Monday, February 6, 2023
  • Advertise With Us
  • Write For Us
  • Contact Us
  • About Us
  • Editorial Calendar
Download Latest Issue - Free!
The Cyber Express
Ransomware Report
  • Magazine
  • Firewall Daily
    • All
    • Dark Web News
    • Data Breach News
    • Hacks
    • Ransomware
    • Vulnerabilities
    Voice Networks

    Voice Networks are Under Attack – is Anybody Listening?

    Anonymous Sudan Declares War on American Corporate Giants with Devastating DDoS Onslaughts

    Dominic Alvieri

    After Hive, Will More Ransomware Groups be Taken Down in 2023?

    McEwan Fraser Legal

    ALPHV Ransomware Hits UK Realty Firm McEwan Fraser Legal, 300GB Data On The Line

    Kewal Kiran

    Indian Apparel Manufacturer Kewal Kiran Clothing’s Data Out For Sale

    BATLoader

    Stealthy BATLoader Lurks Under PowerShell Script to Evade Detection and Launch Malware

    Guardian Analytics Data Leak

    Guardian Analytics Data Leak: Ransomware Groups Daixin Team and Lockbit List Firm as Victim

    VectorStealer

    VectorStealer, Unlocking Doors to RDP Hijacking

    Qakbot Malware

    Spammers Deploy Information Stealing Qakbot Malware in OneNote Attachment

  • Essentials
    • All
    • Compliance
    • Governance
    • Policy Updates
    • Regulations
    TRAI

    TRAI Asked to Involve MoD in Drafting Big Data Regulations & Policies

    cybersecurity

    Cybersecurity incidents may soon be ‘uninsurable’

    Australia

    Australia Ropes in Tech Veterans to Set Up Cyber Action Plan

    Active Directory

    Prevent Ransomware: Save the Active Directory

    Privacy Penalty Bill

    Privacy Penalty Bill: Australian Parliament Approves Heavy Fines

    Zero Trust Strategy

    US Department of Defense to Embrace Zero Trust Strategy

    browser hijackers

    Researchers Find Browser Hijackers on Google Chrome Web Store

    DORA proposal

    DORA Proposal for Cybersecurity Awaits Full Approval by Council and ESAs

    Privacy penalty bill

    Australia Privacy Penalty Bill 2022: Pay a $50 Million Fine for Data Breaches

    • Regulations
    • Compliance
    • Governance
    • Policy Updates
  • Features
    • Cyber Warfare
    • Espionage
    • Workforce
      • Learning & Development
  • Business News
    • Startups
    • Mergers & Aquisitions
    • Partnerships
    • Appointments
    • Budgets
    • Research
      • Whitepapers
      • Sponsored Content
      • Market Reports
    • Interviews
      • Podcast
  • Events
    • Webinars
    • World CyberCon Middle East 2023
    • Endorsed Events
  • Advertise
No Result
View All Result
The Cyber Express
  • Magazine
  • Firewall Daily
    • All
    • Dark Web News
    • Data Breach News
    • Hacks
    • Ransomware
    • Vulnerabilities
    Voice Networks

    Voice Networks are Under Attack – is Anybody Listening?

    Anonymous Sudan Declares War on American Corporate Giants with Devastating DDoS Onslaughts

    Dominic Alvieri

    After Hive, Will More Ransomware Groups be Taken Down in 2023?

    McEwan Fraser Legal

    ALPHV Ransomware Hits UK Realty Firm McEwan Fraser Legal, 300GB Data On The Line

    Kewal Kiran

    Indian Apparel Manufacturer Kewal Kiran Clothing’s Data Out For Sale

    BATLoader

    Stealthy BATLoader Lurks Under PowerShell Script to Evade Detection and Launch Malware

    Guardian Analytics Data Leak

    Guardian Analytics Data Leak: Ransomware Groups Daixin Team and Lockbit List Firm as Victim

    VectorStealer

    VectorStealer, Unlocking Doors to RDP Hijacking

    Qakbot Malware

    Spammers Deploy Information Stealing Qakbot Malware in OneNote Attachment

  • Essentials
    • All
    • Compliance
    • Governance
    • Policy Updates
    • Regulations
    TRAI

    TRAI Asked to Involve MoD in Drafting Big Data Regulations & Policies

    cybersecurity

    Cybersecurity incidents may soon be ‘uninsurable’

