Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that has racked up thousands of downloads for over three years while stealthily exfiltrating developers' Amazon Web Services (AWS) credentials.
The package in question is "fabrice," which typosquats a popular Python library known as "fabric," which is designed to execute shell commands remotely over

Vulnerability / Cloud Security

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that has racked up thousands of downloads for over three years while stealthily exfiltrating developers' Amazon Web Services (AWS) credentials.

The package in question is "fabrice," which typosquats a popular Python library known as "fabric," which is designed to execute shell commands remotely over SSH.

While the legitimate package has over 202 million downloads, its malicious counterpart has been downloaded more than 37,100 times to date. As of writing, "fabrice" is still available for download from PyPI. It was first published in March 2021.

The typosquatting package is designed to exploit the trust associated with "fabric," incorporating "payloads that steal credentials, create backdoors, and execute platform-specific scripts," security firm Socket said.

"Fabrice" is designed to carry out its malicious actions based on the operating system on which it's installed. On Linux machines, it uses a specific function to download, decode, and execute four different shell scripts from an external server ("89.44.9\[.\]227").

On systems running Windows, two different payloads – a Visual Basic Script ("p.vbs") and a Python script – are extracted and executed, with the former running a hidden Python script ("d.py") stored in the Downloads folder.

"This VBScript functions as a launcher, allowing the Python script to execute commands or initiate further payloads as designed by the attacker," security researchers Dhanesh Dodia, Sambarathi Sai, and Dwijay Chintakunta said.

The other Python script is designed to download a malicious executable from the same remote server, save it as "chrome.exe" in the Downloads folder, set up persistence using scheduled tasks to run the binary every 15 minutes, and finally delete the "d.py" file.

The end goal of the package, regardless of the operating system, appears to be credential theft, gathering AWS access and secret keys using the Boto3 AWS Software Development Kit (SDK) for Python and exfiltrating the information back to the server.

"By collecting AWS keys, the attacker gains access to potentially sensitive cloud resources," the researchers said. "The fabrice package represents a sophisticated typosquatting attack, crafted to impersonate the trusted fabric library and exploit unsuspecting developers by gaining unauthorized access to sensitive credentials on both Linux and Windows systems."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malicious PyPI Package ‘Fabrice’ Found Stealing AWS Keys from Thousands of Developers

Cisco has released security updates to address a maximum severity security flaw impacting Ultra-Reliable Wireless Backhaul (URWB) Access Points that could permit unauthenticated, remote attackers to run commands with elevated privileges.
Tracked as CVE-2024-20418 (CVS score: 10.0), the vulnerability has been described as stemming from a lack of input validation to the web-based management

Vulnerability / Wireless Technology

Cisco has released security updates to address a maximum severity security flaw impacting Ultra-Reliable Wireless Backhaul (URWB) Access Points that could permit unauthenticated, remote attackers to run commands with elevated privileges.

Tracked as **CVE-2024-20418** (CVS score: 10.0), the vulnerability has been described as stemming from a lack of input validation to the web-based management interface of the Cisco Unified Industrial Wireless Software.

"An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system," Cisco said in an advisory released Wednesday.

"A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device."

The shortcoming impacts following Cisco products in scenarios where the URWB operating mode is enabled -

*   Catalyst IW9165D Heavy Duty Access Points
*   Catalyst IW9165E Rugged Access Points and Wireless Clients
*   Catalyst IW9167E Heavy Duty Access Points

The networking equipment maker emphasized that products that are not operating in URWB mode are not affected by CVE-2024-20418. It said the vulnerability was discovered during internal security testing.

It has been addressed in Cisco Unified Industrial Wireless Software version 17.15.1. Users who are on versions 17.14 and earlier are recommended to migrate to a fixed release.

Cisco makes no mention of the flaw being actively exploited in the wild. That said, it's essential that users move quickly to apply the latest patches to secure against potential threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems

The company comes out of stealth with a tool that integrates directly into the developer's IDE to find flaws, offer remediation advice, and training materials to write secure code.

