligence at NCC Group, said.

“It appears that the attention drawn by the larger ‘brand’ ransomware, such as LockBit and Cl0p, is leading to new and small generic RaaS affiliate partnerships becoming the norm. As a result, detection and attribution could become harder, and affiliates may easily switch providers due to low entry thresholds and minimal monetary involvement.”

This has also been complemented by threat actors finding novel ways to infect victims by mainly exploiting vulnerabilities in public-facing applications and evade detection, as well as refining their tactics by increasingly banking on legitimate software and living-off-the-land (LotL) techniques.

Also popular among ransomware attackers are utilities like TrueSightKiller, GhostDriver, and Terminator, which leverage the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software.

“BYOVD attacks are attractive to threat actors, as they can provide a means by which to disable AV and EDR solutions at the kernel level,” Sophos researchers Andreas Klopsch and Matt Wixey said in a report this month. “The sheer amount of known vulnerable drivers means that attackers have a wealth of options to choose from.”

Jan 15, 2024NewsroomServer Security / Cyber Attack

The environmental services industry witnessed an “unprecedented surge” in HTTP-based distributed denial-of-service (DDoS) attacks, accounting for half of all its HTTP traffic.

This marks a 61,839% increase in DDoS attack traffic year-over-year, web infrastructure and security company Cloudflare said in its DDoS threat report for 2023 Q4 published last week.

“This surge in cyber attacks coincided with COP 28, which ran from November 30th to December 12th, 2023,” security researchers Omer Yoachimik and Jorge Pacheco said, describing it as a “disturbing trend in the cyber threat landscape.”

The uptick in HTTP attacks targeting environmental services websites is part of a larger trend observed annually over the past few years, specifically during COP 26 and COP 27, as well as other United Nations environment-related resolutions or announcements.

“This recurring pattern underscores the growing intersection between environmental issues and cyber security, a nexus that is increasingly becoming a focal point for attackers in the digital age,” the researchers said.

Despite the environmental services sector becoming a new target in Q4 2023, the cryptocurrency industry continues to be the primary casualty in terms of the volume of HTTP DDoS attack requests.

With more than 330 billion HTTP requests targeting it, the attack traffic represents more than 4% of all HTTP DDoS traffic for the quarter. Gaming and gambling and telecommunications emerged as the second and third most attacked industries.

On the other end of the spectrum are the U.S. and China, acting as the main sources of HTTP DDoS attack traffic. It’s worth noting that the U.S. has been the largest source of HTTP DDoS attacks for five consecutive quarters since Q4 2022.

“Together, China and the U.S. account for a little over a quarter of all HTTP DDoS attack traffic in the world,” the researchers said. “Brazil, Germany, Indonesia, and Argentina account for the next 25%.”

The development comes amid a heavy onslaught of DDoS attacks targeting Palestinian banking, information technology (IT), and internet platforms following the onset of the Israel-Hamas War and Israel’s counteroffensive codenamed Operation Iron Swords.

The percentage of DDoS attack traffic targeting Palestinian websites grew by 1,126% quarter-over-quarter, Cloudflare said, adding DDoS attack traffic targeting Taiwan registered a 3,370% growth amidst the Taiwanese presidential elections and rising tensions with China.

Akamai, which also published its own retrospective on DDoS Trends in 2023, said “DDoS attacks became more frequent, longer, highly sophisticated (with multiple vectors), and focused on horizontal targets (attacking multiple IP destinations in the same attack event).”

The findings also follow a report from Cloudflare about the increasing threat posed by unmanaged or unsecured API endpoints, which could enable threat actors to exfiltrate potentially sensitive information.

“HTTP anomalies — the most frequent threat toward APIs — are common signals of malicious API requests,” the company said. “More than half (51.6%) of traffic errors from API origins comprised ‘429’ error codes: ‘Too Many Requests.'”