Python Under Attack with 90 Zero-Day Exploits
May 16th, 2023 |
Security researchers have recently uncovered 30 new zero-day exploits in addition to the 60 previous exploits in Python discovered in late March 2023. These Zero-Day exploits take advantage of malicious links and code embedded into a significant number of Python libraries that download and run malware upon execution.
A strain of Python malware known as KEKW is actively taking advantage of these vulnerabilities and has gained notoriety due to its stealthy methods. At this time KEKW is primarily targeting supply chains.
KEKW is a type of Python malware that tricks developers into unknowingly incorporating malicious code into their projects. It does this by disguising itself as legitimate Python packages or creating imposter packages that look like popular libraries. The malware takes advantage of various distribution channels to disseminate.
One method is typosquatting, where the malware authors create packages with names that are similar to well-known libraries. This tricks developers into unintentionally downloading and integrating the malware into their applications.
KEKW then injects harmful code into essential systems which results in severe consequences. This includes disrupting production processes, breaching sensitive data, and compromising product quality. The malware is even capable of hijacking cryptocurrency transactions. This puts organizations at risk of creating sub-par and even unsafe products, as well as financial loss and reputational damage.
The impact of these attacks extends beyond the initial victim. Once the software is compromised, the malware can spread laterally to other interconnected organizations and systems, perpetuating the attack throughout the entire supply chain. This underscores the urgent need for comprehensive security measures.
Acreto provides a comprehensive security solution that addresses supply chain attack techniques. Here’s how Acreto’s solution can help:
Ecosystems: Acreto’s Ecosystems deliver a dedicated security infrastructure that can be deployed per application, project, or third-party. This means that each ecosystem can be isolated, limiting access only to users, devices, systems, and applications that need to interoperate together. By segmenting the ecosystems, Acreto prevents the spread of malware within the supply chain.
Eliminate the Internet Attack Surface: Acreto’s solution eliminates any and all access from the Internet while allowing Ecosystem members to interoperate with authorized systems and applications. This helps prevent the download and integration of malicious packages disguised as legitimate Python libraries or imposter packages.
Micro-Segmentation and Nano-Segmentation: Acreto’s solution enables micro-segmentation and nano-segmentation, allowing individual or groups of systems to be isolated on shared networks. This limits access only to systems that need to interoperate together, preventing the spread of malware within the supply chain.
Encrypted Secure Scan: Acreto’s Secure Scan addresses the challenge of securing encrypted communications. It decrypts, scans, and re-encrypts communications inline and in real-time, blocking any malicious content embedded in the encrypted payload. This helps detect and prevent the spread of malware within the supply chain, even if it is hidden within encrypted communications.
Access Control: Acreto provides access control mechanisms based on user identity and device identity. This ensures that only authorized users and devices are allowed to join the Ecosystem. By controlling network protocols, ports, application protocols, and application programs, Acreto prevents unauthorized communication and restrict the spread of malware.
Threat Prevention: Acreto’s solution includes threat prevention capabilities that utilize threat signatures and zero-day behavioral analysis. This helps identify and mitigate known exploits, malware, botnets, and ransomware. By inspecting all communications and analyzing system behavior, Acreto detects and prevent threats within the supply chain.
Organizations can enhance their security posture, mitigate the risk of supply chain attacks, and protect their manufacturing processes, and sensitive data. Acreto’s approach of isolating ecosystems, eliminating attack surfaces, and implementing access controls helps prevent the spread of malware and provides a robust defense against supply chain attacks in Python-based software repositories.
Contact Acreto today for more information or to evaluate Ecosystem security for your organization.
Ecosystem Security Isolation
Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.
Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.
Ecosystems can be configured as:
Open → With inbound or outbound access from or to the Internet or a third-party
Closed → Fully contained with access limited to Ecosystem members
Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.
Eliminate the Internet Attack Surface
Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.
