#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

Python | Breaking Cybersecurity News | The Hacker News

PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration

PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration

Jan 26, 2023 Threat Detection / Endpoint Security
Cybersecurity researchers have unearthed a new attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022. "This malware is unique in its utilization of  WebSockets  to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix  said  in a report shared with The Hacker News. The malware, dubbed PY#RATION by the cybersecurity firm, comes with a host of capabilities that allows the threat actor to harvest sensitive information. Later versions of the backdoor also sport anti-evasion techniques, suggesting that it's being actively developed and maintained. The attack commences with a phishing email containing a ZIP archive, which, in turn, harbors two shortcut (.LNK) files that masquerade as front and back side images of a seemingly legitimate U.K. driver's license. Opening each of the .LNK files retrieves two text files from a remote server that a
Malicious PyPI Packages Using Cloudflare Tunnels to Sneak Through Firewalls

Malicious PyPI Packages Using Cloudflare Tunnels to Sneak Through Firewalls

Jan 09, 2023 Network Security / Supply Chain
In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems. The now-removed packages, which were  discovered  by Phylum between December 22 and December 31, 2022, include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles. The malicious code, as is  increasingly the case , is concealed in the setup script (setup.py) of these libraries, meaning running a "pip install" command is enough to activate the malware deployment process. The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, install invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and run a Visual Basic Script extracted from the archive to execute more PowerShell code. "These libraries allow one to control and monitor mouse and keyboard input and capture screen contents," Phylum said in a technical report published
Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain

Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain

Jan 05, 2023 Cyber Attack / Malware
A financially motivated threat actor tracked as  Blind Eagle  has resurfaced with a refined toolset and an elaborate infection chain as part of its attacks targeting organizations in Colombia and Ecuador. Check Point's  latest research  offers new insights into the Spanish-speaking group's tactics and techniques, including the use of sophisticated tools and government-themed lures to activate the killchain. Also tracked under the name APT-C-36, Blind Eagle is notable for its narrow geographical focus and launching indiscriminate attacks against South American nations since at least 2018. Blind Eagle's operations have been  documented  by Trend Micro in September 2021, when it described a spear-phishing campaign primarily aimed at Colombian entities that's designed to deliver a commodity malware known as  BitRAT , with a lesser focus towards targets in Ecuador, Spain, and Panama. Attack chains commence with phishing emails containing a booby-trapped link that, when
Researchers Uncover 29 Malicious PyPI Packages Targeted Developers with W4SP Stealer

Researchers Uncover 29 Malicious PyPI Packages Targeted Developers with W4SP Stealer

Nov 05, 2022
Cybersecurity researchers have uncovered 29 packages in Python Package Index (PyPI), the official third-party software repository for the Python programming language, that aim to infect developers' machines with a malware called W4SP Stealer . "The main attack seems to have started around October 12, 2022, slowly picking up steam to a concentrated effort around October 22," software supply chain security company Phylum  said  in a report published this week. The list of offending packages is as follows: typesutil, typestring, sutiltype, duonet, fatnoob, strinfer, pydprotect, incrivelsim, twyne, pyptext, installpy, faq, colorwin, requests-httpx, colorsama, shaasigma, stringe, felpesviadinho, cypress, pystyte, pyslyte, pystyle, pyurllib, algorithmic, oiu, iao, curlapi, type-color, and pyhints. Collectively, the packages have been downloaded more than 5,700 times, with some of the libraries (e.g., twyne and colorsama) relying on typosquatting to trick unsuspecting users
15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

Sep 22, 2022
As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years. The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, and IT management. The shortcoming, tracked as  CVE-2007-4559  (CVSS score: 6.8), is rooted in the tarfile module, successful exploitation of which could lead to code execution from an arbitrary file write. "The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a TAR archive," Trellix security researcher Kasimir Schulz  said  in a writeup. Originally disclosed in August 2007, the bug has to do with how a specially crafted tar archive can be leveraged to overwri
PyPI Repository Warns Python Project Maintainers About Ongoing Phishing Attacks

