14 November 2024

Ankura CTIX FLASH Update - November 12, 2024

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Malware Activity

Malicious "Fabrice" PyPI Package with 37,000 Downloads Steals AWS Keys

A malicious Python package named "fabrice" has been discovered by security researchers in the Python Package Index (PyPI). Fabrice has been available for download since 2021 and is likely a typosquat of the very popular and legitimate SSH remote server management package "fabric". It is possible that fabrice was not flagged by the community earlier because advanced scanning tools became available only after its initial submission to PyPI. The malicious package has been downloaded over 37,000 times and contains code written to steal AWS credentials using boto3, the official Python SDK for AWS. Once a boto3 session is initialized, the malicious package collects the AWS credentials associated with the session and exfiltrates the data to a VPN server. Fabrice can operate on both Windows and Linux systems. On Linux systems, it sets up a hidden directory at '~/.local/bin/vscode' to store encoded shell scripts that are responsible for executing commands. On Windows, fabrice downloads a VBScript that launches a Python script (d.py), which drops a malicious executable ('chrome.exe') into the user's Downloads folder. The executable schedules a Windows task to execute every fifteen (15) minutes, maintaining persistence across reboots. CTIX analysts recommend that individuals and organizations check their systems to ensure the package has not been downloaded. CTIX analysts also recommend that organizations employ AWS Identity and Access Management to limit how AWS resources can be used. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
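One way to carry out the recommended system check, as an added example that is not part of the original update: the script below looks for the "fabrice" distribution in the current Python environment, in requirements-style text, and for the two file-system artifacts named above. The function names are illustrative, and the assumption that the Windows Downloads folder sits at `Downloads` under the user's home directory is ours.

```python
"""Host triage for the indicators named in the fabrice write-up (added example)."""
import re
from importlib import metadata
from pathlib import Path

BAD_NAME = "fabrice"  # typosquat of "fabric" named in the article
# Artifacts described in the article, relative to a user's home directory.
# Their presence is a lead for investigation, not proof of compromise.
ARTIFACTS = [Path(".local/bin/vscode"), Path("Downloads/chrome.exe")]

def normalize(name):
    """PEP 503 normalisation, so 'Fabrice' and 'fabrice' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_hits(dist_names):
    """Return the distribution names that normalise to the malicious package."""
    return [n for n in dist_names if normalize(n) == BAD_NAME]

def requirement_hits(text):
    """Return (line_no, line) for requirements-style lines that name fabrice."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # ignore comments
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m and normalize(m.group(0)) == BAD_NAME:
            hits.append((no, raw.strip()))
    return hits

def artifact_hits(home):
    """Return the artifact paths that exist under the given home directory."""
    return [str(home / rel) for rel in ARTIFACTS if (home / rel).exists()]

def scan_host(home=None):
    """Check the running interpreter's packages and one home directory."""
    home = Path(home) if home else Path.home()
    names = [d.metadata.get("Name") or "" for d in metadata.distributions()]
    return {"packages": installed_hits(names), "artifacts": artifact_hits(home)}

if __name__ == "__main__":
    print(scan_host())
```

Run it once per Python environment (each virtualenv has its own installed distributions), and feed `requirement_hits` the contents of any requirements or lock files kept in source control.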

Threat Actor Activity

Scattered Spider and BlackCat/ALPHV Showcase the Difficulties in Cybercrime Disruption

Scattered Spider and BlackCat/ALPHV, notorious for major cyber heists, have resurfaced with new intrusions and possible rebranding over the last few months. Despite arrests of key members in January and June of this year, Scattered Spider, part of a larger cybercriminal community known as "The Com," continues to target organizations using social engineering, as seen in a recent attack on a manufacturing firm earlier in October 2024. This attack involved help desk manipulation, rapid system encryption, and a ransom demand via Microsoft Teams. The group has also switched to using RansomHub malware, diverging from previous affiliations with BlackCat/ALPHV, and is employing new tactics like advanced defensive evasion and novel Microsoft Teams methods. The resurgence highlights the decentralized nature of these cybercriminal groups, making law enforcement disruptions challenging. Scattered Spider's operations focus on credential theft and system infiltration through legitimate means, emphasizing the need for stringent help desk policies and technical controls. Meanwhile, BlackCat's dark web presence was dismantled by an FBI operation in December 2023, but its affiliates have been linked to Cicada3301 ransomware, sharing significant similarities in attack techniques including ransomware written in Rust. Cicada3301 has targeted companies in the US and UK, using tactics akin to BlackCat, such as inhibiting system recovery and embedding PsExec executables. The reemergence of these groups underscores the persistent threat posed by ransomware operators, facilitated by cryptocurrency's anonymity and geopolitical factors. CTIX analysts urge companies to enhance their cybersecurity posture by investing in robust email filtering, user training, endpoint security, and network monitoring.

Vulnerabilities

Critical Vulnerabilities Found in Open-Source Machine Learning Projects

Cybersecurity researchers have identified nearly two dozen security vulnerabilities across fifteen (15) machine learning (ML) open-source projects, posing significant risks to organizations. According to JFrog, these flaws affect both server- and client-side components, allowing attackers to compromise critical systems like ML model registries, databases, and pipelines. Notable vulnerabilities include a directory traversal flaw in Weave, tracked as CVE-2024-7340, that enables privilege escalation; a command injection vulnerability in Deep Lake, tracked as CVE-2024-6507; and a privilege mismanagement flaw in Mage AI, tracked as CVE-2024-45187. Some issues, such as improper access control in ZenML, lack CVE identifiers but remain just as severe. Exploiting these flaws could enable ML model backdooring, data poisoning, and unauthorized system access. This disclosure follows JFrog's earlier report on more than twenty (20) vulnerabilities in MLOps platforms and the introduction of Mantis, a defensive framework that leverages prompt injection to neutralize attacks on large language models (LLMs) with over 95% effectiveness. Mantis uses decoy services and dynamic prompt injections to autonomously disrupt or hack back against attackers, highlighting the escalating cyber threats to ML systems. Administrators responsible for maintaining these projects should read the full report for more information and be on the lookout for patches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
