This Week in Security: Linux Flaws, Python Ownage, and a Botnet Shutdown



The ides of March have arrived for security: Qualys reports that its threat research unit has discovered vulnerabilities in AppArmor, the Linux security system used by SUSE, Debian, Ubuntu, and Kubernetes as an additional security mechanism and application firewall.

AppArmor was added to Linux in 2010, and the vulnerabilities Qualys discovered have been present since 2017. They allow unprivileged (non-root) local users to elevate privileges by executing arbitrary code in the kernel and gaining root access, or to perform a denial-of-service attack across the entire system by replacing all AppArmor behavior with “deny all” rules.

All Linux kernels since 4.11 are vulnerable. If your Linux distribution enables AppArmor, and quite a few do, you’ll want to update as soon as fixes are available from your distribution maintainers. On systems with untrusted users, such as shared environments, VPS hosts, and the like, this is even more critical and urgent. Even on single-user systems, vulnerabilities like these give other exploits, like the Python attack below, a mechanism to elevate their access and persistence.

At the time of writing, the full details of the AppArmor vulnerabilities are being withheld until the Linux kernel team releases a stable version with the fixes for distribution maintainers. Qualys has published a technical write-up with the currently public information.

Python Projects Compromised


StepSecurity reports on a new campaign that infects Python projects on GitHub with complex malware which, once deployed, appears to be yet another crypto and login stealer.

The attacker first gains access to GitHub credentials via another info-stealing worm: the Glassworm stealer, which infected VSCode extensions and saw over 35,000 downloads of infected extensions in October of 2025. Glassworm harvests NPM, GitHub, and OpenVSX credentials and sends them to a remote command and control (C2) server. It also harvests a wide range of cryptocurrency wallet extensions to steal crypto directly.

Once it has harvested all the credentials it can find, Glassworm installs a SOCKS proxy (a standard protocol for re-routing connections), multiple remote desktop control tools, and redundant control networks. The “ForceMemo” worm (as StepSecurity dubs it) then targets Python repositories, infecting every repository the credentials can reach, using credentials from VS Code, git credential storage, GITHUB_TOKEN, and any other discovered credentials.

The actual mechanism of compromise is the most interesting aspect of what is otherwise aggressive malware, but in many ways just another crypto stealer. ForceMemo gets its name from a series of Git tricks used to hide its activity: instead of simply generating a git push or GitHub pull request, the malware rebases the last commit in the repository, injects the malware into the Python scripts, and performs a force push to silently replace the last commit record.
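A history rewrite like the one described above is visible on the receiving side: the old branch tip is no longer an ancestor of the new one. The following pre-receive hook is an added example written for this article (not StepSecurity's code, and not part of any project mentioned); it assumes a self-hosted Git server, the branch names in `PROTECTED_REFS`, and placeholder SHAs for its constructed sample input. The ancestry check is injectable so the decision logic can be exercised without a repository.

```python
"""Server-side pre-receive hook that flags non-fast-forward updates.

Git feeds a pre-receive hook one line per updated ref on stdin:
    <old-sha> <new-sha> <ref-name>
A rewritten (force-pushed) branch is one whose old tip is no longer an
ancestor of the new tip. Exiting non-zero rejects the whole push.
"""
import subprocess
import sys
from typing import Callable, Dict, Iterable, List

NULL_SHA = "0" * 40  # git's "no object" marker for created/deleted refs

# Assumed for this example: branch names a project wants protected from rewrites
PROTECTED_REFS = ("refs/heads/main", "refs/heads/master")


def git_is_ancestor(old: str, new: str) -> bool:
    """True when `old` is reachable from `new`, i.e. the update is a fast-forward."""
    proc = subprocess.run(
        ["git", "merge-base", "--is-ancestor", old, new],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return proc.returncode == 0


def classify_updates(
    lines: Iterable[str],
    is_ancestor: Callable[[str, str], bool] = git_is_ancestor,
) -> List[Dict[str, object]]:
    """Classify each ref update and decide whether it should be blocked.

    `is_ancestor` is injectable so the logic can run without a real repo.
    """
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines rather than crash the hook
        old, new, ref = parts
        if old == NULL_SHA:
            kind = "create"
        elif new == NULL_SHA:
            kind = "delete"
        elif is_ancestor(old, new):
            kind = "fast-forward"
        else:
            kind = "force-push"  # history rewrite: old tip dropped from the branch
        results.append({
            "ref": ref,
            "kind": kind,
            "block": ref in PROTECTED_REFS and kind in ("force-push", "delete"),
        })
    return results


# Constructed sample input (placeholder SHAs, not from any real repository).
OLD_TIP = "a" * 40
NEW_TIP_FF = "b" * 40
NEW_TIP_REWRITE = "c" * 40
SAMPLE_PUSH = [
    f"{OLD_TIP} {NEW_TIP_FF} refs/heads/feature/x",
    f"{OLD_TIP} {NEW_TIP_REWRITE} refs/heads/main",
    f"{NULL_SHA} {NEW_TIP_FF} refs/heads/new-branch",
]


def fake_ancestry(old: str, new: str) -> bool:
    """Stand-in for git history in the sample: only OLD_TIP -> NEW_TIP_FF is linear."""
    return (old, new) == (OLD_TIP, NEW_TIP_FF)


def main() -> int:
    results = classify_updates(sys.stdin)
    blocked = [r for r in results if r["block"]]
    for r in blocked:
        print(f"rejected: {r['kind']} to protected ref {r['ref']}", file=sys.stderr)
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main())
```

On hosted services the equivalent control is branch protection with force pushes disallowed; on the developer side, a remote-tracking branch's reflog still holds the tip that was replaced, which is what makes a rewritten commit reviewable after the fact.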

Once a Python project is infected, the payload runs as soon as a consumer runs setup.py to build and install the package. The payloads are heavily obfuscated and encrypted, but StepSecurity believes that once triggered, ForceMemo harvests SSH keys, GitHub tokens, and crypto wallet tokens, connects to multiple C2 servers, and installs remote access and proxy tools for future activity.
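Because a source install executes setup.py, a pre-install triage pass over that file is a cheap defensive check. The scanner below is an added example written for this article (not StepSecurity's tooling and not from any package mentioned); its list of suspicious calls and its 200-character string threshold are heuristics chosen for the example, and both setup.py samples are constructed.

```python
"""Static triage of a setup.py before building or installing a package.

Installing from source executes setup.py, so a hijacked repository can run
code the moment `pip install .` or `python setup.py install` is invoked.
This heuristic scan flags constructs that rarely belong in a build script.
"""
import ast
from typing import List

# Heuristic list (an assumption for this example): calls a build script
# rarely needs but that obfuscated loaders routinely use.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "base64.b64decode", "zlib.decompress", "marshal.loads",
    "os.system", "subprocess.run", "subprocess.Popen", "subprocess.check_output",
    "urllib.request.urlopen", "socket.socket",
}
LONG_STRING = 200  # string literals this long are often encoded payloads


def _call_name(node: ast.Call) -> str:
    """Render the called expression as a dotted name, e.g. 'base64.b64decode'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""  # calls on subscripts, lambdas, etc. carry no simple name


def scan_setup_py(source: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}")
            elif name == "setup":
                # cmdclass lets a package hook the build/install commands with
                # its own classes: legitimate, but worth a look in a new package.
                for kw in node.keywords:
                    if kw.arg == "cmdclass":
                        findings.append(f"line {node.lineno}: setup() overrides cmdclass")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if len(node.value) >= LONG_STRING:
                findings.append(
                    f"line {node.lineno}: {len(node.value)}-char string literal "
                    "(possible encoded payload)"
                )
    return findings


# Constructed samples; neither is taken from any real package.
BENIGN_SETUP = """\
from setuptools import setup, find_packages

setup(
    name="example-pkg",
    version="1.0.0",
    packages=find_packages(),
)
"""

# Stand-in for an obfuscated loader: decode a blob and exec it at install time.
SUSPICIOUS_SETUP = (
    "import base64\n"
    "from setuptools import setup\n"
    'exec(base64.b64decode("' + "QUJD" * 60 + '"))\n'
    'setup(name="example-pkg", version="1.0.0")\n'
)

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, scan_setup_py(src) or ["no findings"])
```

A hit is a reason to read the file, not proof of compromise; the point is that the review happens before the install step runs anything.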

Because the malware infects Python projects indiscriminately, it exposes developer workstations holding internal credentials and CI/CD environments holding production credentials equally.

Ubuntu Snapd flaws


Apparently on a roll, Qualys also discovered that the Ubuntu Snapd system — the service responsible for managing packages and services in the Snap format — allows privilege escalation. The Ubuntu report is low on details, stating only that improper handling of “certain operations” in a snap package’s tmp directory could cause systemd-tmpfiles to recreate the files, allowing commands to be replayed and “escalated privileges” to be gained.

Fixes are available for all recent Ubuntu releases, although Ubuntu 20.04 and older require the paid “Ubuntu Pro” subscription to get them. As always, the advice is to patch as soon as possible: once a vulnerability is known it becomes a vector for malware and other attacks, such as a credential stealer gaining root access to reinstall itself.

UniFi Network Application


UniFi is a popular networking choice for home lab and networking geeks, and probably has a higher-than-average usage rate among readers here. The company reports a high-risk vulnerability in the UniFi Network Application component of the management service and a second high-risk vulnerability in the NoSQL implementation.

UniFi lists the vulnerability as a path traversal bug allowing access to files on the server. Path traversal bugs are validation bugs that involve forming URLs which reference files outside the directories the web server would normally be allowed to serve from. In a properly paranoid server, paths are resolved to the final file, then checked to make sure that serving that file is allowed; in a naive implementation the paths are simply concatenated, allowing a requested file path, for instance “../../../../../../../../../etc/passwd”, to escape the web server directory and serve a file directly from the filesystem. Because it’s always possible to go back a directory, even from the root of the filesystem, an attacker will often simply add a dozen or more “../” references on the assumption that the path will reach the root of the filesystem eventually.
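The two patterns described above side by side, as an added example written for this article and not UniFi's code: `naive_resolve` glues the request onto the document root, while `safe_resolve` canonicalises the final path first and only then checks containment. It assumes a POSIX filesystem and a placeholder document root of `/srv/www/static`, which need not exist for the logic to run.

```python
"""Naive concatenation beside the resolve-then-check pattern.

Assumes a POSIX filesystem; WEB_ROOT is a placeholder for the example.
"""
import os
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/www/static"  # assumed document root for the example


def naive_resolve(web_root: str, requested: str) -> str:
    """The vulnerable pattern: glue the request onto the root and hope."""
    return web_root + "/" + requested


def safe_resolve(web_root: str, requested: str) -> Optional[str]:
    """Resolve the final path first, then check it is still under the root.

    Returns the absolute path to serve, or None if the request must be refused.
    """
    # Decode percent-encoding exactly once; decoding a second time would turn
    # a literal "%252e" into ".", which is its own traversal bug.
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None  # NUL bytes truncate paths in C-level file APIs
    root = os.path.realpath(web_root)
    # Strip a leading "/" so join() cannot treat the request as absolute.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath() has collapsed every ".." and followed symlinks, so a prefix
    # test on the canonical form is now meaningful. The root itself is
    # returned as-is; whether to list a directory is the caller's decision.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    attack = "../../../../../../../../../etc/passwd"  # the pattern from the text
    print("naive:", os.path.normpath(naive_resolve(WEB_ROOT, attack)))
    print("safe :", safe_resolve(WEB_ROOT, attack))
    print("safe :", safe_resolve(WEB_ROOT, "css/site.css"))
```

The order matters: a prefix check applied before canonicalisation passes the naive string, because it really does start with the document root; only after `..` segments and symlinks have been collapsed does the comparison say anything about the file that would actually be opened.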

On the NoSQL side there are even fewer details, but UniFi lists it as a SQL injection vulnerability which can lead to elevated privileges. Fortunately, the vulnerability seems to require access to a network which can reach the UniFi controller, so this won’t open every install to a drive-by attack from the parking lot or the Internet at large.

If you run a UniFi system, still be sure to get the latest updates; it’s never a good idea to leave vulnerabilities in place, even on an internal network. Increasingly, complex attacks take advantage of multiple vulnerabilities to reach internal services once a single external vulnerability is found, and this is happening on home networks as well as corporate ones!

Gov Collab Shuts Down Botnets


Finally, Brian Krebs reports on a multi-national effort by Germany, Canada, and the United States to shut down the Kimwolf, Aisuru, Jackskid, and Mossad botnets, credited with being the source of world-record-breaking denial-of-service attacks.

The majority of devices forming the Kimwolf botnet appear to be Android TV devices with poor security, sold by major US retailers. Residential proxy networks, malware disguised as cheap or free VPNs, and other malware infections that install proxy servers gave attackers access to the internal home networks of infected users, exposing the vulnerable set-top boxes.

The shutdown of the botnets appears to be coordinated with the arrest of operators of the botnet services in multiple countries and the seizure or shutdown of the C2 servers operating the network. When patching hundreds of thousands of infected devices is impractical, taking control of the infrastructure to prevent further abuse is usually the next best step.


hackaday.com/2026/03/20/this-w…