PyPI Repository Warns Python Project Maintainers About Ongoing Phishing Attacks

Aug 25, 2022
The Python Package Index, PyPI, on Wednesday sounded the alarm about an ongoing phishing campaign that aims to steal developer credentials and inject malicious updates to legitimate packages. "This is the first known phishing attack against PyPI," the maintainers of the official third-party software repository  said  in a series of tweets. The social engineering attack entails sending security-themed messages that create a false sense of urgency by informing recipients that Google is implementing a mandatory validation process on all packages and that they need to click on a link to complete the validation before September, or risk getting their PyPI modules removed. Should an unsuspecting developer fall for the scheme, users are directed to a lookalike landing page that mimics PyPI's login page and is hosted on Google Sites, from where the entered credentials are captured and abused to unauthorizedly access the accounts and compromise the packages to include malware
10 Credential Stealing Python Libraries Found on PyPI Repository

10 Credential Stealing Python Libraries Found on PyPI Repository

Aug 09, 2022
In what's yet another instance of malicious packages creeping into public code repositories, 10 modules have been removed from the Python Package Index (PyPI) for their ability to harvest critical data points such as passwords and API tokens. The packages "install info-stealers that enable attackers to steal developer's private data and personal credentials," Israeli cybersecurity firm Check Point  said  in a Monday report. A short summary of the offending packages is below - Ascii2text , which downloads a nefarious script that gathers passwords stored in web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser Pyg-utils, Pymocks, and PyProto2 , which are designed to  steal users' AWS credentials Test-async and Zlibsrc , which download and execute malicious code during installation Free-net-vpn, Free-net-vpn2, and WINRPCexploit , which steal user credentials and environment variables, and Browserdiv , which are capable of coll
PyPI Repository Makes 2FA Security Mandatory for Critical Python Projects

PyPI Repository Makes 2FA Security Mandatory for Critical Python Projects

Jul 11, 2022
The maintainers of the official third-party software repository for Python have begun imposing a new two-factor authentication (2FA) condition for projects deemed "critical." "We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them," Python Package Index (PyPI)  said  in a tweet last week. "Any maintainer of a critical project (both 'Maintainers' and 'Owners') are included in the 2FA requirement," it  added . Additionally, the developers of critical projects who have not previously turned on 2FA on PyPi are being offered free hardware security keys from the Google Open Source Security Team. PyPI, which is run by the Python Software Foundation, houses more than 350,000 projects, of which over  3,500 projects  are said to be tagged with a "critical" designation. According to the repository maintainers, any project accounting for the top 1%
Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys

Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys

Jun 24, 2022
Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint. The list of packages includes loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils, according to Sonatype security researcher Ax Sharma. The packages and as well as the endpoint have now been taken down. "Some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job," Sharma  said . The malicious code injected into "loglib-modules" and "pygrata-utils" allow the packages to harvest AWS credentials, network interface information, and environment variables and export them to a remote endpoint: "hxxp://graph.pygrata[.]com:8000/upload." Troublingly, the endpoints hosting this information in the form of hundreds of .TXT files were not secu
New Python-based Ransomware Targeting JupyterLab Web Notebooks

New Python-based Ransomware Targeting JupyterLab Web Notebooks

Mar 31, 2022
Researchers have disclosed what they say is the first-ever Python-based ransomware strain specifically designed to target exposed Jupyter notebooks, a web-based interactive computing platform that allows editing and running programs via a browser. "The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack," Assaf Morag, a data analyst at Aqua Security,  said  in a report. The new ransomware sample, which the cloud security firm detected after it was trapped in one of its honeypot servers, is said to have been executed after the unnamed adversary gained access to the server and downloaded the necessary tools required to carry out the encryption process by opening a terminal. Aqua Security characterized the attack as "simple and straightforward," unlike other traditional ransomware-as-a-service (RaaS) schemes, add
11 Malicious PyPI Python Libraries Caught Stealing Discord Tokens and Installing Shells