Source: Kirbyphoto via iStock Photo

The concept of shift left, or integrating security earlier in the software development life cycle, is important for application security, but it can be difficult to achieve. Developers need to take on some security responsibilities, but that means they need to be properly equipped with integrated security tools that fit their workflows.

This is the issue that Symbiotic Security, which launched this week, is tackling with its software-as-a-service platform, which integrates vulnerability detection and remediation capabilities directly into the application developer's integrated development environment (IDE). The platform also provides just-in-time training to developers so that they have the information on how to write secure code.

"Using Symbiotic is like having a personal security coach right next to you as you code," says Jerome Robert, co-founder and CEO of Symbiotic Security. "It provides real-time feedback on the security mistakes you're making, and it's training you so you don't repeat these mistakes."

The plug-in in the developer's IDE continuously scans code — as the developer types as well as the code that has already been written — and identifies potential security threats. The developer gets contextual remediation advice right in the IDE.

"Our security nudges are perceived as coaching," Robert says. "It's a tool that'll make them save time by not having to come back to fix old code."

Developers can also access the training materials — in the form of capture-the-flag (CTF) content — to learn what the problem is and why it is a problem. They see examples of secure and vulnerable code and are presented with a snippet of insecure code to find and fix as part of a game to help improve secure coding skills.

The difference between Symbiotic Security's plug-in and other code security tools is where the issues are identified, Robert says. Many of the others catch mistakes after the code has been written, often during code commits or when integrated with the rest of the build.

"Nobody feels bad making a few mistakes here and there in a draft, and that's the mental state we want developers to be when we advise them on security," Robert says. "If we were at commit \[or, more commonly, in the CI\], we'd be basically flagging issues after a developer said, 'This is my final release, this code is good to go.'"

As part of the launch, Symbiotic Security also raised $3 million in seed funding from investors including Lerer Hippeau, Axeleo Capital, and Factorial Capital. Symbiotic Security said its product is currently deployed at eight companies.

**About the Author**

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Symbiotic Security Launches Scanning Tool to Help Fix Flaws in Code

When using the public cloud there are always challenges which need to be overcome. Organizations lose some of the control over how security is handled and who can access the elements which, in most cases, are the core of the company's business. Additionally, some of those elements are controlled by local laws and regulations.This is especially true in the Financial Services and Insurance Industry (FSI) where regulations are gradually increasing in scope. For example in the EU, the emerging Digital Operational Resiliency Act (DORA) now includes the protection and handling of data while it is ex

Secure cloud bursting: Leveraging confidential computing for peace of mind

Attackers are triggering victims' deep-seated fear of getting in trouble in order to spread the sophisticated stealer across continents.

Source: Charles Walker Collection via Alamy Stock Photo

Hundreds of companies worldwide have been targeted with spear-phishing emails claiming copyright infringement that actually deliver an infostealer.

Starting in July, Check Point Research began to track the emails as they spread across the Americas, Europe, and Southeast Asia, coming from a new domain each time. Hundreds of its customers have been targeted, indicating that the real reach of the campaign may be far greater still.

The goal of the emails is to bait guilt-riddled victims into downloading Rhadamanthys, a sophisticated infostealer equally capable of pilfering nation-state intelligence or, in this case, cryptocurrency wallet passphrases.

**CopyR(ight)hadamantys**

No two emails in the campaign that researchers have dubbed "CopyR(ight)hadamantys" come from the same address, indicating that there must be some kind of automation behind their distribution. This automation proves awkward in some circumstances — like when an Israeli target receives an email almost entirely in Korean — and limits the emails' ability to realistically impersonate known brands.

Each one is made to seem as if it came from legal representatives of specific, known companies. Nearly 70% of those companies come from either technology — like Check Point itself — or from media and entertainment industries.

