Malicious Python Package Discovered

May 14 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that eats cybercriminals for breakfast ☕🍳🥞

Today’s hottest cybersecurity news stories:

  • 🐍 Python package hides Sliver C2 Framework 📦

  • 💰 Black Basta ransomware strikes 500 entities globally 🌎

  • 📑 Cinterion modems’ vulnerabilities are ticking time bomb 💣

Python Slivers 💀💀💀

🚨 Breaking News: Malicious Python Package Discovered! 🐍🔍

Attention Python developers! A malicious Python package named requests-darwin-lite has been unearthed, masquerading as a variant of the popular requests library but harbouring a sinister payload: a concealed Golang version of the Sliver command-and-control (C2) framework tucked away within a PNG image of the project's logo. 😱🖼️💻

Deceptive Tactics Unveiled! 🕵️‍♂️🔍

requests-darwin-lite, disguised as a legitimate fork of the requests package, cunningly embeds a malicious Go binary into an oversized version of the authentic requests sidebar PNG logo. This steganographic deception aims to evade detection while facilitating nefarious activities on compromised systems. 😈💥

MacOS-Specific Threat! 🐍🔒

The package's setup.py file orchestrates a devious scheme, executing a Base64-encoded command to harvest the system's Universally Unique Identifier (UUID) but exclusively targeting Apple macOS devices, thus posing a grave risk to Mac users. 🚫💻

Potential Targeted Attack! 🎯🛡️

The presence of a specific UUID match suggests a highly targeted attack or a preparatory phase for a broader campaign, underscoring the calculated nature of the threat actors behind this insidious scheme. 🎯🤔

Concealed Malware Unveiled! 💣🔍

Beneath the innocuous facade lies the concealed Golang-based Sliver C2 framework, strategically hidden within an oversized PNG image. This covert payload poses a significant security risk, highlighting the pervasive threat posed by malware infiltrating open-source ecosystems. 🌐🛡️

Urgent Call to Action! 🚨🔍

Python developers are urged to exercise caution and vigilance while sourcing packages from repositories like PyPI, emphasising the critical need for robust supply chain security measures to thwart malicious actors' advances. By remaining informed and proactive, we can fortify our defences and safeguard against emerging threats. 💪🔒
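The two tells described in this story (a logo PNG padded with a binary after its IEND chunk, and a setup.py that decodes Base64 and runs it only on macOS) can both be checked before a package is installed. The following is an added example written for this newsletter, not code from the package or from any researcher; the PNG and the setup.py snippet are constructed test inputs, and the "uuid" pattern is an assumption about how such a lookup would be spelled.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_bytes_after_iend(data: bytes) -> int:
    """Walk the PNG chunk list and return how many bytes trail IEND.
    A clean logo returns 0; a large tail is the oversized-PNG pattern above."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + chunk data + CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("truncated PNG: no IEND chunk found")

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG skeleton (IHDR + IEND) used as test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IEND", b"")

# Indicators mirroring the setup.py behaviour described in the story; the
# "uuid" pattern is an assumption about how such a lookup would be spelled.
SETUP_PATTERNS = {
    "base64 decode": re.compile(r"b64decode|base64\.decode"),
    "command execution": re.compile(r"\b(exec|eval|os\.system|os\.popen|subprocess\.\w+)\s*\("),
    "macOS-only branch": re.compile(r"platform\.system\(\)\s*==\s*['\"]Darwin['\"]|sys\.platform\s*==\s*['\"]darwin['\"]"),
    "UUID lookup": re.compile(r"uuid", re.I),
}

def setup_indicators(source: str) -> list:
    """Return the names of every indicator found in a setup.py source."""
    return [name for name, pat in SETUP_PATTERNS.items() if pat.search(source)]

# Constructed sample setup.py (not the real package); "aWQ=" only decodes to "id".
SAMPLE_SETUP = '''
import base64, platform, subprocess
from setuptools import setup
if platform.system() == "Darwin":
    subprocess.run(base64.b64decode("aWQ=").decode(), shell=True)
setup(name="example-package")
'''
```

Run `png_bytes_after_iend` over every image in a downloaded sdist and `setup_indicators` over its setup.py; a non-zero tail or a hit on the macOS-only plus Base64 plus execution combination is worth a manual look before the package reaches a build.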

Hackers: And I go Basta Black 🎶👀🙃

🚨 Black Basta Ransomware Targets Critical Infrastructure! 💻🔒

A coalition of cybersecurity agencies, including CISA, FBI, HHS, and MS-ISAC, has issued a stark warning about the insidious Black Basta ransomware-as-a-service (RaaS) operation, which has wreaked havoc on over 500 private industry and critical infrastructure entities across North America, Europe, and Australia since its emergence in April 2022. 😱💼🌍

Sophisticated Tactics Unveiled! 🕵️‍♂️🔍

Black Basta employs common initial access techniques like phishing and exploiting known vulnerabilities before executing a double-extortion model, encrypting systems, and exfiltrating sensitive data. Unlike other ransomware groups, Black Basta's ransom notes eschew initial demands, instead providing victims with a unique code and directing them to contact the gang via a .onion URL. 📧🔒

Elevated Threat to Critical Sectors! ⚠️🔍

The threat actors have targeted at least 12 out of 16 critical infrastructure sectors, posing a grave risk to essential services and infrastructure. The ransomware's malicious activities have been linked to the utilisation of advanced tools and techniques, including the exploitation of known security flaws and the deployment of a diverse arsenal of attack vectors. 💼💥🔓

Ransomware Landscape in Flux! 🔄💰

As law enforcement intensifies efforts against ransomware operators like ALPHV and LockBit, the landscape undergoes a significant shift. While ransomware payments have declined, new threat actors and ransomware strains continue to emerge, demonstrating the dynamic nature of the ransomware ecosystem. Victims increasingly refuse to pay the demanded ransom amounts, with payment rates touching record lows. 💰📉🔒

Call to Vigilance and Preparedness! 🛡️🚨

In light of these developments, organisations, especially those in critical sectors, are urged to bolster their cybersecurity defences, enhance threat intelligence sharing, and implement robust incident response protocols to mitigate the risk posed by ransomware attacks. By remaining vigilant and proactive, we can collectively combat the evolving threat landscape and safeguard our digital assets and infrastructure. 💪🔒

Visual-based newsletter on business and tech

We explain the latest business, finance, and tech news with visuals and data. 📊

All in one free newsletter that takes < 5 minutes to read. 🗞

Save time and become more informed today. 👇

It’s the Cinterion challenge 🍺🍺🍺

🚨 Critical Flaws Found in Cinterion Cellular Modems! 💻🔍

Cybersecurity researchers have uncovered a series of severe security vulnerabilities in Cinterion cellular modems, originally developed by Gemalto and later acquired by Telit from Thales. These vulnerabilities, disclosed at OffensiveCon in Berlin, pose significant risks to communication networks and IoT devices across various sectors, including industrial, healthcare, automotive, financial, and telecommunications. 📶💥🔓

Critical Flaws Unveiled! 🕵️‍♂️🔍

The list of eight vulnerabilities includes buffer overflow, privilege escalation, directory traversal, and exposure of sensitive information weaknesses. Of particular concern is CVE-2023-47610, a heap overflow flaw enabling remote attackers to execute arbitrary code via SMS messages, potentially compromising the integrity and security of the targeted systems. 🛠️💣💼

Mitigation Measures Urged! 🛡️🔒

To mitigate these threats, organisations are advised to take immediate action, including disabling non-essential SMS messaging capabilities, implementing private Access Point Names (APNs), controlling physical access to devices, and conducting regular security audits and updates. These proactive measures are crucial in safeguarding critical infrastructure and IoT ecosystems against potential exploitation by threat actors. 💪🔐

Collaborative Efforts Underway! 🤝🔍

Security researchers Sergey Anufrienko and Alexander Kozlov, credited with discovering and reporting the flaws, have collaborated with Kaspersky ICS CERT to raise awareness and facilitate remediation efforts. Despite the challenges posed by the integration of modems within complex solutions, concerted action is essential to address these vulnerabilities and ensure the resilience of interconnected systems. 🌐🔍

Stay Vigilant, Stay Secure! 🛡️🔒

As threats to cybersecurity continue to evolve, maintaining vigilance and adopting proactive security measures are paramount. By working together and remaining vigilant, we can effectively mitigate risks and safeguard our digital infrastructure against emerging threats. 💻🔐

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
