ReversingLabs researchers identify novel attack on PyPI

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.

This week: ReversingLabs researchers identified a novel attack on PyPI using compiled Python code to evade detection. Also: Why the duo of behaviors and differentials matters for software supply chain security. 

This Week’s Top Story

ReversingLabs researchers identify novel attack on PyPI

This past week, ReversingLabs Reverse Engineer Karlo Zanki shared a new blog post detailing the research team’s identification of a novel attack on the PyPI platform that uses compiled Python code to evade detection. 

The package, fshec2, was reported to the PyPI security team on Apr 19, 2023, and was removed from the platform on that same day. What makes fshec2 unique is that it does not rely on the popular obfuscation technique, used in other attacks on PyPI, to plant malicious behaviors, but rather “places the malicious functionality into a single file containing compiled Python byte code,” said Zanki. 

Zanki and other researchers were able to detect the malicious package using ReversingLabs’ Software Supply Chain Security platform, which traditional application security tools would be unable to detect. The platform extracted a set of suspicious behaviors from the package’s compiled binary. These behaviors included the presence of URLs that reference the host by IP address, as well as the creation of a process and execution of a file. It’s also configured to collect usernames, hostnames, and directory listings.

According to Ashlee Benge, Director of Threat Intelligence Advocacy at ReversingLabs: “This behavior is a bit more sophisticated, and it shows that the attackers are evolving and paying attention to the better detections that are being rolled out (…) we're probably going to continue to see this kind of attack increase in the future." 

Head to the ReversingLabs blog to see more of our original threat research. 

Other News: 

Universal 2FA implemented for PyPI project maintainers

All Python Package Index project maintainers have been required to adopt two-factor authentication by the end of the year in a bid to better prevent account takeover attacks, reports SecurityWeek. Implementation of 2FA could be performed through an authenticator app or security device, as well as the utilization of API tokens or trusted publishing when conducting PyPI uploads. (SC Magazine)

How to Protect Containerized Workloads at Runtime

The shift left approach might only cover the build and deploy phases, for example, but not apply enough security focus to another critical phase for today’s workloads: runtime.

Runtime security “is about securing the environment in which an application is running and the application itself when the code is being executed,” said Yugal Joshi, partner at the technology research firm Everest Group. (The New Stack)

Our guide to secure coding practices for developers

The increase in API usage has led to a surge in API attacks, with outdated and abandoned APIs posing a significant security threat. Organizations are struggling to manage the large number of APIs they have, and the Salt Labs State of API Security report highlights a 400% increase in unique attackers.

API breaches can occur due to poor coding practices or business logic vulnerabilities. API security risks have become a concern at the C-level, and implementing API-specific security measures and adopting a zero trust approach can help mitigate these risks. (Security Boulevard)

Cloud Drift Detection With Policy-as-Code

Cloud configurations can change and change often. Introducing new technologies, releasing new features and supporting new business requirements entail a constant flow of configuration changes in web application development.

However, drift occurs regardless of how well-designed your IaC implementation is. The term “drift” is used to denote a state in which the actual state of your infrastructure deviates from the configuration.

This article examines cloud drift detection, why it occurs and how to remediate it. (DevOps.com)

Resource Round Up

Video: Behaviors and Diffs: Better Together for Software Supply Chain Security

In this episode, Matt Rose explains how software supply chain security is better with the wonder duo of behavior and differential analysis. [Watch Now]

Podcast: Chris Romeo on The State of Application Security

In this episode, Host Paul Roberts interviews Chris Romeo, CEO of Kerr Ventures and long-time application security (app sec) practitioner, on the sidelines of RSA Conference 2023. Romeo gives a rundown on the state of app sec and comments on other software threats posed to organizations today. [Listen In]

Webinar: Deconstructing UPS Ship Manager Software Package for File Rot and Risk Detection

In this episode, Tim will show the real world risk of expired code signing certificates in a software package.  Learn how to detect, investigate and assess file rot from both a software production and TPRM use case. [Register Now]