The profile of impersonated brands weaves in neatly with the story the attackers peddle: that recipients have posted some sort of content on social media that violated a copyright. "I assume everyone has done it to some degree in his life," says Sergey Shykevich, threat intelligence group manager at Check Point. "It just makes people hesitate and think, 'Oh, did I use some wrong image? Did I copy some text \[by accident\]?' Even if you didn't."

Recipients are asked to remove specific images and videos, the details of which are contained in a password-protected file. The file is actually a link that redirects the user to download an archive from Dropbox or Discord. The archive contains a decoy document, a legitimate executable, and a malicious dynamic link library (DLL) containing the Rhadamanthys stealer.

**What to Know About Rhadamanthys**

Rhadamanthys is a popular and accomplished information stealer. As Shykevich explains, "It's without any doubt the most sophisticated of those infostealers which are sold as commodity malware in the Dark Web. It's more expensive than other infostealers: Mostly you'll rent other infostealers from between $100 to $200. Rhadamanthys is more, around $1,000. It's much more modular, more obfuscated, and more complicated in how it's built: The way it loads itself, hides itself, all this makes detection much more complicated."

Among other features, the newest Rhadamanthys version 0.7 sports a slightly archaic machine-learning-based optical character recognition (OCR) component. It's hardly advanced artificial intelligence (AI) — it struggles with text in mixed colors, can't read handwriting, and only interprets the most popular fonts. Nonetheless, it helps the malware read data from static documents (like PDFs) and images.

In CopyR(ight)hadamantys, the OCR module comes loaded with a dictionary of 2,048 words associated with Bitcoin wallet protection codes. This might suggest that the attackers are after cryptocurrencies, which, if true, would also align with the campaign's broad targeting, characteristic of financially motivated campaigns. In recent months, Rhadamanthys has also been associated with nation-state threat actors like Iran's Void Manticore, and the pro-Palestine group "Handala."

**One Strange Stealth Feature**

Organizations looking to defend against CopyR(ight)hadamantys should start with phishing protections, but there's another quirk of the campaign worth noting as well.

After making landfall, the malicious DLL writes a significantly larger version of itself to the victim computer's Documents folder, which masquerades as a component of Firefox. This version of the file is functionally equivalent to the first. What makes it so much heavier is an "overlay" — useless data that serves two meta-functions. First, it changes the file's hash value, a common means by which antivirus programs identify malware.

Some antivirus programs also avoid scanning extra large files. "For example, they don't want to run files associated with games, with a huge number of gigabytes, because it makes for an intense load," Shykevich explains. By this logic, an otherwise uselessly larger Rhadamanthys file might improve its chances of avoiding detection. Though, he adds, "It's not extremely common because it's also not convenient for the attackers to deal with huge files. With some email solutions, you can't attach files more than 20MB, so you need to send the victim to some external resource. So it's a tactic, but it's not some crazy tactic that always works."

Organizations might want to sniff out at any particularly large files that employees may be downloading from emails. "It's not easy, because there are many reasons why some legitimate files will be big," he says. "But I think it's possible to implement some \[effective\] rules for what you can download."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Fake Copyright Infringement Emails Spread Rhadamanthys

Campaigns like Silver Fox and Void Arachne are deploying the framework, using social media and messaging platforms to lure in victims.

Source: RaymondAsiaPhotography via Alamy Stock Photo

Researchers are warning of an advanced malicious framework called Winos4.0 that's getting distributed in the installation tools, speed boosters, and optimization utilities for gaming applications.

The framework is rebuilt from Gh0strat with several modular components, each of them handling different functions; the framework has been deployed in several attack campaigns such as Silver Fox and Void Arachne.

"Winos4.0 is an advanced malicious framework that oﬀers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute further actions," Fortinet FortiGuard Labs researchers stated.

