Security News

A group of cryptominers was found to have infiltrated the Python Package Index, which is a repository of software code created in the Python programming language. It offers a place where coders can upload software packages for use by developers in building various applications, services and other projects.

New upgrades have been made to a Python-based "Self-replicating, polymorphic bot" called Necro in what's seen as an attempt to improve its chances of infecting vulnerable systems and evading detection. "Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command-and-control communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," researchers from Cisco Talos said in a deep-dive published today.

The Python standard library ipaddress also suffers from the critical IP address validation vulnerability identical to the flaw that was reported in the "Netmask" library earlier this year. The researchers who had discovered the critical flaw in netmask, also discovered the same flaw in this Python module and have procured a vulnerability identifier: CVE-2021-29921.

If you suddenly realise you want to use Python module called asteroid, for example, you can just do pip install asteroid, after which your own Python programs can say import asteroid, and start making use of the package. A third sort of supply chain attack - one that is rather less sophisticated and has no guarantee of success, yet is extremely easy to pull off - is to create a fake package with a misleading name that users in a hurry might download and install by mistake.

"I do believe that Python just doesn't have the right priorities these days," said Armin Ronacher, director of engineering at software monitoring biz Sentry and creator of Flask, the popular Python web app framework, in an email interview with The Register. The shortcomings of Python's software packaging tools - the software used to set up Python environments and to download, install, and manage libraries - have been an issue for years.

"I do believe that Python just doesn't have the right priorities these days," said Armin Ronacher, director of engineering at software monitoring biz Sentry and creator of Flask, the popular Python web app framework, in an email interview with The Register. The shortcomings of Python's software packaging tools - the software used to set up Python environments and to download, install, and manage libraries - have been an issue for years.

Dubbed PyVil, the new remote access trojan goes after passwords, documents, browser cookies, and email credentials, says Cybereason. A new remote access trojan is aiming at financial technology companies in the UK and European Union to capture sensitive information through keylogging and screen captures.
Networking equipment maker Cisco has released a new version of its Jabber video conferencing and messaging app for Windows that includes patches for multiple vulnerabilities-which, if exploited, could allow an authenticated, remote attacker to execute arbitrary code. Two of the four flaws can be exploited to gain remote code execution on target systems by sending specially crafted chat messages in group conversations or specific individuals.

An adversary known for targeting the fintech sector at least since 2018 has switched up its tactics to include a new Python-based remote access Trojan that can steal passwords, documents, browser cookies, email credentials, and other sensitive information. In an analysis published by Cybereason researchers yesterday, the Evilnum group has not only tweaked its infection chain but has also deployed a Python RAT called "PyVil RAT," which possesses abilities to gather information, take screenshots, capture keystrokes data, open an SSH shell and deploy new tools.

The malware's emergence dovetails with a change in the chain of infection and an expansion of infrastructure for the APT. According to researchers at Cybereason, PyVil RAT enables the attackers to exfiltrate data, perform keylogging and take screenshots, and can roll out secondary credential-harvesting tools such as LaZagne. The latest series of campaigns observed by Cybereason that use PyVil RAT are widespread yet targeted, taking aim at FinTech companies across the U.K. and E.U. The attack vector is spear-phishing emails, which use the Know Your Customer regulations as a lure.