11 Malicious PyPI Python Libraries Caught Stealing Discord Tokens and Installing Shells

Nov 19, 2021
Cybersecurity researchers have uncovered as many as 11 malicious Python packages that have been cumulatively downloaded more than 41,000 times from the Python Package Index (PyPI) repository, and could be exploited to steal Discord access tokens, passwords, and even stage dependency confusion attacks. The Python packages have since been removed from the repository following responsible disclosure by DevOps firm JFrog — importantpackage / important-package pptest ipboards owlmoon DiscordSafety trrfab 10Cent10 / 10Cent11 yandex-yt yiffparty Two of the packages ("importantpackage," "10Cent10," and their variants) were found obtaining a reverse shell on a compromised machine, giving the attacker full control over the system. Two other packages "ipboards" and "trrfab" masqueraded as legitimate dependencies designed to be automatically imported by taking advantage of a technique called  dependency confusion  or namespace confusion. Unli
Code Execution Bug Affects Yamale Python Package — Used by Over 200 Projects

Code Execution Bug Affects Yamale Python Package — Used by Over 200 Projects

Oct 07, 2021
A high-severity code injection vulnerability has been disclosed in 23andMe's Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code. The flaw, tracked as  CVE-2021-38305  (CVSS score: 7.8), involves manipulating the schema file provided as input to the tool to circumvent protections and achieve code execution. Particularly, the  issue  resides in the schema parsing function, which allows any input passed to be evaluated and executed, resulting in a scenario where a specially-crafted string within the schema can be abused for the injection of system commands. Yamale is a Python package that allows developers to validate YAML — a data serialization language often used for writing configuration files — from the command line. The package is used by at least  224 repositories  on GitHub.  "This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execut
PyPI Python Package Repository Patches Critical Supply Chain Flaw

PyPI Python Package Repository Patches Critical Supply Chain Flaw

Aug 02, 2021
The maintainers of Python Package Index (PyPI) last week issued fixes for three vulnerabilities, one among which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository. The security weaknesses were  discovered  and reported by Japanese security researcher RyotaK, who in the past has disclosed critical vulnerabilities in the  Homebrew Cask repository  and Cloudflare's  CDNJS library . He was awarded a total of $3,000 as part of the bug bounty program. The list of three vulnerabilities is as follows - Vulnerability in Legacy Document Deletion on PyPI  - An exploitable vulnerability in the mechanisms for deleting legacy documentation hosting deployment tooling on PyPI, which would allow an attacker to remove documentation for projects not under their control. Vulnerability in Role Deletion on PyPI  - An exploitable vulnerability in the mechanisms for deleting roles on PyPI was discovered by a security researcher
Several Malicious Typosquatted Python Libraries Found On PyPI Repository

Several Malicious Typosquatted Python Libraries Found On PyPI Repository

Jul 30, 2021
As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks. "Lack of moderation and automated security controls in public software repositories allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks," JFrog researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe  said  Thursday. PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like  pip  relying on it as the default source for packages and their dependencies. The Python packages in question, which were found to be obfuscated using Base64 encoding, are listed below - pytagora (uploaded by leonora123) pytagora2 (upl
COVID-Themed Lures Target SCADA Sectors With Data Stealing Malware

COVID-Themed Lures Target SCADA Sectors With Data Stealing Malware

Apr 20, 2020
A new malware campaign has been found using coronavirus-themed lures to strike government and energy sectors in Azerbaijan with remote access trojans (RAT) capable of exfiltrating sensitive documents, keystrokes, passwords, and even images from the webcam. The targeted attacks employ Microsoft Word documents as droppers to deploy a previously unknown Python-based RAT dubbed "PoetRAT" due to various references to sonnets by English playwright William Shakespeare. "The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operation," said Cisco Talos in an analysis published last week. According to the researchers, the malware specifically targets supervisory control and data acquisition (SCADA) systems in the energy industry, such as wind turbine systems, whose identities are currently not known. The development is the latest in a surge in cyberattacks exploiting the ongoing coronavirus pandemi
Outlook for Web Bans 38 More File Extensions in Email Attachments

