Light Dark
September 13, 2021 By Mike Elgan 3 min read
Software Vulnerabilities
Intelligence & Analytics
Advanced Threats
Cloud Security
Data Protection
Malware
Risk Management
Security Services

Malware can show up where you least expect it. Researchers discovered a logic bomb attack in the Python Package Index (PyPI) repository, which is code repository for Python developers and part of the software supply chain. Attackers aimed to get honest software developers to include the bombs in their applications by accident.

The researchers found six malicious payloads, all uploaded by a single user. The attacker designed them to run during a package’s installation. People have collectively downloaded these payloads around 5,000 times. Some of the logic bombs were typosquats, designed to trick people into thinking they were normal programs. Their purpose: to hijack developer systems for cryptomining.

The PyPI event is complex because it combines three different kinds of attacks: logic bombs, cryptojacking and software supply chain attacks.

It serves as a reminder to all businesses and agencies to guard against all three kinds of attacks.

The threat posed by these kinds of logic bombs and the threat posed by supply chain malware attacks call for an industry-wide approach by developers, repositories and the larger world of security tools and specialists. But that’s for the longer term. In the short-term, you need to protect your group from this brand of attack.

Defusing a Logic Bomb

A logic bomb can also be called a code bomb, cyber bomb or slag code. It’s a set of instructions that execute under certain conditions, usually with malicious intent.

One challenge with logic bomb attacks is that they don’t do anything at first. You can’t find them by hunting for strange behavior while they’re dormant. Another is that they vary in form and function from one another. Avoiding known patterns helps malicious actors plant logic bombs that victims can’t easily detect.

The payload is the problem. They can do any number of things, including stealing data, deleting or corrupting data, locking systems or launching cryptomining processes.

One common type is called a time bomb, which means that the triggering condition of the malware is a date and time. Others trigger after some specific event or activity on the machine where it’s installed. Attackers can install this kind of malware on multiple systems within an organization, the many instances increasing the chance that the malicious payload will have its intended effect. The time trigger assures that the triggering of one bomb won’t tip off security professionals to the existence of the others.

Either way, it’s possible to find and destroy logic bombs before they go off.

Cracking the Code on Cryptojacking

This goes hand-in-hand with cryptojacking, the illicit hijacking of resources for cryptomining. Attackers can steal huge bandwidth and compute, energy and, in the end, financial resources as it works to solve the equations needed for mining currency. In fact, the high resource demand — the high cost of cryptomining — is exactly why attackers are stealing it with cryptomining malware.

Beyond that, crypto-malware poses a risk because its behavior is hard to predict. In addition, it’s a foot in the door for other kinds of payloads and breaches. Protecting against it should be a high priority.

How a Logic Bomb Can Hit the Supply Chain

Software supply chain attacks — when threat actors add malicious code in third-party software with the aim of compromising applications that use that software — are among the most challenging. That’s because they simply happen in trusted software from trusted sources. The infamous SolarWinds attack put supply chain attacks on the front pages of mainstream newspapers and revealed just how damaging and widespread this kind of attack can be.

How to Defend Against a Logic Bomb

The best approach to guarding against these attacks — logic bombs, cryptojacking and supply chain attacks — can be summed up (but simplified) with one phrase: Know your networks. To be more specific, make sure you’re covered in the following areas:

  • Get to know your suppliers’ security posture and practices as well and revisit the risks from suppliers frequently
  • Open-source supply chain attacks merit special attention because they’ve grown massively in the past two years
  • Use red team tests to learn how supply chain attacks could play out within your organization and figure out how to best respond
  • Blacklist mining sites, pirate software sites and other sites are likely to lead to shady downloads
  • Disable JavaScript, if feasible
  • Keep all systems up to date on security patches
  • Keep security and IT personnel up to date on current knowledge around compromised software and to take action on known issues
  • Train employees on basic digital safety awareness and practices.
 |  |  |  |  | 
Mike Elgan

More from Software Vulnerabilities
August 9, 2023

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

August 2, 2023

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

March 30, 2023

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

March 21, 2023

Patch Tuesday -> exploit Wednesday: Pwning windows ancillary function driver for WinSock (afd.sys) in 24 hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature