A significant security breach has impacted both Telegram and AWS users, raising concerns about data security and privacy.
Checkmarx, a cybersecurity firm, attributed the discovery of this breach to a mysterious threat actor named “kohlersbtuh15.” This actor employed tactics like typosquatting and starjacking within the Python package repository, PyPI.
In the first case (typosquatting), the attacker deceives a target by altering a single character in a link to mimic a legitimate domain name, so that the attack is disguised as something familiar. In the second (starjacking), the attacker links a malicious package to an unrelated, benign one so that it appears to carry that project's reputation.
Instead of following the conventional strategy of embedding malicious code in the setup files of Python packages, this attacker took a different approach. They concealed malicious scripts deep within the package, inside specific functions, so that the malicious code would only execute when a particular function was called during regular use.
This method not only conceals the code but also ties it to specific operations or functionalities, making the attack more targeted and harder to detect. Checkmarx also pointed out that many security tools scan for malicious scripts that execute automatically at install time, so embedding the code within functions that only run later increases the likelihood of evading detection.
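The detection gap described above is that an install-time-only scanner never sees code that is hidden inside function bodies. The following added example (not code from the article or from Checkmarx) walks a package's source with Python's `ast` module and reports suspicious calls together with the function that encloses them; the `SUSPICIOUS` callee list and the `SAMPLE` module are constructed for illustration.

```python
import ast
from typing import List, Tuple

# Illustrative (assumed) set of callees that are unusual in library code but typical of droppers.
SUSPICIOUS = {"exec", "eval", "base64.b64decode", "subprocess.run",
              "subprocess.Popen", "os.system"}

def _callee(node: ast.Call) -> str:
    """Return the dotted callee name, e.g. 'exec' or 'base64.b64decode'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))

def find_suspicious_calls(source: str) -> List[Tuple[str, str, int]]:
    """Walk every scope, not just module level, and record
    (enclosing function or '<module>', callee, line) for suspicious calls."""
    hits: List[Tuple[str, str, int]] = []

    def visit(node: ast.AST, scope: str) -> None:
        for child in ast.iter_child_nodes(node):
            child_scope = scope
            if isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef)):
                child_scope = child.name  # calls below belong to this function
            elif isinstance(child, ast.Call) and _callee(child) in SUSPICIOUS:
                hits.append((scope, _callee(child), child.lineno))
            visit(child, child_scope)

    visit(ast.parse(source), "<module>")
    return hits

# Constructed sample module: one benign helper and one that only misbehaves
# when called, so a scanner that checks setup-time code alone sees nothing.
SAMPLE = '''
import base64

def parse(data):
    return data.split(",")

def connect(host):
    # looks like an ordinary helper, but decodes and runs a payload on first call
    payload = base64.b64decode("cHJpbnQoJ2hpJyk=")
    exec(payload)
    return host
'''
```

Running `find_suspicious_calls(SAMPLE)` returns two hits, both attributed to `connect` rather than to module level, which is exactly the placement an install-time scan would miss.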
Furthermore, the attacker made the poisoned packages on PyPI appear popular, a psychological trick that lures victims into installing them with a false sense of confidence. Starjacking and typosquatting are popular methods attackers use to raise the odds of success, because they enhance a package's credibility by emphasizing its apparent popularity.
Falling for these tricks risks compromising networks once malicious packages are introduced into the code, with potential cascading effects further down the line. In the best case, the compromise stops at high-privileged developer accounts on your network. In less fortunate cases, compromised software releases could expose your customers to risk.