Mar 25 2024

170K+ Python Developers GitHub Accounts Hacked In Supply Chain Attack

Category: Cyber Attack, Hacking, Python | disc7 @ 8:38 am

Over 170,000 users have fallen victim to a meticulously orchestrated scheme exploiting the Python software supply chain.

The Checkmarx Research team has uncovered a multi-faceted attack campaign that leverages fake Python infrastructure to distribute malware, compromising the security of countless developers and organizations.

This article delves into the attack campaign, its impact on victims, the tactics, techniques, and procedures (TTPs) employed by the threat actors, and the critical findings from Checkmarx’s investigation.

Attack Campaign Description

The core of this malicious campaign revolves around an attacker’s ability to combine several TTPs to launch a silent attack on the software supply chain, specifically targeting the Python ecosystem.

By creating multiple malicious open-source tools with enticing descriptions, the attackers lured victims into their trap, primarily through search engines.

Python mirror - files.pythonhosted.org

The campaign’s sophistication is evident in distributing a malicious dependency hosted on a fake Python infrastructure, which was then linked to popular projects on GitHub and legitimate Python packages.

A chilling account from Mohammed Dief, a Python developer and one of the campaign’s victims, highlights the stealth and impact of the attack.

Dief encountered a suspicious error message while working on his laptop, the first sign of the compromise, leading to the realization that his system had been hacked.

Victims And Impact

Among the notable victims of this campaign is the Top.gg GitHub organization, a community boasting over 170,000 members.

The attackers managed to hijack GitHub accounts with high reputations, including that of “editor-syntax,” a maintainer with write permissions to Top.gg’s repositories.

The Top.gg community (which boasts over 170K members) was also a victim of this attack

This allowed them to commit malicious acts and increase the visibility and credibility of their malicious repositories.

The attack’s impact is far-reaching, affecting individual developers and larger communities alike.

Social engineering schemes, account takeovers, and malicious packages published on the PyPi registry have underscored the software supply chain’s vulnerability to such sophisticated attacks.

The Checkmarx Research team has uncovered an attack campaign aimed at the software supply chain.

The campaign appears to have successfully exploited multiple victims.

Threat Actors And TTPs

The threat actors behind this campaign demonstrated high sophistication and planning.

They employed a range of TTPs, including:

  • Account Takeover via Stolen Cookies: The attackers gained access to high-reputation GitHub accounts by stealing session cookies, bypassing the need for passwords.
  • Publishing Malicious Packages: By setting up a custom Python mirror and publishing malicious packages to the PyPi registry, they could distribute malware under the guise of legitimate software.
  • Social Engineering: The attackers used social engineering to trick users into downloading malicious dependencies, further spreading the malware.

By deploying a fake Python package mirror and utilizing typosquatting techniques, the attackers could deceive users and systems into downloading poisoned versions of popular packages like “Colorama.”

The malicious payload delivered through these packages is designed to harvest sensitive information, including passwords, credentials, and data from various software applications.
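The two tricks above, a look-alike package index and a near-miss package name, can both be caught before `pip install` runs. The following checker is an added example written for this post (it is not Checkmarx's, Top.gg's or any project's code); the allow-list of known packages, the sample requirements file and the placeholder host `pypi-mirror.example` are all constructed.

```python
# Added example: flag dependencies pulled from a non-official index/mirror and
# package names one edit away from a known package (e.g. a misspelt "colorama").
import re
from urllib.parse import urlparse

OFFICIAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}
# Constructed allow-list; in practice derive it from the project's lockfile.
KNOWN_PACKAGES = {"colorama", "requests", "numpy"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typosquatted) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_requirements(text):
    """Return (line, reason) findings for the contents of a requirements.txt."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Index options and direct URLs: any host outside the official set is flagged.
        for url in re.findall(r"https?://\S+", line):
            host = urlparse(url).hostname or ""
            if host not in OFFICIAL_HOSTS:
                findings.append((raw, f"non-official package host {host!r}"))
        if line.startswith("-"):
            continue  # pip option line (--index-url, -i, ...), carries no package name
        name = re.split(r"[\s=<>!~;\[@]", line, maxsplit=1)[0].lower()
        if name in KNOWN_PACKAGES:
            continue
        for known in KNOWN_PACKAGES:
            if edit_distance(name, known) == 1:
                findings.append((raw, f"{name!r} is one edit away from {known!r}"))
                break
    return findings

# Constructed sample; "pypi-mirror.example" is a placeholder look-alike host.
SAMPLE = """\
--index-url https://pypi-mirror.example/simple
colorama==0.4.6
colorana
requests @ https://files.pythonhosted.org/packages/example.whl
"""
```

Running `check_requirements(SAMPLE)` reports the mirror line and the `colorana` line; the pinned `colorama` and the wheel fetched from files.pythonhosted.org pass.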

Malicious Package

The malware targets web browsers, Discord, cryptocurrency wallets, and Telegram, and even includes a keylogging component to capture victims’ keystrokes.

The final stage of the malware reveals its data-stealing capabilities, targeting not only personal and financial information but also attempting to gain unauthorized access to victims’ social media and communication platforms.

This attack campaign highlights the critical vulnerabilities within the software supply chain, particularly in open-source ecosystems like Python’s.

The sophistication and success of the attackers in exploiting these vulnerabilities underscore the need for heightened vigilance and robust security practices among developers and organizations.

Through continuous monitoring, collaboration, and information sharing, the cybersecurity community can mitigate risks and protect the integrity of open-source software.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: supply chain attack


Sep 25 2023

MOVEit fallout continues as National Student Clearinghouse says nearly 900 schools affected

Category: Cyber Attack, Information Security | disc7 @ 2:18 pm

https://therecord.media/moveit-fallout-continues-nsc-schools

The National Student Clearinghouse (NSC) reported that nearly 900 colleges and universities across the U.S. had data stolen during attacks by a Russia-based ransomware gang exploiting the popular MOVEit file-sharing tool.

The nonprofit manages educational reporting, data exchange, verification, and research services for 3,600 colleges and universities as well as 22,000 high schools.

In June, the organization first confirmed that it was affected by exploitation of the tool, which was targeted via several critical vulnerabilities by the ransomware gang Clop.

Dozens of schools published notices confirming that student and alumni data was accessed in the breach but it was never clear just how many colleges or universities were affected.

In filings with California regulators last week, the National Student Clearinghouse provided a list of affected schools totalling nearly 890 — covering almost every state and including several of the largest, most prominent universities in the U.S.

The U.S. Department of Education requires 3,600 colleges and universities nationwide to use the MOVEit tool to share information with the NSC, which provides this data to the National Student Loan Data System (NSLDS) on behalf of the schools.

The stolen information includes personally identifiable information such as Social Security numbers and dates of birth.

NSC says it notified law enforcement after discovering the incident and told regulators in Maine on August 31 that it is sending breach notification letters to 51,689 people. NSC also sent letters to each school affected by the breach.

“The unauthorized party obtained certain files within the Clearinghouse’s MOVEit environment, which may have included information from the student record database on current or former students,” NSC said in an advisory released this summer. “We have no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications.”

The attack on NSC was one of several involving MOVEit that had wide-ranging downstream effects. The Clop ransomware gang targeted several organizations with connections to other companies or businesses, including PBI Research Services and the Teachers Insurance and Annuity Association of America (TIAA).

Security firm Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches. Several class action lawsuits have been filed against Progress Software, the company behind MOVEit.

Sean Matt, one of the lawyers behind the lawsuits, called it a “cybersecurity disaster of staggering proportions.”

“Millions of individuals are now at the mercy of cybercriminals due to a single security vulnerability in the design of the MOVEit software. The data compromised in this incident — social security numbers, banking information and even the names of people’s children — will undoubtedly lead to years of strife and concern,” he said.

“This is not just a data breach, but an unacceptable breach of the public’s trust in Progress and other companies that have a responsibility to protect the private data they collect.”


Tags: MOVEit, supply chain attack