Developers targeted by poisoned Python library
An instance of the domain expiration routine triggered a chain of events that could potentially put hundreds of businesses at risk of a massive data breach through a forgotten Python code library.
SANS Institute researcher Yee Ching Tok exposed the chain of events that led to the “ctx Python” library being seeded with code that sought to steal AWS secret keys from anyone who included it in their projects. .
The malicious code has since been removed and developers are advised to verify that they are not running the library.
According to a SANS Internet Storm Center blog post By Tok published on Tuesday, the poisoned code was a supply chain attack caused by the theft of ctx Python developer’s pypi.org account that resulted from the expiration of an unused domain.
The attack began when users noticed that the Python library, which had not been updated since December 2014, was unexpectedly updated on May 21.
Suspecting that something was wrong, the researchers began to examine the code and verify what exactly had changed in the Python ctx library. What Tok eventually discovered was a snippet of code that searched the host machine for AWS secret keys.
This is especially dangerous for developers, who will regularly have administrator access to AWS databases containing sensitive company information. In this case, a developer could expose their secret keys without even directly accessing the changed code and seeing an update.
“Many of these packages can be installed and updated by the well-known ‘pip install’ command,” Tok explained. “However, many developers may take the update and installation process for granted and neglect to check what may have changed in the packages.”
After some research, Tok was able to trace the attack to a seemingly unlikely source: an expired domain. The researcher found that between 2014 and May this year, the developer who originally created ctx Python lost control of the domain he used to register his GitHub account.
Since the domain expired, it appears the attacker was able to take control of the domain, establish the email account, and use it to reset the developer’s GitHub password.
From there, the attacker was able to access the developer’s original projects and slip malicious code snippets into multiple projects. In addition to Python ctx, the attacker put bad code in a PHP code project called “phpass”.
Security software provider Sonatype has released a blog post Thursday on the compromises of the ctx Python and phpass libraries. “The GitHub repository of ‘phpass’ we saw shows commits from 5 days ago that contain the same endpoint, as seen in compromised ‘ctx’ versions, indicating that the attacks are related”, indicates the message.
The poisoned code is another example of a supply chain attack carried out using a compromised open source library. Cybercriminals are increasingly seeking to infiltrate the networks of several companies by infiltrating the developers who supply their software.
One of the best ways to do this is to target open source libraries and repositories that developers rely on when building their software. Therefore, the job of securing corporate networks and data falls not only to IT and security personnel, but also to coders.
“With such an event, it would be good for the developers to take a close look at the packages that one uses for coding and check that there are no additional features hiding in the packages,” Tok said. “It also highlights the importance of regularly checking source code, libraries and packages for irregularities, having a secure infrastructure for software development and proper configuration management.”