The campaigns using this framework have been previously documented by Trend Micro and the KnownSec 404 Team and have been observed targeting Chinese-speaking users, leveraging SEO tactics, social media, and messaging platforms like Telegram to distribute the malware.

Once the victim runs the application, it retrieves a fake BMP file from the server ad59t82g\[.\]com. The file then extracts the DLL, which is responsible for setting up the execution environment, according to the researchers.

The attack chain involves multiple encrypted data and C2 communication to complete the injection of the malware.

"Threat campaigns leverage game-related applications to lure a victim to download and execute the malware without caution and successfully deploy deep control of the system," the Fortinet researchers added. Users should be wary of any new applications' source and only download software from reputable sources.

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Chinese Gamers Targeted in Winos4.0 Framework Scam

Google Cloud will take a phased approach to make multifactor authentication mandatory for all users.

Source: Genius Studio via Adobe Stock Photo

In a bid to improve account security, Google will enforce mandatory multifactor authentication (MFA) for all Google Cloud users by the end of 2025. Currently, 70% of Google users have MFA enabled.

This requirement will apply to all Google Cloud users who currently use passwords for authentication and all new users; it will not apply to general consumer Google accounts. The company will begin the first phase of a year-long implementation this month.

*   In Phase 1, Google Cloud administrators will receive information on how to prepare for the transition. Phase 1 will raise awareness and provide materials to help plan a rollout and conduct testing.
    
*   Phase 2, to begin in early 2025, will require all new users and existing Google Cloud users who use passwords for authentication to enable MFA on their accounts. The notifications and guidance will be displayed in Google Cloud Console, Firebase Console, gCloud, and other platforms.
    
*   Phase 3, at the end of 2025, will require users who federate authentication into Google Cloud to turn on MFA. Users can enable MFA with their primary identity providers before accessing Google Cloud — or add an extra layer of MFA through the Google account.
    

"Beginning this month, you'll find helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan your rollout, conduct testing, and smoothly enable MFA for your users," the company said.

MFA adoption is one of the key recommendations in the Cybersecurity and Infrastructure Security Agency's (CISA) Secure By Design initiative. The shift to mandatory MFA is happening throughout the industry. In June, Amazon started requiring mandatory MFA for Amazon Web Services. Customers signing into the AWS Management Console with the root user of an AWS Organizations management account also had to start using MFA, which has since been extended to stand-alone accounts outside of AWS Organizations.

Mandatory MFA has also be adopted by Snowflake, which in July introduced an option to allow administrators to enforce mandatory MFA for all users. The following monty, Microsoft announced its rollout for Microsoft Azure. Microsoft's plan, similar to Google Cloud's, takes a phased approach. Phase 1 for Microsoft started last month, with MFA required to sign in to Azure portal, Microsoft Entra admin center, and Intune admin center. Phase 2, also beginning early next year, will gradually enforce MFA for Azure CLI (command-line interface), Azure PowerShell, Azure mobile app, and infrastructure-as-code tools.

While CISA has said that MFA means users are 99% less likely to be hacked, it is important to remember that MFA is not foolproof.

"Mandatory MFA is necessary but not sufficient for enterprise security," says Jasson Casey, CEO of Beyond Identity. "This is because MFA is not created equal and doesn't offer the same level of security assurances."

MFA and two-factor authentication has been in use in some shape or form for more than 20 years, and attackers have had time to innovate against it, said Kris Bondi, CEO and co-founder of Mimoto, in an emailed statement. Threat actors are increasingly launching phishing operations that can bypass legacy MFA, which is why the National Institute of Standards and Technology and CISA have urged adopting phishing-resistant MFA.

Google Cloud to Enforce MFA on Accounts in 2025

The draft amendment also includes prison time for those who access systems to maliciously spy or intercept data.

Source: Simon Tilley via Alamy Stock Photo

Germany's Federal Ministry of Justice has drafted legislation that would protect security researchers who discover and report security flaws to vendors.