Eliminate the Internal Attack Surface
Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with
Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.
Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.
Isolated Data Flows
Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.
Encrypted Secure Scan
Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications is encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.
Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.
Identity with MFA
User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organizations’ Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.
Device Specifies a unique identity to each device to validate that a specified device that does not rely on a user to operate – such as an autonomous application or IoT, is allowed to join the Ecosystem.
Network Protocol / Port
Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.
File Type Upload / Download Controls
Control upload / download of files by type such .EXE, PDF, XLS, DOC, SCR, and MSI among hundreds of options.
Data Leak Prevention
Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:
Credit Cards Upload / Download Controls
Social Security Number Upload / Download Controls
RegEx Pattern Upload / Download Controls
After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:
Identifies and mitigates known bad exploits, malware, botnets and ransomware.
Zero-Day Behavioral Analysis
Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.
Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.
Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name to the Ecosystem then choose the bandwidth desired and within a few minutes your Ecosystem providing a dedicated security infrastructure is ready.
Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.
Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.
Different Ecosystems operate completely independently from one-another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.
Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to the scenario. Moreover, when its time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.
Mechanism of Attack
Security Researchers discovered over 30 new zero-day attacks in PyPI packages (Python Package Index). These were found between late March and late April by monitoring an open source ecosystem.
The packages in the following set were found to be similar:
tls-bypass (version 1.0)
zproxy (version 1.0)
stripe-client (version 1.0)
stripepy (version 1.0)
proxycpz (version 1.0)
pycolorstrex (version 1.0)
pyproxyx (version 1.0)
colored-fidget (version 1.0)
The setup.py file in these packages tries to execute a Python script written to connect to a URL that may contain malicious code.
2. The next set of packages includes:
ailzyn1tr0 (version 1.0)
oauth20-api (version 1.0)
bogdi (version 1.0)
The setup.py file in these packages tries to steal information, such as credit cards, wallets, account logins, etc. using a Discord webhook.
. 3. This set includes the following package:
async-box (version 1.4.7)
The setup.py file in this package tries to download a zip file to a directory (depending on the Python version), extract its contents, run a script contained in the zip file, and then remove its directory.
4. This set includes the following package:
seleniumunclickable (version 1.0.1)
The setup.py file in this package connects to a URL to download and run a potentially malicious script.
5. This set includes the following package:
pyobfexecute (versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5)
Its setup.py file tries to execute the encoded data
6. The packages in this set include:
compilecls (versions 1.0.2, 1.0.3)
randgenlib (version 1.0.2)
pipcoloringlibary (version 1.0.0)
pipcoloringliberyV2 (version 1.0.0)
pythoncolourlibraryV1 (version 1.0.0)
Similar to set two, these packages tr yto steal sensitive information such as wallets, login information, cookies, etc., using a webhook.
7. Package seven includes:
aietelegram (version 0.3)
social-scapper (version 3.6)
quick-telegram-sender (version 0.7)
libidreq (version 0.1)
setnetwork (version 0.3)
tg-bulk-sender (version 2.3)
social-scrappers (version 2.3)
tiktok-phone-cheker (version 2.42)
cloud-client (version 1.34)
cloudfix (versions 0.0.0, 2)
When examining its setup.py, it was found that it tries to run the encoded data shown below. Once decoded, it creates and runs an executable file that accesses and exfiltrates sensitive data.
8. This set includes the following package:
roblopython (version 2.0.15)
This package’s setup.py file reveals the execution of encoded data, as shown in Figure 11. Once decoded, it tries to retrieve potentially malicious data—most likely an executable from a URL—to write to a file, which it then tries to run.
9. This set includes the following package:
pycalculate (version 1.0.0)
This package contains multiple layers of obfuscation in its setup.py file. While it could not fully run, it still dropped a script named ‘WindowsDefender.py,’ which provides clues that it will execute a potentially malicious script that it retrieved from a file-sharing website.
Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.