    Australia

    Australia Ropes in Tech Veterans to Set Up Cyber Action Plan

    Active Directory

    Prevent Ransomware: Save the Active Directory

    Privacy Penalty Bill

    Privacy Penalty Bill: Australian Parliament Approves Heavy Fines

    Zero Trust Strategy

    US Department of Defense to Embrace Zero Trust Strategy

    browser hijackers

    Researchers Find Browser Hijackers on Google Chrome Web Store

    DORA proposal

    DORA Proposal for Cybersecurity Awaits Full Approval by Council and ESAs

    Privacy penalty bill

    Australia Privacy Penalty Bill 2022: Pay a $50 Million Fine for Data Breaches

    • Regulations
    • Compliance
    • Governance
    • Policy Updates
  • Features
    • Cyber Warfare
    • Espionage
    • Workforce
      • Learning & Development
  • Business News
    • Startups
    • Mergers & Aquisitions
    • Partnerships
    • Appointments
    • Budgets
    • Research
      • Whitepapers
      • Sponsored Content
      • Market Reports
    • Interviews
      • Podcast
  • Events
    • Webinars
    • World CyberCon Middle East 2023
    • Endorsed Events
  • Advertise
No Result
View All Result
The Cyber Express
No Result
View All Result
Home Firewall Daily

Researchers Spot Supply Chain Attack Using Identical PyPI Packages

Researchers at the Fortiguard Labs team have discovered a zero-day attack embedded in three PyPI packages

Editorial by Editorial
January 16, 2023
in Firewall Daily, Vulnerabilities
0
Supply Chain Attack
612
SHARES
3.4k
VIEWS
Share on LinkedInShare on Twitter

Researchers found a new zero-day attack embedded in three PyPI packages.

Researchers at the Fortiguard Labs team have discovered a zero-day attack by monitoring an open-source ecosystem. The attack was embedded in three PyPI packages named colorslib, libhttps, and httpslib that were published by an author called Lolip0p. The author joined the repository adjusting with the publishing date of the attack PyPI packages.

You might also like

Hollywood and its Quest with Nailing Hacking Depictions

Internet Censorship and Freedom of Speech

Voice Networks are Under Attack – is Anybody Listening?

The supply chain attack using PyPI packages colorslib and httpslib were posted on January 7 and used the project description to their advantage to look legitimate. It mentioned features of colorslib such as being able to handle colors, generate boxes, manipulate test alignment, etc. And described it as, “A library designed for making working with terminal user interfaces easier.”

Screenshot with the project description of httpslib

libhttps 4.6.12 came with specific features that ‘Lolip0p’ noted that included, thread safety, connection pooling, helpers for retrying requests and dealing with HTTP redirects, and so on. The convincing description for it read that it is a powerful HTTP client for Python. It said that the Python ecosystem already uses urllib3 and others should also use it.

The versions of all these PyPI packages were found to be malicious and shared a similar script, setup.py. The download URL despite being undetected by several researchers, showed as a malicious executable by some vendors.

Understanding the supply chain attack

For this attack using identical pypi packages in python the Powershell URL was https://dl[.]dropbox[.]com/s/mkd3enun97s8zag/Oxzy[.]exe?dl=0

And its VirusTotal entry showed that it had the binary exe (SHA 256) as 8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b

Upon running the code update.exe, several files are saved in the %USER%\AppData\Local\Temp\onefile_%PID_%TIME%’ folder as shown below:

Supply Chain Attack
(Source: Fortinet)

The malicious executables were:

  1. Oxzy.exe: Malicious_Behavior.SB
  2. update.exe: PossibleThreat.PALLASNET.H
  3. SearchProtocolHost.exe: Malicious_Behavior.SB

The indicators of compromise

  1. Oxzy.exe

            8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b

  1. update.exe

            293a3a2c8992636a5dba58ce088feb276ba39cf1b496b336eb7b6f65b1ddb757

  1. SearchProtocolHost.exe

            123fd1c46a166c54ad66e66a10d53623af64c4b52b1827dfd8a96fdbf7675638

  1. Malicious URLs

https://dl[.]dropbox[.]com/s/mkd3enun97s8zag/Oxzy%5B.%5Dexe?dl=0

The same author posted separate Python packages with the same code for this supply chain attack. One of the files researchers pointed out was detected as malicious by several vendors. It was (SHA256): 123fd1c46a166c54ad66e66a10d53623af64c4b52b1827dfd8a96fdbf7675638.

Even though the malicious URLs were blocked by Fortinet, researchers urged users to be cautious in running codes that are authored by relatively newer users despite displaying a product description that looks legitimate. They also clarified that it does not make an author more reliable if they publish more than one package within a short span of time.

