Allurity has acquired Spanish multinational Aiuken Cybersecurity, as an important step in its journey to becoming Europe's leading cybersecurity provider. Aiuken brings an entire SOC platform spanning three continents, as well as its Cloud Security and SOC-as-a-Service platforms.

Aiuken Cybersecurity was founded in 2012 by former Telefónica executive Juan Miguel Velasco, who is currently the CEO and will continue to lead the company following this transaction. The company has achieved impressive growth and will continue its journey with Allurity as an accelerator.

According to Juan Miguel Velasco, CEO of Aiuken Cybersecurity, “We are proud to join forces with this flourishing European group that has big ambitions to have a long-term impact and drive our growth in the cybersecurity sector. We believe they will be truly valuable and contribute towards our continued rapid expansion with a shared vision to help organisations secure their digital assets via security solutions that combine the best of human and machine intelligence.”

Allurity CEO Frida Westerberg said: “I am delighted to welcome Aiuken to our growing group, consisting of best-in-class cybersecurity service providers in Europe. Aiuken is an important player in the south of Europe and several other countries in different parts of the world, enabling a true “follow the sun” model. Aiuken brings unique expertise, a scalable tech platform and high ambitions and we are committed to supporting them to reach their full potential. Together we have the common goal of fighting cybercrime and making the world a better place.”

This is the fourth company Allurity has acquired, following the purchases of Swedish companies Arctic Group, ID North and Pulsen IAM. Allurity will continue to add new companies to the group with the goal of improving data protection, reducing the significant cost of cyberattacks and contributing to improving talent and competence in the market.

This goal is fully aligned with the cybersecurity targets set by the EU, which is determined to support important business groups, as it seeks to build regional leaders and secure robust European competition.  

**About Aiuken Cybersecurity**

Aiuken Cybersecurity is a Spain-based international company that safeguards major corporations, telecommunications systems and critical infrastructure. The company offers a full suite of cutting-edge services: detecting, identifying and protecting against cybernetic threats, responding to incidents, and implementing and managing the very latest in 24/7 security technologies.

The company operates in seven countries – Spain, Morocco, Saudi Arabia, UAE, Chile, Côte d'Ivoire and Puerto Rico – and has over 300 clients and 120 employees.

https://www.aiuken.com/es

**About Allurity**

Allurity is a group of tech-enabled cybersecurity service providers, comprising best-in-class companies with a common purpose of enabling a safe digital world.

Allurity’s vision is to become the preferred partner of cybersecurity services in Europe. The group offers a full range of cybersecurity services, from proactive to reactive services and software, aimed at improving data protection and reducing the cost of cybercrime.

Allurity's growth strategy is backed by Trill Impact, a Swedish pioneering Impact House with the ambition to create powerful societal impact alongside competitive financial returns.

https://allurity.com/our-group-companies/

Allurity Acquires Spanish Multinational Aiuken Cybersecurity

SANTA CLARA, Calif., Sept. 22, 2022 /PRNewswire/ — Palo Alto Networks (NASDAQ: PANW), a Microsoft Azure private MEC ecosystem partner, today announced availability of VM-Series Virtual Next-Generation Firewall (NGFW) technology on the Azure Marketplace. Delivering end-to-end Zero Trust security at the enterprise edge, VM-Series virtual firewalls can now extend best-in-class NGFW capabilities to help protect Azure private MEC applications, providing centralized defense against cyberattacks.

Azure private MEC combines network functions, applications and edge-optimized Azure services managed from the cloud to deliver high-performance, ultra-low-latency 4G/5G private wireless solutions that address the modern business needs of enterprise customers.

"Our long-standing partner solutions with Azure and our VM-Series virtual firewalls have been protecting customer cloud environments for years," said Prem Iyer, vice president, Ecosystems GSI and CSP, Palo Alto Networks. "The new VM-Series 5G capabilities enable enterprises to secure mission-critical applications in industry verticals like manufacturing, healthcare, utilities and public sector, all of which demand the latest in private wireless network technology."

Mobile 5G networks with multi-access edge compute combine AI and cloud technologies to transform enterprises and industries. Customers choose this next-generation mobile technology for its security and reliability, but increasingly sophisticated networks must be safeguarded against a complex and escalating "threatscape." Palo Alto Networks 5G-Native Security on the VM-Series brings advanced Layer 7 security capabilities to help detect and block known exploits, malware, malicious URLs, spyware, and command and control (C2) to 5G-powered edge computing use cases. The VM-Series Next-Generation Firewall enables enterprises to achieve comprehensive security for end-user application traffic that traverses the Azure Private 5G Core, securing edge infrastructure and helping detect and mitigate malicious activity within the user traffic.

