[German]Cybercriminals are attacking systems with ransomware via the popular open source software Jupyter Notebook. Team Nautilus, Aqua Security's research unit specializing in the cloud-native technology stack, discovered this new attack method. Aqua Security is the largest provider of pure cloud native security. The team was able to uncover for the first time a Python-based ransomware attack targeting Jupyter Notebook, an open-source software popular with data scientists.
Jupyter Notebook is a web-based interactive environment used to create Jupyter Notebook documents. A Jupyter Notebook document is a JSON document with a versioned schema consisting of a list of input and output cells, each of which can contain code, text, and plots. The file name extension is ".ipynb". A Jupyter notebook can be converted to various formats (HTML, PDF, LaTeX, and slides for presentations) from within the browser interface.
The attack
In a statement to borncity, the Nautilus team writes that attackers first gain access to the server through misconfigured environments. Then they execute a ransomware script that encrypts every file in a certain path on the server. To disguise the attack, the script deletes itself after execution. Since Jupyter Notebook is used to analyze data and create data models, this attack can cause significant damage to organizations if these environments are not properly secured.
Source: Aqua Security
The researchers set up a honeypot with a Jupyter application connected to the Internet to simulate a real corporate environment. It thus contained access to real instances of Jupyter notebooks and raw data that the attacker could encrypt. Aqua Security's Tracee, an open-source runtime security and forensics tool for Linux, was used to detect the attack.
How to protect yourself?
There are some recommendations for Jupyter Notebook users to protect themselves against this method:
- Use tokens or another authentication method to control access to your data development application.
- Ensure that you use SSL to protect data in transit.
- Limit inbound traffic to the application by either blocking Internet access completely or, if the environment requires Internet access, use network rules or VPN to control inbound traffic. It is also recommended that you restrict outbound access.
- Run your applications with a non-privileged user or a user with limited privileges.
- Be sure you know all the users on the Jupyter notebook.
You can query the users in an SQLite3 database, which should be found at the following path:
'./root/.local/share/jupyter/nbsignatures.db'
If SSH access to the server is enabled, you can also check the files containing the authorized SSH keys to make sure you know all the keys and that there are no unknown users or keys.
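As an added example (not code from Aqua Security's blog or the Jupyter project), the following Python function checks a loaded `jupyter_notebook_config.json` against the first four recommendations above: authentication, TLS, inbound exposure and privilege. The two sample configurations are constructed, and the `NotebookApp` key names are the classic notebook server's (newer releases carry the same settings under `ServerApp`).

```python
import json

# Constructed sample in the shape of jupyter_notebook_config.json:
# the weak settings the recommendations warn against.
WEAK_CONFIG = json.loads("""{
  "NotebookApp": {
    "ip": "0.0.0.0",
    "token": "",
    "password": "",
    "allow_root": true,
    "open_browser": false
  }
}""")

# Constructed hardened counterpart (paths and token are placeholders).
HARDENED_CONFIG = {
    "NotebookApp": {
        "ip": "127.0.0.1",
        "token": "<generated-token-placeholder>",
        "certfile": "/etc/jupyter/cert.pem",
        "keyfile": "/etc/jupyter/key.pem",
        "allow_root": False,
    }
}


def audit_jupyter_config(config: dict, section: str = "NotebookApp") -> list[str]:
    """Return one finding per recommendation the configuration violates."""
    app = config.get(section, {})
    findings = []

    # Authentication: an explicitly empty token with no password hash means
    # anyone who can reach the port gets the UI and the kernel behind it.
    if app.get("token") == "" and not app.get("password"):
        findings.append("no authentication: token and password are both empty")

    # TLS: without certfile and keyfile the server speaks plain HTTP.
    if not (app.get("certfile") and app.get("keyfile")):
        findings.append("no TLS: certfile/keyfile not set")

    # Exposure: binding to all interfaces publishes the server beyond localhost
    # (the server default is "localhost" when ip is not set).
    if app.get("ip", "localhost") in ("0.0.0.0", "", "*", "::"):
        findings.append(f"bound to all interfaces: ip={app.get('ip')!r}")

    # Privilege: allow_root permits running the server as root.
    if app.get("allow_root"):
        findings.append("allow_root is enabled: run as a non-privileged user")

    return findings
```

Running the audit against a live installation means loading the JSON file from the Jupyter config directory (`jupyter --config-dir`) and passing the parsed dict in.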
Aqua Security has published a detailed blog detailing the Team Nautilus honeypot and the kill chain of the observed attacks: Threat Alert: First Python Ransomware Attack Targeting Jupyter Notebooks