The draft eliminates criminal liability for people who choose to warn businesses, and ultimately the public, of cyber vulnerabilities. The proposed law amends an existing law that protects IT security researchers, companies, and hackers from punishment.

Certain criteria must be met for the act to be considered security research. The action must aim to identify a vulnerability or security risk in an IT system, and the researcher who discovers the flaw must have the intent of reporting the vulnerability to those responsible for addressing the issue. They should also only be accessing a system to identify a vulnerability.

The draft proposes a penalty of three to five months in prison for severe cases of malicious data spying and data interception that include criminal acts, acts motivated by profit, or those that result in substantial financial damage.

"Those who want to close IT security gaps deserve recognition — not a letter from the prosecutor," stated Marco Buschmann, the Federal Minister of Justice.

**About the Author**

German Law Could Protect Researchers Reporting Vulns

SANS's "2024 State of ICS.OT Cybersecurity report" highlights the most common types of attack vectors used against ICT/OT networks.

Attacks against industrial-control systems (ICS) and operational technology (OT) systems are increasing, as adversaries find weaknesses in IT networks that allow them to move into OT networks, according to a recent report from the SANS Institute.

The "State of ICS/OT Cybersecurity 2024" report is based on responses from cybersecurity professionals in various critical-infrastructure sectors. More non-ransomware incidents (74.4%) were reported than ransomware (11.7%) over the past year, according to the report.

Other initial attack vectors involved in OT/ICS incidents include compromising these systems by use of external remote services (23.7%) or Internet-accessible devices (23.7%), compromising employee workstations (20.3%) and removable media (20.3%), and a supply chain compromise (20.3%). It's worth noting that 18.6% of respondents said attackers attempted spear-phishing with an email attachment for the initial compromise.

Nearly one out of five (19%) of respondents reported one or more security incidents over the past year.

While only 12% of respondents reported being the targets of ransomware attacks in the past 12 months, the impact on the OT/ICS environment remains "potentially catastrophic," SANS said in the report. Of the organizations that reported a ransomware incident, 38% said only their IT network systems were impacted, while 28.6% said their OT/ICS networks were affected. Just 21% said both networks were impacted, and 38.1% said reliability and safety were compromised during those attacks.

"Although the overall trend \[of ransomware\] seems to have decreased, the impacts are still potentially catastrophic and should be considered for all ICS/OT-specific incident response programs," SANS said.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems

Interpol disrupts 22,000 malicious IP addresses, 59 servers, 43 electronic devices, and arrests 41 suspected cybercriminals.

Source: Timon Schneider via Alamy Stock Photo

Operation Synergia II, an international law enforcement effort supported by the private cybersecurity sector, successfully dismantled a widespread cybercrime operation stretching from Hong Kong to Estonia, Interpol said this week.

Operation Synergia II was launched in April, with law enforcement collaborating with cybersecurity experts from Group-IB, Trend Micro, Kaspersky, and Team Cymru to track down thousands of servers used to commit cybercrimes involving phishing, infostealers, and ransomware attacks. Interpol discovered 30,000 malicious IP addresses and has already taken down 22,000, along with 59 servers.

Law enforcement across several countries contributed on-the-ground resources to perform house searches and seize electronics believed to support the cybercriminal operation — leading to the arrest of 41 people, with 65 others still under investigation, according to Interpol.

As part of the coordinated response, police in Hong Kong took down 1,037 servers, while in Mongolia police conducted 21 house searches and were able to identify 93 individuals believed to be linked to cybercrimes. Macau cops took 291 servers offline, and in Madagascar police tracked down 11 people linked to the servers and seized multiple devices. And in Estonia, authorities confisacted more than 80GB of server data, which is still being analyzed at Interpol.

"The global nature of cybercrime requires a global response which is evident by the support member countries provided to Operation Synergia II," Neal Jetton, Interpol's director of the Cybercrime Directorate, said in a statement. "Together, we've not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

Tag

#auth