Outlook for Web Bans 38 More File Extensions in Email Attachments

Sep 26, 2019
Malware or computer virus can infect your computer in several different ways, but one of the most common methods of its delivery is through malicious file attachments over emails that execute the malware when you open them. Therefore, to protect its users from malicious scripts and executable, Microsoft is planning to blacklist 38 additional file extensions by adding them to its list of file extensions that are blocked from being downloaded as attachments in Outlook on the Web. Previously known as Outlook Web Application or OWA, "Outlook on the Web" is Microsoft's web-based email client for users to access their emails, calendars, tasks and contacts from Microsoft's on-premises Exchange Server and cloud-based Exchange Online. The list of blocked file extensions currently has 104 entries, including .exe, .url, .com, .cmd, .asp, .lnk, .js, .jar, .tmp, .app, .isp, .hlp, .pif, .msi, .msh, and more. Now, the expanded block list will also include 38 new extensions
Learn Python Programming – 7 Courses Video Training Bundle

Learn Python Programming – 7 Courses Video Training Bundle

Jan 24, 2019
It's no secret that learning how to code is one of the most important things you can do when it comes to the beginning or furthering practically any career in programming and technology. The only problem a beginner often faces is that there are seemingly countless programming languages to choose from, which makes it exceedingly difficult for aspiring or even seasoned programmers to know which language to learn next. But if you haven't already learned Python, look no further. Python is no doubt one of the most powerful and popular programming languages on the planet, and the Complete Python Programming Bundle will teach you everything you need to know for more than 90% off at just $79. With seven modules led by expert instructors, this bundle walks you through everything from the fundamental aspects of Python to its most advanced tricks and tools. Whether you're just embarking on a career in coding and development, or you are a veteran programmer who wants to add
Python-Based Adware Evolves to Install Malicious Browser Extensions

Python-Based Adware Evolves to Install Malicious Browser Extensions

Jun 26, 2018
Security researchers have been warning of a few newly detected variants of python -based adware that are being distributed in the wild not only to inject ads but also found installing malicious browser extensions and hidden cryptocurrency miner into victims' computers. Dubbed PBot , or PythonBot , the adware was first uncovered more than a year ago, but since then the malware has evolved, as its authors have been trying different money-making schemes to profit themselves, according to researchers at Kaspersky Labs. The previous versions of the PBot malware were designed to perform man-in-the-browser (MITB) attacks to inject unwanted advertising scripts on web pages visited by the victim, but the newer variants have been found installing malicious ad extensions in the web browser. "Developers are constantly releasing new versions of this modification, each of which complicates the script obfuscation," Kaspersky researchers said in their blog post published today.
Unpatched Python and Java Flaws Let Hackers Bypass Firewall Using FTP Injection

Unpatched Python and Java Flaws Let Hackers Bypass Firewall Using FTP Injection

Feb 21, 2017
This newly discovered bugs in Java and Python is a big deal today. The two popular programming languages, Java and Python, contain similar security flaws that can be exploited to send unauthorized emails and bypass any firewall defenses. And since both the flaws remain unpatched, hackers can take advantage to design potential cyber attack operations against critical networks and infrastructures. The unpatched flaws actually reside in the way Java and Python programming languages handle File Transfer Protocol (FTP) links, where they don't syntax-check the username parameter, which leads to, what researchers call, protocol injection flaw. Java/Python FTP Injection to Send Unauthorized SMTP Emails In a blog pos t published over the past week, security researcher Alexander Klink detailed the FTP protocol injection vulnerability in Java's XML eXternal Entity (XXE) that allows attackers to inject non-FTP malicious commands inside an FTP connection request. To demonst
Here's Top 10 Popular Programming Languages used on GitHub

Here's Top 10 Popular Programming Languages used on GitHub

Aug 21, 2015
Open Source is the Future of the computer science world! On Wednesday, the popular coding website GitHub shared a graph that gives a closer look at the popularity of different programming languages used on its code sharing website that lets anyone edit, store, and collaborate on software code. Since its launch in 2008, GitHub saw various programming languages picking up momentum, as shown in the graph below. An insight into what GitHub is… GitHub is a web-based repository that operates on the functionality of a 'Git,' which is strictly a command-line tool. With 10 Million users as of today, the platform has become the primary source of housing open source software that is free of cost available to the world at large. A look at the picture of programming trends on GitHub over recent years is actually a look at how the computer world is evolving. Top 10 Programming Languages Here are the Top 10 Programming Languages on GitHub today: JavaS
More Resources