Ethical Hacking News
A malicious Python package has been found on the Python Package Index (PyPI) that has been downloaded over 37,000 times. The 'fabrice' package relies on typosquatting to reach victims and steals AWS credentials using the legitimate Python SDK for Amazon Web Services. By understanding this threat and taking preventative measures, developers can protect themselves against future attacks.
- A malicious package on PyPI, 'fabrice', steals Amazon Web Services (AWS) credentials.
- The 'fabrice' package uses typosquatting to trick users into downloading and installing compromised software.
- The fabrice package has been downloaded over 37,000 times since its initial discovery in 2021.
- Experts warn that few solutions conduct retroactive scans, making the threat hard to identify and mitigate.
- The fabrice package steals AWS credentials using 'boto3' and exfiltrates them to a VPN server.
- The risk can be mitigated through simple checks of packages downloaded from PyPI and the use of tools that detect and block such threats.
In a shocking turn of events, researchers have discovered a malicious package on the Python Package Index (PyPI) that steals Amazon Web Services (AWS) credentials and has been downloaded over 37,000 times. The package, known as 'fabrice,' relies on typosquatting, which involves registering a package name that closely resembles a legitimate one in order to trick users into downloading and installing compromised software.
The fabrice package, which was first discovered in 2021, has been downloaded by unsuspecting developers over 37,000 times. Once installed, the package uses platform-specific scripts for Windows and Linux to execute actions that result in the theft of sensitive AWS credentials using 'boto3,' the official Python SDK for Amazon Web Services.
According to experts, the fabrice package has remained undetected for so long because the advanced scanning tools now in use were deployed only after its initial submission to PyPI. Furthermore, very few solutions conduct retroactive scans, making it even more challenging to identify and mitigate the threat.
On Linux systems, the package sets up a hidden directory at '~/.local/bin/vscode' to store encoded shell scripts split into multiple files, which are retrieved from an external server (89.44.9[.]227). These scripts are decoded and granted execution permissions, allowing the attackers to execute commands with user privileges.
On Windows systems, fabrice downloads an encoded payload that is a VBScript created to launch a hidden Python script named 'd.py.' The purpose of this script is to obtain a malicious executable file ('chrome.exe') that is dropped in the victim's Downloads folder. This malicious executable then schedules a Windows task to execute every 15 minutes, ensuring persistence across reboots.
Regardless of the operating system, the primary goal of fabrice is to steal AWS credentials using 'boto3.' The attackers then exfiltrate the stolen keys to a VPN server (operated by M247 in Paris), making it more difficult to track down the origin of the attack.
Researchers note that mitigating this risk is possible through simple checks of packages downloaded from PyPI. Furthermore, tools specifically created to detect and block such threats can be used to safeguard against future attacks.
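One such simple pre-install check, added here as an example rather than code from the article or the researchers: flag requested dependency names that are within one edit of a name on an approved list, which is how 'fabrice' would be caught against the legitimate 'fabric' library (assumed here to be the typosquatting target). The allowlist and the requirements list are constructed for the example.

```python
"""Pre-install typosquat check for PyPI dependencies (added example).

Flags requested package names that are NOT on an approved list but sit
within a small edit distance of a name that is, so a human can review them
before `pip install` runs. KNOWN_GOOD is a constructed allowlist; a real one
would come from the organisation's approved-dependency inventory.
"""
import re
from typing import Iterable

KNOWN_GOOD = {"fabric", "boto3", "requests", "numpy", "paramiko"}  # constructed


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(requested: Iterable[str], known_good=KNOWN_GOOD, max_distance=1):
    """Return (requested, lookalike, distance) for every requested name that is
    not approved but is within max_distance edits of an approved name."""
    good = sorted(normalize(n) for n in known_good)
    hits = []
    for req in requested:
        r = normalize(req)
        if r in good:
            continue  # exact approved match, nothing to review
        for g in good:
            d = edit_distance(r, g)
            if 0 < d <= max_distance:
                hits.append((req, g, d))
    return hits


if __name__ == "__main__":
    # Constructed requirements list: 'fabrice' is one insertion away from 'fabric'.
    for req, lookalike, d in typosquat_candidates(["fabrice", "requests", "flask"]):
        print(f"REVIEW {req!r}: {d} edit(s) from approved package {lookalike!r}")
```

Run it against a requirements file before installing; anything it prints should be confirmed against the intended package on PyPI rather than installed blindly.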
To protect AWS resources from unauthorized access, experts recommend using AWS Identity and Access Management (IAM) to manage permissions to those resources.
Related Information:
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-with-37-000-downloads-steals-aws-keys/
Published: Sat Nov 9 14:51:04 2024 by llama3.2 3B Q4_K_M