Earlier this year, in June, a security researcher from the security firm Sonatype uncovered six malicious packages in PyPI, the official package repository for the Python programming language, that were laced with cryptomining malware.
The attackers gave the malicious packages typosquatted names, and the packages were downloaded more than 5000 times. All of them were posted to PyPI by the author "nedog123," some as early as April of this year. The typosquats were meant to make the packages look like the legitimate programs they imitated and to hide their real purpose: hijacking developer systems for cryptomining.
The PyPI incident is complex because it combines three different kinds of attack: logic bombs, cryptojacking, and software supply chain attacks. The risk posed by these attacks requires immediate action from organizations that want to protect their data.
Logic Bomb Attacks
A logic bomb, also known as a 'code bomb', cyber bomb, or slag code, is a malicious piece of code that executes only when specific conditions are met, usually for a malicious purpose.
One challenge with logic bomb attacks is that they are sneaky by nature and can go undetected for long periods of time.
Logic bombs vary in form and function from one another, which helps malicious actors plant logic bombs that victims can't easily detect.
Logic bombs are used for various purposes, such as stealing data, deleting or corrupting data, locking systems, or launching cryptomining processes.
Cryptojacking
Cryptojacking is the illicit hijacking of computers, smartphones, or even servers to mine cryptocurrency. Attackers steal bandwidth, compute power and energy, and ultimately money, as the victim's hardware works to solve the equations needed for mining currency. In fact, the high resource demand, that is, the high cost of cryptomining, is exactly why attackers steal it with cryptomining malware. Threat actors use crypto-malware because its behavior is hard to predict. In addition, it is a foot in the door for other kinds of payloads and breaches.
Software supply chain attack
A software supply chain attack is the most common method of targeting organizations: malicious code is inserted into third-party software with the aim of compromising the applications that use that software. According to the State of the Software Supply Chain report, supply chain attacks have increased by a staggering 650% year-on-year, versus a figure of 430% last year.
“Next-generation software supply chain attacks are far more sinister, because bad actors are no longer waiting for public vulnerability disclosures to pursue an exploit. Instead, they are taking the initiative and injecting new vulnerabilities into open source projects that feed the global supply chain, and then exploiting those vulnerabilities before they are discovered,” the report noted.
How to mitigate the risks
Organizations are advised to follow the steps below to protect their data:
• Use trusted antivirus software
• Perform regular OS updates
• Avoid downloading apps from untrusted sources
• Use red team tests to learn how supply chain attacks could play out within your organization and figure out how best to respond
• Blacklist mining sites, pirate software sites, and other sites that are likely to lead to shady downloads
• Disable JavaScript, if feasible
• Train employees on basic digital safety awareness and practices
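The typosquatting described above (a package name one or two characters away from a popular one) and the supply chain mitigations listed here can both be checked mechanically before a dependency is ever installed. The following is an added example, not code from the article or from Sonatype: it scans a requirements file for names that are suspiciously close to an allowlist of packages the team actually uses, and flags requirements that carry no `--hash=` pin (pip's hash-checking mode refuses to install an artifact whose digest does not match). The allowlist, the requirements text, the package names in it, and the hash values are all constructed for the example; the zero-filled digests are placeholders, not real hashes.

```python
"""Flag typosquat-like dependency names and missing hash pins in a requirements file.

Added example (hypothetical allowlist and sample input); not the article's own code.
"""
import re

# Constructed allowlist: names this (hypothetical) team is allowed to depend on.
KNOWN_GOOD = {"requests", "numpy", "urllib3", "pandas", "setuptools", "matplotlib"}

# Constructed requirements file. The --hash values are zero/one-filled placeholders.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the example
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
numpy==1.26.4 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
reqeusts==2.31.0
urlib3>=2.0
pandas==2.2.0
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: runs of '-', '_', '.' become '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the standard DP row recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> list[dict]:
    """Return [{'name': ..., 'has_hash': bool}] for each requirement line.

    Backslash continuations are joined first so a --hash on the next line counts.
    Comments are stripped naively (sufficient for plain name==version lines).
    """
    joined = re.sub(r"\\\n\s*", " ", text)
    reqs = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank line or pip option (-r, -i, ...)
            continue
        match = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if not match:
            continue
        reqs.append({"name": match.group(1), "has_hash": "--hash=" in line})
    return reqs


def check_requirements(text: str, known: set[str] = KNOWN_GOOD, max_distance: int = 2) -> list[dict]:
    """Produce findings: 'typosquat' (name within max_distance of a known name but not
    equal to it) and 'missing_hash' (no --hash pin on the requirement)."""
    known_norm = {normalize(k) for k in known}
    findings = []
    for req in parse_requirements(text):
        name = normalize(req["name"])
        if name not in known_norm:
            nearest = min(known_norm, key=lambda k: levenshtein(name, k))
            dist = levenshtein(name, nearest)
            if 0 < dist <= max_distance:
                findings.append({"name": req["name"], "issue": "typosquat",
                                 "nearest": nearest, "distance": dist})
        if not req["has_hash"]:
            findings.append({"name": req["name"], "issue": "missing_hash"})
    return findings


if __name__ == "__main__":
    for finding in check_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

Run as a pre-install gate in CI: a `typosquat` finding should block the build until a human confirms the name, and `missing_hash` findings disappear once the file is regenerated with `--hash=` entries and installed with `pip install --require-hashes -r requirements.txt`.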