Key benefits of the solution include:

*   Faster time to market with a fully tested and validated solution.
*   Simpler deployment at scale from the Azure marketplace, facilitating a rapid rollout of NGFWs.
*   Predefined configuration templates for comprehensive zero-day security.

The Panorama management solution, integrated with Azure, allows for common management of VM-Series virtual firewalls deployed across all cloud and edge environments from a single console and provides centralized visibility and actionable insights into network traffic, logs and threats.

"We're pleased to add Palo Alto Networks 5G security products to Azure Marketplace and our Azure private MEC ecosystem," said Shriraj Gaglani, general manager, Azure for Operators. "This adds an important option for customers when architecting critical end-to-end security frameworks that underpin Industry 4.0 use-cases built on our Azure private MEC solution."

For more information about Microsoft Azure and Palo Alto Networks.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021) and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

Palo Alto Networks 5G-Native Security Now Available on Microsoft Azure Private Multi-Access Edge Compute

By Deeba Ahmed
The malware campaign is ongoing and one of its targets was ICICI bank in India.
This is a post from HackRead.com Read the original post: Fake Banking Rewards Apps Install Info-stealing RAT on Android Phones

Microsoft 365 Defender Research Team has published its findings on a new version of a previously reported info-stealer Android malware, highlighting that threat actors continuously evolve their attack spectrum.

**Research Findings**

According to Microsoft researchers, the malware is delivered in a currently active SMS campaign and masqueraded as a banking rewards app. The campaign’s primary targets are Indian bank customers. It starts with threat actors sending out messages containing a URL that basically lures the recipient into downloading the malware.

Upon user interaction, it displays a splash screen with the bank logo and proceeds to ask the user to enable specific permissions for the app.

The infection chain starts with an SMS message requesting the recipient to claim a reward from an Indian bank. This message contains a malicious link redirecting the user to downloading a fake banking rewards application. This app is detected as: “TrojanSpy:AndroidOS/Banker.O”

The app’s C2 server is linked to 75 different malicious APKs, all of which are based on open-source intelligence. The research team identified many other campaigns targeting Indian bank customers, including:

*   Icici\_points.apk
*   Icici\_rewards.apk
*   SBI\_rewards.apk
*   Axisbank\_rewards.apk

Their research revolved around icici\_rewards.apk, represented as ICICI Rewards. The malicious link inside the SMS message installs the APK on the recipient’s mobile device. After installation, a splash screen displaying the bank logo asks the user to enable specific permissions for the app.

Fake bank SMS with a malicious link – Malicious app asking for permission – Malicious app asking for user data

**Malware Analysis**

According to Microsoft’s blog post, what makes this new version different is the inclusion of additional RAT (remote access trojan) capabilities. Moreover, this malware is highly obfuscated. Its RAT capabilities allow attackers to intercept critical device notifications, for instance, incoming messages, and also try to capture 2FA messages that the user needs to access banking/financial apps.

The malware can steal all SMS messages and other data, such as OTP (one-time-password) PII (personally identifiable information), to help steal sensitive information for email accounts.

The malware runs in the background, using MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid features to carry out its routines and ensures these keep running to maintain persistence on the mobile device.

The MainActivity (launcher activity) is launched first to display the splash screen and then calls OnCreate() method for checking the device’s internet connection. It also records the malware installation timestamp. Permission\_Activity launched permission requests and later called AutoStartService, the malware’s main handler, and login\_kotak.

SMS campaign attack flow

> This malware’s continuing evolution highlights the need to protect mobile devices. Its wider SMS stealing capabilities might allow attackers to the stolen data to further steal from a user’s other banking apps. Its ability to intercept one-time passwords (OTPs) sent over SMS thwarts the protections provided by banks’ two-factor authentication mechanisms, which users and institutions rely on to keep their transactions safe.
> 
> Microsoft 365 Defender Research Team

To mitigate the threat, Android device users should disable the Unknown Sources option to prevent app installation from unverified sources. And they must rely on credible mobile security solutions to detect malicious apps.

1.  SpyNote Trojan (RAT); Yet Another Bad News for Android Users
2.  BRATA Android malware factory resets phones after stealing funds
3.  New MaliBot Android Malware Found Stealing Personal, Banking Data
4.  Fake Netflix, WhatsApp, Facebook Android Apps Contain SpyNote RAT
5.  New Russian Android Malware Tracks GPS Location and Spies on Victims

Fake Banking Rewards Apps Install Info-stealing RAT on Android Phones

As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years.
The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, IT management.
The shortcoming,

As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years.

The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, IT management.

