Researchers alert of likely future ransomware attacks against web applications used by data researchers Scientists have discovered what they think to be the first Python-based ransomware sample particularly targeting Jupyter Notebooks. Python is not commonly used for establishing malware, with wrongdoers choosing languages like Go, DLang, Nim and Rust.
Nevertheless, this is not the very first Python ransomware. In October 2021, Sophos reported on a Python ransomware specifically targeting VMware ESXi servers.
The new sample was discovered by researchers at Aqua Security, after it was caught in one of its honeypots. The ransomware particularly targets Jupyter Notebooks, an open-source web app utilized by data professionals to work with information, compose and perform code, and imagine the results. This ransomware secures every file on an offered path on the server, and after that deletes itself after execution.
“Given That Jupyter Notebooks are utilized to analyze data and build data models, this attack can cause considerable damage to organizations if these environments aren’t correctly supported,” alert the scientists in an alert provided on March 29, 2022.
Given That Jupyter Notebooks are web apps, they struggle with all the basic web app issues, consisting of misconfigured or missing out on access authentication. The Nautilus researchers discovered around 200 internet-facing Jupyter Notebooks (some but not all may be honeypots) without any authentication. Each one of these could be accessed by an attacker with nothing more than a web browser, and the environment could be infected by hand.
Aqua scientist Assaf Morag told SecurityWeek, “There are more than 11,000 servers with Jupyter Notebooks that are internet-facing, so you can run a brute force attack and perhaps access to a few of them– you would be surprised how simple it can be to think these passwords.”
The sample trapped by Aqua is not a complete sample. It does not, for instance, include evidence of a ransom note. “We believe,” Morag informed SecurityWeek, “that the attack either reached a timeout on the honeypot, or that the ransomware is still being checked prior to real world attacks.”
However, the scientists believe from what they have that this is ransomware rather than a wiper weapon. “Wipers normally exfiltrate the information and clean it or simply clean it,” continued Morag. “We haven’t seen any effort to send out the data outside the server and the data wasn’t just wiped, it was secured with a password (by hand picked by the aggressor). This is another factor that leads us to believe that this is a ransomware attack rather than a wiper.”
He also believes– since of a resemblance to other Python ransomware– that the enemy just took existing code, and modified and changed it to his own needs. He does not have any details that could attribute the ransomware to any known group. Nevertheless, he comments, “The first thing the attacker did to understand that he can download files from a remote source was to download a text file that contains exclusively the word ‘blat’. This is a dirty word in Russian and something that we have seen in the past by Russian assailants.”
There is a strong possibility that this partial ransomware attack spotted by Aqua is the leader of real-life attacks versus Jupyter Notebooks. Considering that a built-in function of the application allows the user to open a shell terminal with more access to the server, the potential for harm is substantial.
Aqua suggests that access to Jupyter Networks be effectively validated; incoming traffic be controlled by getting rid of web gain access to or restricting it to VPN access; usage be constrained to non-privileged or minimal privilege users; and outgoing traffic be managed as fully as possible.
Aqua Security provides a cloud native application security platform (CNAPP). It was founded in 2015, and achieved unicorn status in 2021.
Related: Necro Python Botnet Starts Targeting Visual Tools DVRs
Related: Facebook Open Sources Analysis Tool for Python Code
Related: Python-Written CannibalRAT Utilized in Targeted Attacks
Related: Regardless Of Warnings, Cloud Misconfiguration Issue Remains Disturbing
Kevin Townsend is a Senior Factor at SecurityWeek. He has actually been discussing high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles released in lots of different publications– from The Times and the Financial Times to present and long-gone computer magazines.Previous Columns by Kevin Townsend
