Hello, welcome to the Wednesday, August 19th, 2020 edition of the Santernut Storm Center's

Stormcast. My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida. Today, Xavier brings us an

interesting piece of Python code that's intended to steal credentials from Google Chrome.

I may ask, do I have to worry about this because a lot of Windows workstations, of course,

don't have Python installed.

Well, an attacker typically will use Pi installer, which is a program that takes the Python code,

wraps it up with the Python interpreter and all the necessary libraries, and then essentially

presents it as a Windows executable.

Not exactly compiled, but really has the same feel to it. In this case,

the ad hacker was grabbing those credentials from Google Chrome and then exfiltrating them to

Dropbox. Dropbox is sort of an interesting target here. Don't really see this a lot. And of course, one of the stealthy properties here of Dropbox

is that this code will less likely get detected

because a lot of Enterprise, of course,

are using Dropbox in their day-to-day business. However, because the attacker did use Dropbox, it was actually possible to learn a little bit more about the attacker.

As part of this malware, an access token was included in the Python code and it was only, well, pretty basically obfuscated.

And as a result, it was pretty easy to use that access token, connect back to Dropbox,

and get some account information about the attacker, like, for example, the attacker's Gmail address, handle, and

additional information like a profile picture.

And then we have an interesting vulnerability in Jenkins, the DevOps tool, of course,

like many of these complex systems, there tend to be quite a few vulnerabilities

in this type of software, so always a good reminder to make sure that Jenkins is up to date.

This particular vulnerability, while it does have a CVSS rating of 9.4, I think it's probably a little bit tricky to exploit.

...