The shortcoming, tracked as CVE-2007-4559 (CVSS score: 6.8), is rooted in the tarfile module, successful exploitation of which could lead to code execution from an arbitrary file write.

"The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a TAR archive," Trellix security researcher Kasimir Schulz said in a writeup.

Originally disclosed in August 2007, the bug has to do with how a specially crafted tar archive can be leveraged to overwrite arbitrary files on a target machine simply upon opening the file.

Put simply, a threat actor can exploit the weakness by uploading a malicious tarfile in a manner that makes it possible to escape the directory that a file is intended to be extracted to and achieve code execution, allowing the adversary to potentially seize control of a target device.

"Never extract archives from untrusted sources without prior inspection," the Python documentation for tarfile reads. "It is possible that files are created outside of path, e.g. members that have absolute filenames starting with '/' or filenames with two dots '..'."

The vulnerability is also reminiscent of a recently disclosed vulnerability in RARlab's UnRAR utility (CVE-2022-30333) that could lead to remote code execution.

Trellix has further released a custom utility called Creosote to scan for projects vulnerable to CVE-2007-4559, using it to uncover the vulnerability in the Spyder Python IDE as well as Polemarch.

"Left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," Douglas McKee noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

The tactic is just one in a constantly expanding bag of tricks that attackers are using to get users to click on links and open malicious documents.

A malicious campaign targeting Internet users in Slovakia is serving up another reminder of how phishing operators frequently leverage legitimate services and brands to evade security controls.

In this instance, the threat actors are taking advantage of a LinkedIn Premium feature called Smart Links to direct users to a phishing page for harvesting credit card information. The link is embedded in an email purportedly from the Slovakian Postal Service and is a legitimate LinkedIn URL, so secure email gateways (SEGs) and other filters are often unlikely to block it.

"In the case that Cofense found, attackers used a trusted domain like LinkedIn to get past secure email gateways," says Monnia Deng, director of product marketing at Bolster. "That legitimate link from LinkedIn then redirected the user to a phishing site, where they went to great lengths to make it seem legitimate, such as adding a fake SMS text message authentication."

The email also asks the recipient to pay a believably small amount of money for a package that is apparently pending shipment to them. Users tricked into clicking on the link arrive at a page designed to appear like one the postal service uses to collect online payments. But instead of merely paying for the supposed package shipment, users end up giving away their entire payment card details to the phishing operators as well.

**Not the First Tine Smart Links Feature Has Been Abused**

The campaign is not the first time that threat actors have abused LinkedIn's Smart Links feature — or Slinks, as some call it — in a phishing operation. But it marks one of the rare instances where emails containing doctored LinkedIn Slinks have ended up in user inboxes, says Brad Haas, senior intelligence analyst at Cofense. The phishing protection services vendor is currently tracking the ongoing Slovakian campaign and this week issued a report on its analysis of the threat so far.

LinkedIn's Smart Links is a marketing feature that lets users who are subscribed to its Premium service direct others to content the sender want them to see. The feature allows users to use a single LinkedIn URL to point users to multiple marketing collateral — such as documents, Excel files, PDFs, images, and webpages. Recipients receive a LinkedIn link that, when clicked, redirects them to the content behind it. LinkedIn Slinks allows users to get relatively detailed information on who might viewed the content, how they might have interacted with it, and other details.

It also gives attackers a convenient — and very credible — way to redirect users to malicious sites. 

"It's relatively easy to create Smart Links," Haas says. "The main barrier to entry is that it requires a Premium LinkedIn account," he notes." A threat actor would need to purchase the service or gain access to a legitimate user's account. But besides that, it's relatively easy for threat actors to use these links to send users to malicious sites, he says. "We have seen other phishing threat actors abuse LinkedIn Smart Links, but as of today, it's uncommon to see it reaching inboxes."

**Leveraging Legitimate Services**

The growing use by attackers of legitimate software-as-a-service and cloud offerings such LinkedIn, Google Cloud, AWS, and numerous others to host malicious content or to direct users to it, is one reason why phishing remains one of the primary initial access vectors.

Just last week, Uber experienced a catastrophic breach of its internal systems after an attacker social engineered an employee's credentials and used them to access the company's VPN. In that instance, the attacker — who Uber identified as belonging to the Lapsus$ threat group — tricked the user into accepting a multifactor authentication (MFA) request by pretending to be from the company's IT department.

It's significant that attackers are leveraging social media platforms as a proxy for their fake phishing websites. Also troubling is the fact that phishing campaigns have evolved significantly to not only be more creative but also more accessible to people who can’t write code, Deng adds.

