The Week in Security: PyPI hit by ‘Lolip0p’ info-stealing attack, ransomware targets ship fleet

This week: A new software supply chain attack has been discovered on PyPI. Also: A ransomware attack on ship management software affects 1,000 vessels.

This Week’s Top Story

Supply chain attacks just won’t quit: ‘Lolip0p’ info-stealing malware campaign targets PyPI

The Python Package Index (PyPI) is one of the most popular open source code repositories, and is the most popular repository for Python packages specifically. Being a widely used platform by software developers globally, attackers have been continuing to use it as a successful software supply chain attack vector.

Fortinet discovered a recent attack on the platform, in which a single user dubbed ‘Lolip0p’ uploaded three malicious packages meant to drop info-stealing malware on impacted systems. The packages were uploaded between January 7 and 12, 2023, and since being reported have been taken down by PyPI. The attackers took an extra step by adding complete features descriptions to the packages, in hopes of tricking developers into downloading these trustworthy-looking, yet malicious packages.

BleepingComputer found that the three packages were downloaded over 500 times combined before being removed from PyPI, making the impact on relevant software supply chains significant. Each package contains the ‘setup.py’ file that attempts to run PowerShell, which then fetches an executable from a suspicious URL, named ‘Oxyz.exe.’ This malware then steals browser information from the impacted system. The detection rates for the packages range from 4.5-13.5%, showing that there is a high chance these malicious packages can evade detection from a victim’s security agents.

PyPI unfortunately does not have the bandwidth to manage every upload to its platform, making it easier for attackers to upload malicious packages. This is why user reports such as Fortinet’s discovery of the Lolip0p packages are vital to the security management of the platform.

Within the past six months, researchers at ReversingLabs have discovered several attacks on PyPI as well, each different from one another regarding attack method and motivation. In August 2022, it was found that two nearly identical PyPI packages downloaded the Parallax RAT executable. Back in December, researchers also found 10 additional PyPI packages as part of the previously discovered W4SP stealer malware campaign. Also in that same month, a PyPI-based software supply chain attack was discovered in which a malicious module posed as a legitimate software development kit (SDK).

Attackers have been having a field day with open source software repositories such as PyPI, and the recent ‘Lolip0p’ attack demonstrates that this threat will continue to cause problems in 2023.

News Roundup

Here are the stories we’re paying attention to this week…

Ransomware attack on DNV ship management software impacts 1000 vessels (Security Week)

Norway‎-based industrial risk management and assurance solutions provider DNV said a recent ransomware attack on its ship management software affected 1,000 vessels.

Iranian government entities under attack by new wave of BackdoorDiplomacy attacks (The Hacker News)

The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42 said it observed the government domains attempting to connect to malware infrastructure previously identified as associated with the adversary.

Why businesses need to think like hackers this year (DarkReading)

"Security professionals must update their skill sets and be proactive to stay ahead of cybercriminals. It's time to learn to think and act like an attacker to cope with the cyber 'new normal.'"

Hackers turn to Google search ads to push info-stealing malware (BleepingComputer)

Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results.

Git users urged to update software to prevent remote code execution attacks (The Hacker News)

The maintainers of the Git source code version control system have released updates to remediate two critical vulnerabilities that could be exploited by a malicious actor to achieve remote code execution.