Share this:

  • Click to share on LinkedIn (Opens in new window)
  • Click to share on Reddit (Opens in new window)
  • Click to share on Twitter (Opens in new window)
  • Click to share on Facebook (Opens in new window)
  • More
  • Click to email a link to a friend (Opens in new window)
  • Click to share on WhatsApp (Opens in new window)

Related

Tags: Fortinet 0-day attackFortinet PyPI packagesFortinet supply chain attackPyPi Packagessupply chain attack in cyber securityThe Cyber ExpressThe Cyber Express News
Previous Post

Biometric Security Vital in Post-Quantum Future

Next Post

After Royal Mail, LockBit Claims UK Logistics Business Fulfilment Matters

Editorial

Editorial

The Cyber Express is a publication that aims to provide the latest news and analysis about the information security industry. The news comes from a variety of sources and is updated regularly so that readers can stay up to date with the latest happenings in this rapidly growing field.

Related Posts

Hacking depiction in hollywood
Features

Hollywood and its Quest with Nailing Hacking Depictions

by Editorial
February 5, 2023
Internet Censorship and Freedom of Speech
Features

Internet Censorship and Freedom of Speech

by Editorial
February 5, 2023
Voice Networks
Features

Voice Networks are Under Attack – is Anybody Listening?

by Editorial
February 4, 2023
Firewall Daily

Anonymous Sudan Declares War on American Corporate Giants with Devastating DDoS Onslaughts

by Ashish Khaitan
February 4, 2023
Dominic Alvieri
Firewall Daily

After Hive, Will More Ransomware Groups be Taken Down in 2023?

by Vishwa Pandagle
February 4, 2023
Next Post
Fulfilment Matters

After Royal Mail, LockBit Claims UK Logistics Business Fulfilment Matters

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

I agree to the Terms & Conditions and Privacy Policy.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest Issue is Out. Subscribe Now

Ai in Cybersecurity - Cybersecurity Magazine by The Cyber Express

Download Now



Follow Us On Google News

Never miss an update. Subscribe!

* indicates required

Recommended

Anonymous Sudan Declares War on American Corporate Giants with Devastating DDoS Onslaughts

February 4, 2023
GoTo Confirms User Data Stolen With Encryption Key

GoTo Confirms User Data Stolen With Encryption Key

January 27, 2023

Categories

Don't miss it

Voice Networks
Features

Voice Networks are Under Attack – is Anybody Listening?

February 4, 2023
Firewall Daily

Anonymous Sudan Declares War on American Corporate Giants with Devastating DDoS Onslaughts

February 4, 2023
LockBit. Ion Group
Cybersecurity News

LockBit Claims Ransom From ION Group, Firm Declines To Comment

February 4, 2023
Dominic Alvieri
Firewall Daily

After Hive, Will More Ransomware Groups be Taken Down in 2023?

February 4, 2023
McEwan Fraser Legal
Data Breach News

ALPHV Ransomware Hits UK Realty Firm McEwan Fraser Legal, 300GB Data On The Line

February 3, 2023
Kewal Kiran
Firewall Daily

Indian Apparel Manufacturer Kewal Kiran Clothing’s Data Out For Sale

February 3, 2023

About

The Cyber Express

Cybersecurity News and Magazine

The Cyber Express is a handbook for all stakeholders of the internet that provides information security professionals with the latest news, updates and knowledge they need to combat cyber threats.

Follow The Cyber Express

Contact

For editorial queries: [email protected]

For marketing, PR & media partnerships: [email protected]

For media kit and digitals sales: [email protected]

For Sponsorship/Event Partnership: [email protected]

For Conferences related information: [email protected]

Our Address

We’re remote friendly, with office locations around the world:

San Francisco, Atlanta, Rome,
Dubai, Mumbai, Bangalore, Hyderabad,  Singapore, Jakarta, Sydney, and Melbourne

 

Headquarters:

The Cyber Express LLC
555 North Point Center E
Alpharetta, GA 30022, USA.

Tel: (678) 578-8838

Subscribe to Our Feed

RSS Feeds

Follow Us On Google News

© 2022 The Cyber Express (Cybersecurity News and Magazine) | By Cyble Inc.

No Result
View All Result
  • Firewall Daily
  • Business News
  • Cyber Essentials
  • Features
  • Cybersecurity Magazine
  • Events
    • World CyberCon Middle East 2023
    • Webinars

© 2022 The Cyber Express (Cybersecurity News and Magazine) | By Cyble Inc.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.