"Phishing occurs anywhere you can send or receive a link," adds Patrick Harr, CEO at SlashNext. Hackers are wisely using techniques that avoid the most protected channels, like corporate email. Instead, they are opting to use social media apps and personal emails as a backdoor into the enterprise. "Phishing scams continue to be a serious problem for organizations, and they are moving to SMS, collaboration tools, and social," Harr says. He notes that SlashNext has seen an increase in requests for SMS and messaging protection as compromises involving text messaging becomes a bigger problem.

Threat Actor Abuses LinkedIn's Smart Links Feature to Harvest Credit Cards

Multiple Authenticated (custom specific plugin role) Persistent Cross-Site Scripting (XSS) vulnerability in Awesome Support plugin <= 6.0.7 at WordPress.

CVE-2022-38073: Awesome Support – WordPress HelpDesk & Support Plugin

At the SecTor 2022 conference in Toronto next month, researchers from Lookout will take a deep dive into Hermit and the shadowy world of mobile surveillance tools used by repressive regimes.

While NSO Group's Pegasus spyware is perhaps the highest-profile surveillance weapon used by repressive governments against civil society, a recently discovered, powerful mobile reconnaissance malware dubbed Hermit has come to light, being touted by an Italian developer as a "lawful intercept" tool.

At the upcoming SecTor 2022 conference in Toronto, Christoph Hebeisen, director of security intelligence research at Lookout, and Paul Shunk, security researcher at the firm, will lay out Hermit's surveillance capabilities, against the backdrop of the growing nation-state market and use of these shadowy applications.

So far, Lookout has observed the Hermit spyware being used by the government of Kazakhstan after the violent suppression of protests with the help of Russian armed forces; being applied by Italian law enforcement; and being deployed against the Kurdish minority in the conflict-plagued northeastern Syrian region of Rojava.

**Hermit: Hiding Out 1 Tier Below Pegasus**

The researchers will kick off their Oct. 5 session, entitled "A Hermit Out of Its Shell," with a discussion of where Hermit fits into the mobile spyware picture. It was developed by an Italy-based vendor called RCS Lab and a related company called Tykelab Srl, according to Hebeisen, and is usually distributed on both Android and iOS platforms by masquerading as legitimate mobile apps rather than in attacks that exploit software vulnerabilities.

"There's a varied market for these; NSO Group is certainly placed at the top of the field, and everybody recognizes the name, because they use zero-click exploits to get their surveillance malware onto the device without the user even noticing anything," Hebeisen tells Dark Reading. "But then there is a tier of these weapons just below that, which are distributed as apps, and they are very effective even though they require a little bit of social engineering to get onto a target's device. That's where Hermit plays."

In terms of its capabilities, he adds that Hermit packs an info-vacuuming punch. In addition to "standard" spyware fare like tracking users' locations, accessing device microphones and cameras, eavesdropping on calls and texts, and stealing media files, it also offers the ability to sniff out every scrap of content and data housed in any of the apps that users have installed, including encrypted messaging apps.

"This is a very sophisticated surveillance tool," Hebeisen says. "It takes over the operating system completely and can spy on literally everything. Given how deeply ingrained into our lives phones are these days and especially our all of our private activities, this is practically a perfect tool to find out everything an attacker ever wanted to know about somebody."

He adds that under the hood, the malware is designed to be agile and flexible.

"Hermit is built in a very enterprise way in that it's modular," Hebeisen explains. "So we suspect that that might actually be part of the business model, where they can sell different tiers of this surveillance kit by including or excluding certain modules."

From a broader perspective, Hermit showcases an uncomfortable reality when it comes to next-gen mobile malware: "Despite mobile operating systems being much more modern than many of the desktop systems and having many more security controls already in place, it's still possible for attackers to get past them and then actually use the legitimate functionality of the operating system against targets," Hebeisen says.

**Nation-State Spyware: A Growing Threat**

It should be noted that companies operating in this gray space, including RCS Labs, NSO Group, FinFisher creator Gamma Group, Israeli company Candiru, and Russia's Positive Technologies, maintain that they only sell to legitimate intelligence and enforcement agencies. That however is a claim that many reject, including the US government, which recently sanctioned several of these organizations for contributing to human rights abuses and the targeting of journalists, human rights defenders, dissidents, opposition politicians, business leaders, and others.

Nonetheless, Hebeisen notes that there are more and more mobile spyware tools being developed for the blossoming so-called "lawful intercept" market, indicating ongoing demand. When one is struck down, "there are plenty of other companies standing in the wings just waiting to take over," he says.

The demand makes sense from the geopolitical perspective as nations move away from kinetic conflict.

"As opposed to physical arms, for which you have to deal with all kinds of export controls if you want to sell those to regimes that are known for human rights violations, it seems much easier to get around that when you're dealing with surveillance tools, which are essentially just a different set of weapons in the fight," Hebeisen explains.

Sophisticated Hermit Mobile Spyware Heralds Wave of Government Surveillance

Attacks against mobile phones and tablets are increasing, and a WannaCry-level attack could be on the horizon.

Enterprises worldwide are living dangerously, skating by with inadequate visibility and security into their mobile attack surface. While many organizations have adopted some level of management over the mobile devices connected to their systems, it's not the same as mobile security and leaves them unprepared for a growing threat. Attacks against mobile phones and tablets continue to increase, and chances are good that a devastating WannaCry\-level attack is just over the horizon.

The WannaCry ransomware attack caught the world unaware in 2017, infecting hundreds of thousands of computers in 150 countries worldwide. And it could have been worse had a British security research group not discovered a kill switch that stopped it from spreading within hours of the attack. But its impact was substantial nevertheless, crippling systems, causing several car manufacturers to stop production, and even forcing some hospitals in the UK to turn away patients. Damage was estimated to be in the billions of dollars.

By heeding the lessons of that attack, enterprises can now work to avoid a "mobile WannaCry" before it hits, rather than dealing with the damage after the fact. A mobile-based attack of that scale is possible, and its impact could be far worse because of the ubiquity and utility of mobile phones, along with the fact that almost everyone's device is vulnerable. As a US House Intelligence Committee recently heard, mobile spyware has even infected the phones of US diplomats worldwide.

**Devices Hold the Keys to the Kingdom — and They're Everywhere**

In the five years since WannaCry's appearance, mobile devices have become even more critical targets than laptops or desktop PCs. Smartphones are with us every minute of the day and are loaded with personal and organizational data. They hold passwords and email accounts, credit card and payment data, and biometric data often used in multifactor authentication (MFA) for logical and physical access. They also have microphones, cameras, and location data that can add to the risks if a device is compromised.

But as much as we depend on them, enterprises have not adequately addressed the mobile attack surface presented by these devices. Beyond changing the security mindset to include the mobile space, there are unique challenges that apply to mobile endpoints. Bring your own device (BYOD) is one of the biggest challenges to addressing an enterprise's mobile attack surface, due to the privacy needs and requirements regarding personally owned devices. Because of privacy concerns, standard products like mobile device management (MDM) are typically used only for corporate-managed devices and are often insufficient in detecting, reporting, and securing mobile devices against modern threats.

Mobile devices can present attackers with virtual keys to the kingdom if they are compromised and used to get past MFA. Email access is a prominent attack tool, but a mobile device also can provide access to accounting, finance, and customer relationship management tools such as Salesforce, Microsoft Office 365, or Google Workspace. And with these tools now available on personal devices, outside the scope and visibility of the security infrastructure, enterprises are putting their data and services at risk in the name of technological benefits like BYOD.

**Mobile Ransomware Would Have a Double Impact**

The risks of mobile ransomware essentially exist on two fronts.

*   **Mobile devices as a delivery mechanism for ransomware:** The compromising of a device, which can be accomplished with or without the owner's knowledge, could allow the sending of a ransomware-spreading email that appears to come from a trusted co-worker or source. Mobile devices can be used to spread traditional ransomware in ways that are very difficult to detect and stop.
*   **Actual mobile ransomware:** Early versions of mobile ransomware were somewhat faux ransomware, using overlays to take advantage of accessibility features. But Apple and Google effectively closed those holes, leading attackers toward actual mobile ransomware.

A mobile attack could lock not only an organization's data and systems, but a user's as well, threatening to wipe out their bank account, for instance, if a ransom is not paid. The attacker who took ownership of that device could leave its microphone and camera on at all times to bug corporate meetings.

The bottom line is mobile ransomware attacks could do everything WannaCry did, plus a lot more.

**The Time to Focus on Security Is Now**

A future large-scale and impactful ransomware attack against mobile is inevitable. Each year, we see mobile malware become more complex, with new features and capabilities introduced to impact the victim. These advancing malware techniques are only proofs of concepts for future attacks, laying the way for larger dangers to mobile endpoints. It is only a matter of time before malicious actors deliver complex mobile ransomware with a significant impact on users and enterprises.

Enterprises have not placed a high-enough priority on mobile security as devices have become indispensable in our personal and business lives. Mobile devices are ripe for an attack of WannaCry proportions, but whether that takes the form of ransomware or something else, the time to focus on mobile security is now, before it's too late.

Don't Wait for a Mobile WannaCry

An unpatched flaw in more than 350,000 unique open source repositories leaves software applications vulnerable to exploit. The path traversal-related vulnerability is tracked as CVE-2007-4559.

