
Info Stealer Identified in a PyPI Package


GitHub user duxinglin1 has identified three PyPI packages, 'keep', 'pyanxdns', and 'api-res-py', that declared a malicious dependency named 'request'.

Last month, duxinglin1 found the affected versions declaring the misspelled 'request' dependency instead of the authentic 'requests' library. CVEs assigned to the affected versions are:

• CVE-2022-30877 - 'keep' version 1.2 contains the backdoor 'request'
• CVE-2022-30882 - 'pyanxdns' version 0.2 impacted
• CVE-2022-31313 - 'api-res-py' version 0.1 impacted

According to duxinglin1, the risk from the 'keep' package is considerable because it receives over 8,000 downloads per week on average, whereas 'pyanxdns' and 'api-res-py' are small-scale projects with far less exposure.

Back in 2020, Tencent Onion Anti-Intrusion System discovered a malicious typosquat named 'request' uploaded to the PyPI registry; it imitated the requests HTTP library but dropped info-stealing malware.

"We found a malicious backdoor in version 1.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by PyPI, many mirror sites did not completely delete this package, so it could still be installed," duxinglin1 explained. The malicious backdoor inside the counterfeit 'request' includes a base64-encoded URL pointing to a file named 'check.so'.

The file 'check.so' is loaded with a Remote Access Trojan (RAT), while 'x.pyx' contains data-theft malware that exfiltrates cookies and private data from web browsers such as Chrome, Firefox, Yandex, Brave, and others. Attackers holding the stolen credentials then attempt to compromise other accounts used by the developer, potentially leading to further supply-chain attacks.

Bleeping Computer contacted the developers of each of these packages to determine whether the faulty dependency was a simple typographical error or the result of hijacked maintainer accounts. The author of 'pyanxdns', Marky Egebäck, confirmed it was a typographical error rather than an account compromise.

Additionally, it appears that the developers of the other two packages also introduced 'request' rather than the legitimate 'requests' due to an innocent typing error. 

"Sorry to say by a simple typo in the setup.py file since git history shows that this was added when the install requires was added by me. This was [an] honest mistake based on a typo in the setup.py. I generally don’t publish things on PyPI but I made this quickly for a friend and myself. Not sure if he has promoted this but the purpose was mainly for personal use in [an] internal docker project," stated Egebäck.
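The common thread in all three packages is a one-character slip in the declared dependency name, which is exactly the kind of mistake a pre-publish check can catch. The following is an added example, not code from duxinglin1, Bleeping Computer or any of the projects named above: it parses requirement-style lines (the same shape as `install_requires` entries in setup.py), normalizes the names, and flags any name that is one edit away from a well-known package. The allow-list of known package names is a constructed placeholder; in practice it would be the project's vetted dependency inventory.

```python
import re

# Constructed allow-list of well-known PyPI names (assumption: a real deployment
# would use the project's own vetted inventory rather than this short list).
KNOWN_PACKAGES = {
    "requests", "urllib3", "numpy", "cryptography",
    "flask", "django", "pyyaml", "setuptools",
}

# Leading project name of a requirement specifier, e.g. "request>=2.20" -> "request".
DEP_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

# Constructed sample requirements; 'request' and 'crytography' are typos.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
request>=2.20
numpy==1.22.0
flask
crytography>=3.0
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def declared_names(requirements_text: str) -> list:
    """Extract dependency names from requirement-style lines, skipping comments/options."""
    names = []
    for line in requirements_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        m = DEP_NAME.match(line)
        if m:
            names.append(m.group(1))
    return names


def find_near_misses(requirements_text: str, known=KNOWN_PACKAGES, max_distance: int = 1) -> list:
    """Return (declared, suggested) pairs for names that are not in the allow-list
    but sit within max_distance edits of a known package name."""
    known_norm = {normalize(k) for k in known}
    findings = []
    for declared in declared_names(requirements_text):
        norm = normalize(declared)
        if norm in known_norm:
            continue  # exact match, nothing to flag
        # Closest known name; sorted() keeps the choice deterministic on ties.
        best = min(sorted(known_norm), key=lambda k: levenshtein(norm, k))
        if levenshtein(norm, best) <= max_distance:
            findings.append((declared, best))
    return findings


if __name__ == "__main__":
    for declared, suggested in find_near_misses(SAMPLE_REQUIREMENTS):
        print(f"suspicious dependency {declared!r}: did you mean {suggested!r}?")
```

Run against the sample it reports `request` (meant `requests`) and `crytography` (meant `cryptography`); hooking this into CI before `twine upload` would have stopped the 'keep' release described above from ever pulling in the typosquat.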

QNAP: New Crypto-Miner Targeting NAS Devices


A new variant of crypto-mining malware is affecting QNAP's network-attached storage (NAS) devices, as per a new security advisory posted by the Taiwanese hardware firm QNAP. 

The firm did not reveal how the devices were infected, but it did state that once the malware had established a foothold on an affected system, it would create a process named [oom reaper] that consumed about 50% of total CPU usage.

QNAP stated, “This process mimics a kernel process but its PID is usually greater than 1000.” 
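That description gives defenders something concrete to look for: a bracketed, kernel-thread-looking name on a process that was not spawned by the kernel. The following is an added example, not from QNAP's advisory: it parses `ps -eo pid,ppid,args` style output and flags bracketed process names whose PID exceeds the advisory's 1000 threshold or, more robustly, whose parent is neither PID 0 nor kthreadd (PID 2), which is where genuine Linux kernel threads hang. The sample output is constructed; the assumption that QTS/QuTS exposes a procps-style `ps` with that column layout is mine.

```python
import re

# Constructed sample in the shape of `ps -eo pid,ppid,args` output (assumption:
# QTS/QuTS is Linux-based and a procps-style ps is available). The genuine
# kernel thread is spelled oom_reaper and is parented by kthreadd (PID 2);
# the impostor sits under PID 1 with a high PID, as the advisory describes.
SAMPLE_PS_OUTPUT = """\
  PID  PPID COMMAND
    1     0 /sbin/init
    2     0 [kthreadd]
   45     2 [oom_reaper]
 4321     2 [kworker/0:1]
 1234     1 [oom reaper]
 2345  1234 /usr/bin/python3 worker.py
"""

PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.*)$")


def parse_ps(text: str) -> list:
    """Return (pid, ppid, args) tuples, skipping the header and unparsable lines."""
    rows = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3).strip()))
    return rows


def find_kernel_impostors(ps_text: str, pid_threshold: int = 1000) -> list:
    """Flag bracketed (kernel-thread-style) names that either have a high PID
    (the advisory's heuristic) or a parent other than PID 0 or kthreadd (PID 2)."""
    findings = []
    for pid, ppid, args in parse_ps(ps_text):
        if not (args.startswith("[") and args.endswith("]")):
            continue  # ordinary user process name, out of scope here
        bad_parent = ppid not in (0, 2)
        high_pid = pid > pid_threshold
        if bad_parent or high_pid:
            findings.append({
                "pid": pid,
                "ppid": ppid,
                "args": args,
                "bad_parent": bad_parent,
                "high_pid": high_pid,
            })
    return findings


if __name__ == "__main__":
    for f in find_kernel_impostors(SAMPLE_PS_OUTPUT):
        reasons = [r for r, hit in (("parent is not kthreadd", f["bad_parent"]),
                                    ("PID > 1000", f["high_pid"])) if hit]
        print(f"PID {f['pid']} {f['args']!r}: {', '.join(reasons)}")
```

On the sample, the late-spawned kworker trips only the PID heuristic (kernel threads created after boot routinely get high PIDs), while `[oom reaper]` trips both, which is why the parent check is the signal worth alerting on; the real `oom_reaper` thread under PID 2 is left alone.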

While the infections are being examined, QNAP advised customers to protect themselves by updating their devices' operating systems (known as QTS or QuTS) and all QNAP add-on software. Furthermore, the company advised users to change all of their NAS account passwords, because it was unclear whether the attackers leveraged a vulnerability or simply brute-forced an internet-exposed device that used a weak password.

QNAP advised customers to reboot their devices and download and install the company's "Malware Remover" tool from the device's built-in App Center to eliminate the infection. The company's advisory provides step-by-step instructions on how to complete all three procedures above. 

Malware attacks on QNAP systems in the past 

QNAP devices have been a recurring target for malware gangs. Ransomware strains such as Muhstik, Qlocker, eCh0raix, and AgeLocker have all targeted QNAP devices in recent years, with attackers gaining access to customer NAS systems, encrypting data, and then demanding relatively small ransom payments.

Crypto-mining malware has been less common but not unprecedented. QNAP NAS devices were targeted by the Dovecat crypto-mining malware in late 2020 and early 2021, which exploited weak passwords to gain access to QNAP systems. In 2019 and 2020, the QSnatch malware targeted the company's NAS devices, infecting roughly 62,000 systems by mid-June 2020, according to CISA and the UK NCSC.

QSnatch did not have crypto-mining functionality, but it did have an SSH password stealer and exfiltration capabilities, which were the primary reasons that national cybersecurity agencies in the United States, the United Kingdom, Finland, and Germany became involved and issued national alerts about the botnet's operations.