How identity-based Zero Trust can prevent a Python backdoor attack

Scripting attacks are emerging as a primary vector for cybercriminals. In fact, in the U.S., scripting attacks have become almost as common as malware, and, in EMEA, scripting accounts for by far the majority of cyberattacks, according to the most recent Crowdstrike Global Threat Report. Malicious scripts have even been leveraged by state-sponsored hacking organizations such as China’s Deep Panda and as a key element of multi-faceted attacks, such as the Emotet trojan. Iran used a MechaFlounder Python backdoor attack against Turkey last year. 

It’s no wonder that they’ve become such a powerful vector. With very little effort, less than 100 lines of a script — whether it’s Python, PowerShell or some other scripting language — can gain a foothold in the network, create a backdoor and gain essentially all the access of an administrator. We took a really deep dive into scripting attacks with the Security Weekly video podcast, which you can view behind the link. I’ll give you a quick overview of the conversation here, but there’s a lot more detail in the video.


While there are many scripting languages out there, Python is a favorite of cybercriminals for many reasons. For one, it’s pervasive. On most *NIX systems, it’s installed by default. It’s also simple to use. In the video above, we show how to create a fully functional backdoor with a mere 76 lines of code. It includes persistence, so even if you kill the process, it will start itself back up, and it obfuscates communications both internally and with external servers. In fact, you don’t have to write any code to launch an attack. Python backdoor scripts are everywhere. We did a simple GitHub search and came up with 230. 

Easy to Unwittingly Install, Hard to Detect

Scripting attacks are also hard to detect. Because Python is so heavily used by admins, the traffic these attacks create looks exactly like that produced by ordinary, day-to-day tools. There is no clear signature, so it typically bypasses endpoint detection and response (EDR) systems.

What’s more, getting those scripts into a network isn’t very hard. A simple ruse is to inject a malicious script into a commonly used library and then adjust the file name to a common typo for the real one, which is why it’s so critical to use TLS-based connections, package signing, SHA-256 verification and other means to ensure that you’re connecting to and downloading the genuine file. But even if you don’t use that particular compromised library, the malicious script could show up in perfectly legitimate libraries that somewhere down the chain incurred a dependency on a compromised library. It doesn’t take much, given how massive the list of dependencies can be in many libraries. 
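Two of the checks the paragraph above calls for, as an added illustration that is not Edgewise code: pinned SHA-256 verification of a downloaded artifact before it is installed, and a typo-distance check that catches a package name sitting suspiciously close to a well-known one. The package list and the sample file are constructed for the example.

```python
import hashlib
import hmac

# Constructed allow-list of package names you actually depend on; in practice
# this would come from your pinned requirements file.
KNOWN_PACKAGES = {"requests", "urllib3", "cryptography", "numpy"}

def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large wheels never need to sit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path: str, expected_sha256: str) -> bool:
    """Refuse the artifact unless it matches the digest you pinned in advance."""
    actual = sha256_of_file(path)
    # Constant-time comparison; avoids timing differences on partial matches.
    return hmac.compare_digest(actual, expected_sha256.lower())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_typosquat(name: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return the known package a name is suspiciously close to, or None.

    An exact match is a package you already trust; a near miss (one or two
    edits away) is the classic typosquat pattern and should be blocked.
    """
    name = name.lower()
    if name in known:
        return None
    for candidate in known:
        if edit_distance(name, candidate) <= max_distance:
            return candidate
    return None
```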

But attackers can get even more sneaky. For example, let’s say I’m targeting you and know your username at StackOverflow. All I need to do is wait for you to ask a question and quickly respond with a Python code snippet that looks completely benign, ready to cut-and-paste into your work. After all, plenty of startups have trained us to copy and paste code to download and install their software. We all know it’s a risky practice, but in the interest of time and convenience, many of us do so anyway. 

Once the script is running inside your system, it can set up persistence by, say, establishing a crontab that restarts the script, even if it’s killed. As a result, you’ll need to kill the process and the crontab in the right sequence at exactly the right time to get rid of it for good. It won’t have much difficulty establishing command and control either, as there are a myriad ways to obfuscate traffic, both internal and outbound, so that communications look completely normal. From here, it can set up to do just about anything an admin can do, including retrieving malware and depositing it throughout your environment. 

Fighting Back Against Python Backdoors

Traditional defenses aren’t very effective in fighting scripting attacks. As already discussed, EDR has difficulty detecting them, and firewalls won’t be much use in stopping the attack from moving throughout the environment. That’s because firewalls depend on network addresses to determine whether traffic is “safe.” Unfortunately, though, they can’t verify exactly what is communicating on either end, so it’s not hard for malicious software and scripts to piggyback on “safe” network addresses.

The best way to protect yourself against scripting attacks is to adopt a true Zero Trust approach. I say “true” Zero Trust, because any approach that uses network addresses to create policies cannot be effective. It’s critical to verify what is communicating, whether it’s a device, software or a script, and at Edgewise, that’s exactly what we do. 

Our Zero Trust Platform uses an identity-based approach, which means the platform creates a unique identity for each workload. These “fingerprints” are made up of dozens of immutable properties, such as the SHA-256 hash of a binary, the UUID of the BIOS or a cryptographic hash of a script. In this way, we can decouple segments and policies from the network, which enables us to provide 100% protection for any segment with no more than seven policies. 

These policies state explicitly which devices, software and scripts are allowed to communicate with one another, and all other traffic is blocked by default. In this way, we can prevent scripts from establishing backdoors, accessing sensitive assets and deploying malware throughout the environment. 
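The idea in the two paragraphs above, reduced to its core as an added illustration (this is not the Edgewise platform's code, and the workloads, hashes and ports are constructed): a workload's identity is a hash of what is actually running, the policy allows one identity to talk to another on one port, and everything else is denied. Because the network address is deliberately not part of the identity, a script that has been modified on the same host, with the same name, no longer matches any policy.

```python
import hashlib
from dataclasses import dataclass

def fingerprint(content: bytes) -> str:
    """Content-derived identity; one property of the fingerprint, for illustration."""
    return hashlib.sha256(content).hexdigest()

@dataclass(frozen=True)
class Workload:
    name: str
    host: str        # network address, deliberately NOT part of the identity
    content: bytes   # the script or binary bytes that are actually running

    @property
    def identity(self) -> str:
        return fingerprint(self.content)

@dataclass(frozen=True)
class Policy:
    src: str   # source workload identity
    dst: str   # destination workload identity
    port: int

def is_allowed(policies, src: Workload, dst: Workload, port: int) -> bool:
    """Default deny: traffic passes only if an explicit identity policy matches."""
    return any(p.src == src.identity and p.dst == dst.identity and p.port == port
               for p in policies)

# Constructed workloads: an approved backup script, a tampered copy of it on the
# same host with the same file name, and the database it is allowed to reach.
APPROVED_BACKUP = b"#!/usr/bin/env python3\n# approved backup job (constructed)\n"
TAMPERED_BACKUP = APPROVED_BACKUP + b"import socket  # constructed modification\n"
DB_BINARY = b"database server binary bytes (constructed)"

backup = Workload("backup.py", "10.0.0.5", APPROVED_BACKUP)
tampered = Workload("backup.py", "10.0.0.5", TAMPERED_BACKUP)
db = Workload("db", "10.0.0.9", DB_BINARY)

# The only policy in this segment: the approved backup may reach the DB on 5432.
POLICIES = [Policy(backup.identity, db.identity, 5432)]

def demo() -> dict:
    """Show how an address-based firewall and an identity policy differ."""
    return {
        "approved_script": is_allowed(POLICIES, backup, db, 5432),
        "tampered_same_host": is_allowed(POLICIES, tampered, db, 5432),
        "approved_wrong_port": is_allowed(POLICIES, backup, db, 22),
    }
```

An address-based rule would let both scripts through, since they share 10.0.0.5; the identity policy admits only the bytes that were approved.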

Identity-based Zero Trust is the simplest way to protect your business against scripting attacks, and Edgewise can microsegment and create policies for your environment in just one click. It really is impossibly simple!

Want to go even deeper? Watch our webinar on preventing Python backdoor attacks or the video podcast with Security Weekly on the same topic. 

Written by Dan Perkins, Director of Products & Solutions

Dan Perkins is Director of Products and Solutions for Edgewise Networks, where he oversees the direction and development of Edgewise’s zero trust platform. Prior to Edgewise, Dan was Director of Product Management at Infinio, where he was responsible for product vision and the ongoing quality and applicability of Infinio’s solution. He also previously served in several software engineering and quality assurance roles for Citrix. Dan holds a B.S. in computer engineering from Northeastern University.