A 15-year-old flaw in the Python open source programming language has remained unpatched in many places, making its way into hundreds of thousands of both open source and closed source projects worldwide. This is inadvertently creating a broadly vulnerable software supply chain that most affected organizations are unaware of, researchers warned.

That's according to the Trellix Advanced Research Center, whose analysts found that a path traversal-related vulnerability, tracked as CVE-2007-4559, presently remains unpatched in more than 350,000 unique open source repositories, leaving software applications vulnerable to exploit.

In a blog post published Sept. 21, principal engineer and director of vulnerability research Douglas McKee said that the code base in question is present in software that spans a vast number of industries — primarily software development, artificial intelligence/machine learning, and code development, but also including sectors as diverse as security, IT management, and media. 

The Python tarfile module also exists in a default module in any project using Python, and is currently found extensively in frameworks created by AWS, Facebook, Google, Intel, and Netflix, as well as applications used for machine learning, automation, and Docker containerization, researchers said.

While the bug allows attackers to escape the directory that a file is supposed to be extracted to, actors can also exploit the flaw to execute malicious code, researchers said.

"Today, left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," McKee said.

**New Problem, Old Vulnerability**

After finding that Python's tarfile module wasn't properly checking for path traversal vulnerabilities in an enterprise device recently, Trellix researchers thought they had stumbled across a new zero-day Python vulnerability, McKee wrote in the post. However, they soon realized that the flaw was one that had already been discovered.

Further digging and later cooperation from GitHub revealed that there are about 2.87 million open source files that contain Python’s tarfile module in about 588,000 unique repositories. Results of Trellix analysis found that about 61% of those instances are vulnerable, which led researchers to a current estimate of 350,000 vulnerable Python repositories.

**In Open Source, There's No One to Blame**

There are a number of reasons that the flaw has been able to spread throughout software unchecked for so long; however, it would be unfair to put specific blame on the Python project, various maintainers of the project, or any developers using the platform, McKee noted.

"Let's start by being explicitly clear — there is no one party, organization, or person to blame for the current state of CVE-2007-4559, but here we are anyway," he wrote.

Because open source projects like Python are run and maintained by a nebulous group of volunteers and not one federated organization — and in this case, a nonprofit foundation, to boot — it's harder to track and fix even known issues in a timely manner, McKee observed.

Further, "it is not uncommon for libraries or software development kits … to consider the responsibility for securely leveraging their APIs as part of the developer's responsibility," he said.

Indeed, Python has put a warning in its documentation of the tarfile function about the risks of using it, explicitly telling developers never to "extract archives from untrusted sources without prior inspection" due to the directory traversal issue.

While a warning is "a positive step" toward spreading awareness of the issue, it clearly hasn't prevented the vulnerability from being perpetuated, since it's still up to developers leveraging the code base to ensure that the software they build is secure, McKee observed.

He added that exacerbating the problem is the fact that most of the Python tutorials for developers on how to use the platform's modules — including Python's own documentation and popular sites like tutorialspoint, geeksforgeeks, and askpython.com — aren't clear on how to avoid insecure use of the tarfile module, he noted.

This discrepancy has allowed the vulnerability to be programmed into the supply chain, a trend that will likely continue for years to come unless there's broader awareness of the problem, McKee noted.

**'Incredibly Easy' to Exploit the Flaw**

On the technical front, CVE-2007-4559 is a path traversal attack in Python's tarfile module that allows an attacker to overwrite arbitrary files, by adding the ".." sequence to filenames in a TAR archive. 

The actual flaw arises from two or three lines of code using unsanitized tarfile.extract() or the built-in defaults of tarfile.extractall(), noted Trellix vulnerability researcher Charles McFarland in a separate blog post on the problem published Wednesday.

"Failure to write any safety code to sanitize the members' files before calling or tarfile.extract() tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system," he wrote.

For an attacker to take advantage of this vulnerability they need to add ".." with the separator for the operating system ("/" or "\\") into the file name to escape the directory the file is supposed to be extracted to, Schulz detailed. Python's tarfile module lets developers do exactly that, he noted.

Trellix vulnerability research intern Kasimir Schulz — whose research on a separate issue is actually responsible for bringing the extensive Python tarfile bug to light — described in detail in a third separate Trellix blog post he wrote published Wednesday how "incredibly easy" it is to exploit CVE-2007-4559.

Tarfiles in Python contain a collection of multiple different files and metadata that's later used to unarchive the tarfile itself, Schulz explained in his post. The metadata contained within a TAR archive includes but is not limited to information such as the file name, the size and checksum of the file, and information about the owner of the file when the file was archived.

