Researchers use PyInstaller to create stealth malware

Stay informed about the latest enterprise technology news and product updates.

Academic researchers say the application builder could be used to create undetectable attack bundles that bypass many widely used antimalware programs.

A popular Python developer tool could also become a potent malware accessory, according to new research.

A group of researchers from the University of Piraeus in Greece said that PyInstaller, a tool intended to convert Python code into standalone applications, is capable of creating malware payloads that are able to slip past many of the most widely used antivirus programs and get their malicious code up and running before being flagged and terminated.

This means that, rather than spend the extensive time and money required to obfuscate code and create an untraceable malware packer from scratch, cybercriminals would be able to take advantage of the most popular Python application builder to create packers that are not caught in scans.

“Interestingly, our approach to generating the malicious executables is not based on introducing a new packer but on the augmentation of the capabilities of an existing and widely used tool for packaging Python, PyInstaller but can be used for all similar packaging tools,” wrote Vasilios Koutsokostas and Constantinos Patsakis in the research paper, which was published this week. “As we prove, the problem is deeper and inherent in almost all antivirus engines and not PyInstaller specific.”

Patsakis told SearchSecurity that the team went into the research knowing that antivirus engines already have a problem properly handling Python applications. In many cases, apps based on Python produce false positives. The extent of the issue, however, was never really understood.

“From the very beginning we knew that something quite wrong was happening as all applications were flagged as malicious,” Patsakis explained. “This kind of bias implies that AVs were not scanning the packages that PyInstaller produces properly, but due to the wide use of Python, we did not expect the reason being the Python bytecode.”

The issue lies in how PyInstaller turns Python code into executables. Because Python is a scripting language, PyInstaller does not compile the code in the traditional sense. Rather, it bundles all the libraries and other components the Python code requires into .pyc files and compressed archives. When the bundled application is launched, a bootloader is spun up and those dependencies are unpacked into a temporary folder and called as needed.

Those .pyc files, as it turns out, are extremely difficult for most modern antimalware tools to scan effectively. The University of Piraeus duo found that when an individual .pyc file was submitted to the VirusTotal scanning suite, it was often not properly analyzed, and code that would normally be flagged as malicious was instead passed through.

In one example, the pair bundled reverse shell code into a .pyc file through PyInstaller and placed the same code in a JavaScript file and in an uncompressed Python script. The JavaScript file was detected four times more often than the Python code. More importantly, the reverse shell code in the .pyc file went completely undetected by the full suite of AV engines on VirusTotal. This was all done out in the open, with no code obfuscation.

“There are many ways to bypass static analysis so in this sense finding a new AV bypass was not surprising,” Patsakis explained.

“The surprising part was that we did not have to actually hide the payload, which for a scripting language like Python was rather unexpected.”

What is more concerning, the researchers said, is that this problem is not simply a quirk of PyInstaller but reflective of a larger issue among security tools. It seems that there is a blind spot in many commercial antimalware tools when it comes to the way Python bytecode is handled and scanned.

Fortunately, a fix for the problem is not particularly difficult. The researchers believe that most commercial AV vendors are well-equipped to add support for Python bytecode into their scanning and antimalware detection tools. Once those features are added, consistently stopping Python-based malware would be feasible.

“The fix for AVs is not something difficult to apply, as .pyc are not hard to process and new rules can be added to their arsenal,” Patsakis said. “Therefore, we expect fixes to be soon applied from all AVs.”
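The bytecode scanning the researchers say AV vendors could add is straightforward to sketch. The following is an added example, not code from the paper or from PyInstaller: it builds .pyc images in memory from two constructed sample modules, parses the 16-byte header, unmarshals the code object, walks nested function bodies, and matches the referenced names and string constants against constructed rules (the rule contents are an assumption, not any vendor's signatures).

```python
import importlib.util
import marshal
import struct
import types

# Magic number of the running interpreter; bytecode from another version
# would not unmarshal correctly, so the scanner checks it first.
MAGIC = importlib.util.MAGIC_NUMBER

# Constructed rules (an assumption, not vendor signatures): a "names" rule
# fires when every listed name occurs in the module; a "strings" rule fires
# on any listed string constant.
RULES = {
    "py/net-spawn": {"names": {"socket", "connect", "subprocess", "Popen"}, "strings": set()},
    "py/shell-path": {"names": set(), "strings": {"/bin/sh", "cmd.exe"}},
}

# Constructed samples: compiled to bytecode below, never executed.
SUSPECT_SRC = '''
import socket, subprocess

def beacon(host, port):
    # stand-in for a network-connected child process
    s = socket.socket()
    s.connect((host, port))
    return subprocess.Popen(["true"])
'''
CLEAN_SRC = '''
import socket

def hostname():
    return socket.gethostname()
'''

def build_pyc(source, filename):
    """Compile source into a timestamp-based .pyc image (PEP 552 layout, 3.7+):
    magic, flags, mtime, source size (4 bytes each), then the marshalled code."""
    code = compile(source, filename, "exec")
    header = MAGIC + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)

def parse_pyc(blob):
    """Validate the 16-byte header and unmarshal the top-level code object."""
    if blob[:4] != MAGIC:
        raise ValueError("magic mismatch: bytecode from another Python version")
    flags = struct.unpack("<I", blob[4:8])[0]
    if flags & 1:  # hash-based pyc: an 8-byte hash of the source follows
        meta = {"hash_based": True, "source_hash": blob[8:16].hex()}
    else:
        mtime, size = struct.unpack("<II", blob[8:16])
        meta = {"hash_based": False, "mtime": mtime, "source_size": size}
    return meta, marshal.loads(blob[16:])

def walk_code(code):
    """Yield the module code object and every nested function or class body;
    payload logic usually sits inside functions, so a top-level scan misses it."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)

def extract_features(code):
    """Collect referenced names (imports, globals, attributes) and string constants."""
    names, strings = set(), set()
    for c in walk_code(code):
        names.update(c.co_names)
        strings.update(x for x in c.co_consts if isinstance(x, str))
    return names, strings

def scan_pyc(blob):
    """Return the sorted list of rule ids that match the .pyc image."""
    _meta, code = parse_pyc(blob)
    names, strings = extract_features(code)
    hits = []
    for rule_id, spec in RULES.items():
        name_hit = bool(spec["names"]) and spec["names"] <= names
        string_hit = bool(spec["strings"] & strings)
        if name_hit or string_hit:
            hits.append(rule_id)
    return sorted(hits)
```

The same scanner applies to any .pyc produced by the matching interpreter version, whether compiled directly or unpacked from a bundle's temporary folder.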

‘BadAlloc’ vulnerabilities spell trouble for IoT, OT devices

A week after Microsoft revealed 25 memory allocation vulnerabilities in several IoT and OT products, some devices have been patched, while others have not.

Microsoft disclosed several potentially dangerous vulnerabilities in IoT and operational technology products last week, but it’s still unclear what mitigations and patches are available.

In a blog post, Microsoft’s Security Response Center detailed its discovery of 25 memory allocation vulnerabilities, which its security research group refers to as “BadAlloc.” Exploitation of the vulnerabilities, many of which are critical, could lead to remote code execution (RCE), allowing adversaries to bypass security controls in order to execute malicious code or cause a system to crash. The BadAlloc vulnerabilities cover a wide range of technology, including consumer and medical IoT, industrial IoT, operational technology (OT) and industrial control systems (ICSes).

Microsoft said given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant risk for organizations of all kinds.

“The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs) and C standard library (libc) implementations,” the report said.

While Microsoft had not observed any in-the-wild exploitation, it recommended that organizations patch systems as soon as possible. However, applying updates to IoT and OT devices can be more difficult than traditional IT systems.

“At the same time, we recognize that patching IoT/OT devices can be complex,” the report said.

The Cybersecurity and Infrastructure Security Agency (CISA) simultaneously released an ICS advisory that warned the flaws affect multiple vendors and multiple critical infrastructure sectors; it also said the impact extends worldwide. The vulnerabilities include integer overflow or wraparound. Like Microsoft, CISA also recommended applying available vendor updates and that users take defensive measures to minimize risk.

According to the Microsoft blog, the memory allocation implementations written for IoT devices and embedded software have not incorporated proper input validations.

“Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device,” the report said.

We reached out to Microsoft to see how they discovered these vulnerabilities, but the vendor declined to comment.

The CISA advisory provided further details on the products and CVEs. Most of the listed CVEs carry a Common Vulnerability Scoring System (CVSS) score above 7. Some of the more critical ones, including a flaw in Red Hat newlib versions prior to 4.0.0, assigned CVE-2021-3420, scored 9.8 out of 10. While a majority of the BadAlloc flaws have updates available, the CVEs are still in the reserved phase, which, according to MITRE, means the details are not yet public.

We reached out to vendors regarding their responses to the Microsoft disclosure. A spokesperson for Silicon Labs said the software company has already made the updates available to Micrium OS users through Simplicity Studio and uCOS-II/uCOS-III via GitHub. At the time Microsoft published the report, an update had not yet been released for Micrium uCOS-II/uCOS-III.

Additionally, a spokesperson for Arm said it investigated findings from Microsoft regarding two of its products: Mbed OS, an open source operating system for the IoT, and CMSIS-RTOS2. At the time the CISA advisory was published, an update was not expected for CMSIS-RTOS2 until June. However, the spokesperson said a patch was released Wednesday for users of the CMSIS-RTOS v2-based Keil RTX5.

“We have provided a patch to our Mbed partners that allowed them to provide this to any customers who were impacted, and we released the patch in both Mbed OS 5.15.7 and 6.9,” an Arm spokesperson said.

A third Arm product was listed — mbed-ualloc — but according to the CISA advisory, it is no longer supported and no fix will be issued.

We contacted Texas Instruments, which has five products and four CVEs on the advisory, but the company did not respond. According to the advisory, one of those products, SimpleLink MSP432E4, has no update currently planned. We also reached out to Cesanta and NXP — two other vendors on the list — but neither company responded.

Attacks against ICS devices and OT have increased in recent years, and the ability to patch as soon as possible can be critical but difficult to achieve in this sector. In Dragos Inc.’s “Year in Review 2020” report, the industrial cybersecurity vendor said threats have increased threefold as more groups cash in on cybercrime. Factors such as the CVSS being geared more toward traditional IT than OT and IoT contribute to patching challenges.

6 ways to spur cybersecurity board engagement

New research suggests corporate boards are paying closer attention to cybersecurity, but experts say progress is still modest and slow.

Board-level cybersecurity engagement has improved in recent years, but progress is still painfully slow, according to 2021 research from Enterprise Strategy Group, a division of TechTarget.

Corporate boards’ subpar cybersecurity literacy and security leaders’ lack of business acumen have resulted in missed opportunities to align security and business objectives, leaving enterprises open to potentially catastrophic cyberthreats. In encouraging news, of 365 senior business, security and IT professionals surveyed by ESG, 85% said their boards of directors engage more meaningfully with cybersecurity strategies and decisions today than they did two years ago. Yet, more than two-thirds of respondents also said their organizations persist in viewing security as a “technology area” rather than a core business concern, despite the digital transformation well underway in the enterprise and increasing levels of overall cyber risk.

Jon Oltsik, senior principal analyst at ESG, said that, to understand cybersecurity, one first must understand IT — and many corporate boards simply don’t. “Let’s face it: Typically, a board is composed of 60- to 75-year-old men who had some success in business, probably before or in the early days of the internet,” he said. “They didn’t have the acute cybersecurity issues then that we have today, so there’s a gap.”

Security professionals — about 70% of whom hail from traditional IT backgrounds, according to ESG — have also contributed to this cultural disconnect by framing cybersecurity board reports in technological rather than layman’s or business terms, Oltsik added.

“Unfortunately, most CISOs don’t know how to translate technology into business language or how to use common analogies and colloquialisms to get away from the ‘bits and bytes’ of cybersecurity,” he said. As such, their presentations to boards — which typically care about financial profitability rather than technical proficiency — fall flat, ultimately leaving security teams without the support and resources they need to appropriately mitigate threats to the business.

“If board members don’t understand cybersecurity, they may unknowingly accept a phenomenal amount of risk without realizing it,” Oltsik said.

Reactive vs. proactive cybersecurity board engagement

While ESG’s research showed the typical board is becoming more engaged with cybersecurity issues overall, the survey data suggested that’s often only because of an external catalyst, such as new regulatory compliance requirements or a data breach. Oltsik said the notorious 2018 Anthem Inc. breach, for example, triggered a reactive spike in board-level cybersecurity buy-in across the healthcare industry. “Every other organization said, ‘If it happened to Anthem, it could happen to us,’ and suddenly got religion,” he said.

On a more positive note, a new CISO or the adoption of a formalized security program can also prompt an increase in cybersecurity participation in the boardroom. According to Oltsik, a savvy CISO will strategically court greater executive and director engagement by measuring cyber risk and preparedness from all angles and then explaining how the organization stacks up against industry peers, what needs to change and how much it would cost. “At that point, it’s a business discussion, which is what it takes,” he added.

Once a CISO has clearly communicated an existing or emerging cybersecurity risk and its implications for the business, its mission and its bottom line, the board has three options:

accept the risk;
mitigate the risk; or
transfer the risk, such as with cybersecurity insurance.

Notably, ESG’s research suggests proactive cybersecurity board-level engagement is growing but still relatively rare. Proactive engagement is driven by an overarching desire to strategically align security with organizational goals, rather than by external events. It requires an uncommonly high level of cybersecurity education, training and buy-in among corporate executives and directors.

How to advance cybersecurity in the boardroom and C-suite

About half of respondents in the ESG survey described their leadership teams as “very involved” in key cybersecurity activities, such as establishing budgets, prioritizing investments and establishing a security culture. While this suggests progress toward overall cybersecurity-business alignment in the enterprise, it also leaves much room for improvement — with researchers describing executive and board involvement in security initiatives as still “cursory at best” in many organizations.

ESG offered six recommendations for advancing cybersecurity’s standing in the C-suite and boardroom and throughout the enterprise.

1. Educate boards

ESG’s survey responses indicated ongoing cybersecurity education at the board level prompts corporate leadership to take a greater and more proactive interest in cyber risk mitigation. But CISOs looking to single-handedly change the perception of cybersecurity in the boardroom have their work cut out for them, Oltsik acknowledged. As a result, many security leaders recruit independent experts to help educate their boards on cyber risk, a move ESG analysts described as an enterprise best practice. According to Oltsik, executives and directors tend to perceive third-party consultants and academics as having a high degree of credibility, bolstering the CISO’s case for cybersecurity investment and creating a strong educational experience for the board.

2. Adopt a CISO-to-CEO reporting structure

CISOs should report directly to CEOs rather than to CIOs, most security experts agree. This reporting structure gives security a seat at the executive table, positioning CISOs to make meaningful contributions to the business and increasing senior leadership’s exposure to cybersecurity issues. A CISO-to-CIO reporting structure, on the other hand, pigeonholes security leaders as technologists and undermines cybersecurity-business alignment.

3. Foster a cybersecurity culture

All employees should participate in cybersecurity training and understand the critical role security plays in the overall success of the business. Leadership should also make every department responsible for relevant cybersecurity goals and metrics, giving everyone an active role in protecting critical business assets.

4. Formalize the cybersecurity program

A formal, top-down security program articulates high-level strategies and controls that align with the business’s vision and mission, making them explicit, actionable and trackable using clear documentation, KPIs and metrics. In addition to creating a roadmap toward a more secure enterprise, a formalized program also gives CISOs and boards a shared language with which to discuss cyber risk and security priorities, according to ESG.

5. Prioritize critical assets and initiatives

All cyber risk is not created equal — a truth too often lost on the enterprise, the researchers said. Organizations should identify their most sensitive and valuable assets and create proportionally aggressive risk modeling, monitoring and mitigation strategies to protect them.

6. Hire BISOs

According to the ESG analysts, a business information security officer, or BISO, can complement the CISO’s efforts by advocating for cybersecurity at a granular level within key business units, resulting in better overall security-business alignment on the ground.

Twilio discloses breach caused by Codecov supply chain hack

Twilio utilizes Codecov tools including the previously compromised Bash Uploader script. It said that a “small number” of customer emails were potentially exposed.

Another Codecov supply chain attack victim has come forward, and this time it’s cloud communications provider Twilio.

Twilio posted a blog Tuesday disclosing that a “small number” of customer emails had “likely been exfiltrated by an unknown attacker” who cloned Twilio’s code repositories on GitHub in mid-April. The company further connected the activity to the Codecov breach disclosed last month.

“On April 22, 2021, we received a notification from that suspicious activity had been detected related to the Codecov event and a Twilio user token that had been exposed,” the blog read. “ had identified a set of GitHub repositories that had been cloned by the attacker in the time before we were notified by Codecov.”

The blog post explained that Twilio uses Codecov code coverage tools, including the compromised Bash Uploader script, in a small number of its projects.

After Twilio identified the suspicious activity and found that some customer emails had been in the repositories, it initiated a security response that included a security review, notifying customers with exposed information and rotating all “potentially exposed credentials and secrets.” The post concluded by saying that Twilio has no indication that any other customer data was accessed or at risk.

In a section of the blog post titled “What are we doing to prevent similar issues in the future?” the cloud communications provider said that it uses “a robust third-party security team” to evaluate vendors, both new and existing.

“This process ensures our technology supply chain always meets our standards for security. When we become aware of an incident or vulnerability within that supply chain, we move quickly to remediate the issue or remove the software from our environment,” the post read.

It is unclear whether Twilio has removed Codecov or dropped it as a vendor.

SearchSecurity asked Twilio whether the company had any indication regarding the attacker’s identity; the spokesperson declined to comment.

Twilio marks the second known company to disclose a security incident related to the supply chain attack involving Codecov. Cloud infrastructure vendor HashiCorp disclosed a breach on April 22. Like Twilio, a key part of the company’s response involved rotating relevant credentials.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dell patches high-severity flaws in firmware update driver

SentinelOne discovered the flaws in Dell’s firmware update driver in December. There’s no evidence that hackers have exploited the 12-year-old vulnerabilities.

Dell has released a patch for five high-severity flaws discovered in a firmware update driver that companies could have used on hundreds of millions of Windows PCs since 2009.

This week, Dell released a fix that will detect and uninstall the vulnerable dbutil_2_3.sys driver from computers. The company said it will release a new version of the driver on May 10 with “enhanced features for enterprise customers.”

There’s no evidence that hackers have exploited the driver vulnerability, said security company SentinelOne, which discovered the flaws and reported them to Dell on Dec. 1.

Companies might have unwittingly installed the flawed driver while using a firmware update utility package. They also could have installed it using one of the vendor’s tools. The utilities include the Dell Command Update, the Dell Update, the Alienware Update, the Dell System Inventory Agent or the Dell Platform Tags.

Companies can remove the flawed driver using the latest update of Dell’s utilities or a unique removal tool released by Dell. The vendor has also released instructions for clearing the driver manually.

The high-severity rating is due to the number of PCs and tablets possibly affected by the vulnerabilities. A hacker could not exploit the flaws over the internet.

Instead, an attacker could use phishing emails to exploit another vulnerability and then chain that to the driver. A malicious actor could also access the driver by gaining local, authenticated access to the computer.

Dell has published an FAQ that provides more information on potential risks from the driver vulnerability.

Antone Gonsalves is the news director for the Networking Media Group. He has deep and wide experience in tech journalism. Since the mid-1990s, he has worked for UBM’s InformationWeek, TechWeb and Computer Reseller News. He has also written for Ziff Davis’ PC Week, IDG’s CSOonline and IBTMedia’s CruxialCIO, and rounded all of that out by covering startups for Bloomberg News. He started his journalism career at United Press International, working as a reporter and editor in California, Texas, Kansas and Florida. He can be found on Twitter at @AntoneG.

US defense contractor BlueForce apparently hit by ransomware

The Conti ransomware operators demanded nearly $1 million in bitcoin during ransomware negotiations and threatened to publish the defense contractor’s data on its leak site.

U.S. defense contractor BlueForce has apparently been hit in a ransomware attack, according to a Conti ransomware chat and Hatching Triage sample.

The Hatching Triage page for the ransomware sample included a ransom note claiming to be from a threat actor who infected the victim with the Conti ransomware strain. The sample was shared with SearchSecurity by TechTarget sister site LeMagIT.

“All of your files are currently encrypted by CONTI strain,” the note read. “As you know (if you don’t – just “google it”), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software — the files might be damaged, so if you are willing to try — try it on the data of the lowest value.”

The note included both a standard URL and a .onion link to an active chat between a Conti operator and a negotiator who claimed to be from BlueForce Inc., a Virginia-based defense contractor that aims to “create and further develop the nexus between DoD [Department of Defense] and DoS [Department of State] with a skillfully blended mix of cross functional defense, interagency and international development expertise” according to its website.

A chat between Conti ransomware operators and a negotiator claiming to represent BlueForce Inc. The threat actor demanded 17 bitcoins — nearly $1 million as of this writing.

The chat’s original message from the ransomware operator, dated April 9, asks if the victim is ready to negotiate. Over two weeks later, the supposed victim replies, saying “please help, my files are encrypted!!!” After the ransomware operator asked the victim to identify themselves, someone in the chat responded Thursday morning and identified themselves as BlueForce and asked for next steps, as well as whether any data had been encrypted.

The threat actor responded in the affirmative and demanded 17 bitcoins (worth nearly $969,000 as of this writing). In addition, the response included a list and data pack of files in order to verify that Conti had breached the company and exfiltrated data. The chat has not been updated since.

BlueForce did not respond to SearchSecurity’s request for comment.

Conti ransomware was first reported in mid-2020, and like many other modern ransomware families, it extorts victims by not only encrypting data, but threatening to publish it, too. Recent Conti victims include a number of London schools, as well as fashion retailer FatFace. It was also a member of the Maze ransomware cartel when it was active.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
