
Mega-bites of code: Python snakes into 1st place for cyber-attacks

Hackers share general public's love of popular programming language


Python, either the world's most popular programming language or a close runner up, turns out to be the most widely used language for hacking tools.

Security biz Imperva came to this conclusion after looking at GitHub and finding that more than 20 per cent of GitHub repositories for attack tools and proof-of-concept exploits are written in Python.

"In virtually every security-related topic in GitHub, the majority of the repositories are written in Python, including tools such as w3af, Sqlmap, and even the infamous AutoSploit tool," the company explained on Wednesday in a blog post, adding that hackers enjoy Python's advantages – easy to learn, easy to read, comprehensive libraries – just like everyone else.

Python shows up not just in GitHub repos but in incidents as well. Imperva claims that in its security incident data, the largest identifiable group of web clients (roughly 25 per cent) is based on Python.

Majority

Looking at Python usage in attacks against sites under Imperva's protection, the company found that up to 77 per cent of those sites were hit by a Python-based tool, and that for at least a third of them the majority of daily attacks could be attributed to Python-written code.

The security biz points to Urllib and Requests as the two most popular Python libraries used by attackers, with asyncio, a relative newcomer, just starting to show signs of adoption. Among the most common attacks involving Python tools, the two most popular in the past two months targeted a PHP-based remote execution flaw in the PHPUnit framework (CVE-2017-9841) and a remote code execution flaw in Joomla (CVE-2015-8562).
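A defender-side illustration of how web clients get attributed to Python at all (an added example, not Imperva's tooling or data): the script classifies combined-format web-server log lines by the default User-Agent strings that Requests, urllib and aiohttp (the usual asyncio HTTP client) send, and works out the share of each day's requests that such clients account for. The log lines are constructed; the UA prefixes are the libraries' stock defaults, which any caller can override, so this is a triage signal rather than proof of tooling.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format: ip ident user [day:time zone] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Stock User-Agent prefixes sent by Requests, urllib and aiohttp when the
# caller sets none. A client can override them, so absence proves nothing.
PYTHON_UA = re.compile(r'^(python-requests/|Python-urllib/|Python/\S+ aiohttp/)', re.I)

# Constructed sample log (documentation IP ranges, generic paths), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2018:03:14:07 +0000] "GET /admin/login HTTP/1.1" 404 209 "-" "python-requests/2.18.4"
198.51.100.7 - - [10/Apr/2018:03:14:09 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/59.0"
203.0.113.5 - - [10/Apr/2018:03:14:11 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Python-urllib/3.6"
192.0.2.9 - - [11/Apr/2018:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Python/3.7 aiohttp/3.5.4"
192.0.2.10 - - [11/Apr/2018:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0"
this line is malformed on purpose and must be skipped
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_python_client(user_agent):
    """True when the User-Agent matches a default Python HTTP-library string."""
    return bool(PYTHON_UA.match(user_agent))


def python_share_by_day(log_text):
    """Map each day to (requests from Python clients, total parseable requests)."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than guessing at them
        counts[rec["day"]][1] += 1
        if is_python_client(rec["ua"]):
            counts[rec["day"]][0] += 1
    return {day: tuple(v) for day, v in counts.items()}


def days_dominated_by_python(log_text):
    """Days on which Python-based clients sent a strict majority of requests."""
    shares = python_share_by_day(log_text)
    return sorted(day for day, (py, total) in shares.items() if py * 2 > total)
```

Run against a real access log, the per-day tuples give the same kind of "majority of daily traffic from Python tools" figure the article quotes, and the source IPs behind the flagged lines are the natural next pivot for rate limiting or blocking.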

Imperva's observations don't offer much insight into whether mitigating Python-based attacks is any different from dealing with other kinds of exploits. But the company does note, "Python requires minimal coding skills, making it easy to write a script and exploit a vulnerability." Presumably, defending against amateurs offers better odds than the alternative.

IBM Fellow Grady Booch told The Register that Imperva's observations seem reasonable. "I’ve not dug into Imperva’s data or methodology, but it seems correct on many levels: Python is popular for it is used most often at the edge of systems where software is far more disposable (and where there is less risk and therefore less discipline, compared to – for example – the infrastructure of a system)," he said.

Thomas Reed, director of Mac and mobile for security biz Malwarebytes, said he tends to agree with Imperva's findings. "We’ve seen some malware for the Mac coded in nothing but Python!" he told us, pointing to EvilOSX, Bella, and Pupy. "Python is pretty popular with the white hats too... it’s my scripting language of choice these days, and is popular with many other Mac security pros and admins. There’s even a way to include Objective-C methods in Python scripts, via pyobjc, for additional power." ®