"The tarfile module lets users add a filter that can be used to parse and modify a file's metadata before it is added to the TAR archive," Schulz wrote. This enables attackers to create their exploits with as little as six lines of code, he said.

Schulz goes on in his post to explain in detail how he used the flaw and a custom-built script called Creosote — which searches through directories scanning for and then analyzing Python files — to execute malicious code within Spyder IDE, a free and open source scientific environment written for Python that can be run on Windows and macOS.

**Spotlight on the Supply Chain**

The tarfile issue once again highlights the software supply chain as an attack surface, one that has risen in prominence in recent years due to the broad impact attackers can have by targeting flawed code that's present across multiple platforms and thus enterprise environments. This can serve to expansively widen the impact of malicious campaigns without extra work on the part of threat actors.

There have been numerous examples already of what can happen across the supply chain in these types of attacks, with the now-infamous SolarWinds and Log4J scenarios being among the most prominent. The former started in late December 2020 with a breach in the SolarWinds Orion software and spread deep into the next year with multiple attacks across various organizations. The latter saga unfolded in early December 2021 with the discovery of a flaw dubbed Log4Shell in a widely used Java logging tool that spurred multiple exploits and made millions of applications vulnerable to attack, many of which remain unpatched today.

Lately, attackers have begun to see the benefit of going directly after open source code repositories to plant their own malicious code that can be exploited later for supply chain attacks. In fact, the Python project has found itself directly in the crosshairs.

In late August, attackers targeted users of the Python Package Index (PyPI) with their first-ever phishing attack aimed at stealing users' credentials so threat actors could load compromised packages to the repository. Earlier that month, PyPI already had removed 10 malicious code packages from the registry after a security vendor warned that threat actors were embedding malicious code into the package installation script.

15-Year-Old Python Flaw Slithers into Software Worldwide

Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user

*   Products
    
    *   Insight Platform Solutions
    *   
    *   Threat Intelligence
        
        THREAT COMMAND
        
    *   Vulnerability Management
        
        INSIGHTVM
        
    *   Dynamic Application Security Testing
        
        INSIGHTAPPSEC
        
    *   Orchestration & Automation (SOAR)
        
        INSIGHTCONNECT
        
    *   Cloud Security
        
        INSIGHTCLOUDSEC
        
    
    *   More Solutions
    *   Penetration Testing
        
        METASPLOIT
        
    *   On-Prem Vulnerability Management
        
        NEXPOSE
        
    *   Application Monitoring & Protection
        
        TCELL
        
    *   Digital Forensics and Incident Response (DFIR)
        
        Velociraptor
        
    
*   Services
    
    *   MANAGED SERVICES
    *   Detection and Response
        
        24/7 MONITORING & REMEDIATION FROM MDR EXPERTS
        
    *   Vulnerability Management
        
        PERFECTLY OPTIMIZED RISK ASSESSMENT
        
    *   Application Security
        
        SCAN MANAGEMENT & VULNERABILITY VALIDATION
        
    
    *   OTHER SERVICES
    *   Security Advisory Services
        
        PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES
        
    *   Product Consulting
        
        QUICK-START & CONFIGURATION
        
    *   Training & Certification
        
        SKILLS & ADVANCEMENT
        
    *   Penetration Services
        
        TEST YOUR DEFENSES IN REAL-TIME
        
    *   IoT Security Testing
        
        SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD
        
    *   Premium Support
        
        PRIORITY HELP & FASTER SOLUTIONS
        
    
*   Support & Resources
    
    *   SUPPORT
    *   Support Portal
        
        CONTACT CUSTOMER SUPPORT
        
    *   Product Documentation
        
        EXPLORE PRODUCT GUIDES
        
    *   Release Notes
        
        DISCOVER THE LATEST PRODUCT UPDATES
        
    *   
    
    *   RESOURCES
    *   Fundamentals
        
        FOUNDATIONAL SECURITY KNOWLEDGE
        
    *   Blog
        
        THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE
        
    *   Resources Library
        
        E-BOOKS, WHITE PAPERS, VIDEOS & BRIEFS
        
    *   Extensions Library
        
        PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY
        
    *   Partners
        
        RAPID7 PARTNER ECOSYSTEM
        
    *   Webcasts & Events
        
        UPCOMING OPPORTUNITIES TO CONNECT WITH US
        
    *   Vulnerability & Exploit Database
        
        SEARCH THE LATEST SECURITY RESEARCH
        
    
*   Company
    
    *   OVERVIEW
    *   
    *   Leadership
        
        EXECUTIVE TEAM & BOARD
        
    *   News & Press Releases
        
        THE LATEST FROM OUR NEWSROOM
        
    *   
    
    *   COMMUNITY & CULTURE
    *   Social Good
        
        OUR COMMITMENT & APPROACH
        
    *   Rapid7 Cybersecurity Foundation
        
        BUILDING THE FUTURE
        
    *   Diversity, Equity & Inclusion
        
        EMPOWERING PEOPLE
        
    *   Open Source
        
        STRENGTHENING CYBERSECURITY
        
    *   Public Policy
        
        ENGAGEMENT & ADVOCACY
        
    
*   Research
*    Sign In

*   All Products
    
    *   AppSpider
    *   Insight Agent
    *   InsightAppSec
    *   InsightCloudSec
    *   InsightConnect
    *   Insight Platform
    *   InsightIDR
    *   Insight Network Sensor
    *   InsightOps
    *   InsightVM
    *   Metasploit
    *   Nexpose
    *   tCell
    *   Managed Services
    

*   Products
    
    *   Insight Platform Solutions
    *   
    *   Threat Intelligence
        
        THREAT COMMAND
        
    *   Vulnerability Management
        
        INSIGHTVM
        
    *   Dynamic Application Security Testing
        
        INSIGHTAPPSEC
        
    *   Orchestration & Automation (SOAR)
        
        INSIGHTCONNECT
        
    *   Cloud Security
        
        INSIGHTCLOUDSEC
        
    
    *   More Solutions
    *   Penetration Testing
        
        METASPLOIT
        
    *   On-Prem Vulnerability Management
        
        NEXPOSE
        
    *   Application Monitoring & Protection
        
        TCELL
        
    *   Digital Forensics and Incident Response (DFIR)
        
        Velociraptor
        
    
*   Services
    
    *   MANAGED SERVICES
    *   Detection and Response
        
        24/7 MONITORING & REMEDIATION FROM MDR EXPERTS
        
    *   Vulnerability Management
        
        PERFECTLY OPTIMIZED RISK ASSESSMENT
        
    *   Application Security
        
        SCAN MANAGEMENT & VULNERABILITY VALIDATION
        
    
    *   OTHER SERVICES
    *   Security Advisory Services
        
        PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES
        
    *   Product Consulting
        
        QUICK-START & CONFIGURATION
        
    *   Training & Certification
        
        SKILLS & ADVANCEMENT
        
    *   Penetration Services
        
        TEST YOUR DEFENSES IN REAL-TIME
        
    *   IoT Security Testing
        
        SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD
        
    *   Premium Support
        
        PRIORITY HELP & FASTER SOLUTIONS
        
    
*   Support & Resources
    
    *   SUPPORT
    *   Support Portal
        
        CONTACT CUSTOMER SUPPORT
        
    *   Product Documentation
        
        EXPLORE PRODUCT GUIDES
        
    *   Release Notes
        
        DISCOVER THE LATEST PRODUCT UPDATES
        
    *   
    
    *   RESOURCES
    *   Fundamentals
        
        FOUNDATIONAL SECURITY KNOWLEDGE
        
    *   Blog
        
        THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE
        
    *   Resources Library
        
        E-BOOKS, WHITE PAPERS, VIDEOS & BRIEFS
        
    *   Extensions Library
        
        PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY
        
    *   Partners
        
        RAPID7 PARTNER ECOSYSTEM
        
    *   Webcasts & Events
        
        UPCOMING OPPORTUNITIES TO CONNECT WITH US
        
    *   Vulnerability & Exploit Database
        
        SEARCH THE LATEST SECURITY RESEARCH
        
    
*   Company
    
    *   OVERVIEW
    *   
    *   Leadership
        
        EXECUTIVE TEAM & BOARD
        
    *   News & Press Releases
        
        THE LATEST FROM OUR NEWSROOM
        
    *   
    
    *   COMMUNITY & CULTURE
    *   Social Good
        
        OUR COMMITMENT & APPROACH
        
    *   Rapid7 Cybersecurity Foundation
        
        BUILDING THE FUTURE
        
    *   Diversity, Equity & Inclusion
        
        EMPOWERING PEOPLE
        
    *   Open Source
        
        STRENGTHENING CYBERSECURITY
        
    *   Public Policy
        
        ENGAGEMENT & ADVOCACY
        
    
*   Research

*   Sign In

*   Documentation
*   All Products
    
    *   AppSpider
    *   Insight Agent
    *   InsightAppSec
    *   InsightCloudSec
    *   InsightConnect
    *   Insight Platform
    *   InsightIDR
    
    *   Insight Network Sensor
    *   InsightOps
    *   InsightVM
    *   Metasploit
    *   Nexpose
    *   tCell
    *   Managed Services

Tag

#intel