- CramHacks
- Posts
- CramHacks Chronicles #29: Weekly Cybersecurity Newsletter!
CramHacks Chronicles #29: Weekly Cybersecurity Newsletter!
Semgrep Assistant, GitHub Copilot, Active Exploitation Targeting the Ray AI Framework, Stay Safe from Repo-Jacking, and more!
š„³ Happy Monday! š„³
I hope youāre doing well!
This week, I learned that people sell their bandwidth. Whatās even worse is that many people are unknowingly doing so.
Why does it matter? Well, say Iām at work and learn I could make a few bucks each week selling bandwidth, so I install this application. Congratulationsāyouāve just sold a backdoor into a corporate network.
More to come on this! Users do not need to install applications on their systems to do this. For example, in 2015, the popular Chrome extension Hola was called out for selling usersā bandwidth to botnets. At the time, Hola had ~9 Million users šÆ.
Table of Contents
Application Security
Highlight:
10x your AppSec program with Semgrep Assistant
Semgrep Assistant is officially generally available (GA)! Assistant offers Auto-triage, Auto-fix, custom rule-writing (beta), and prioritization suggestions.
š What Iāve loved most about Assistant PR comments is that it knows security tools (including Semgrep) arenāt perfect. Often, the most valuable assistant comments say, āHey, I think this finding is safe to ignore.ā Static code analysis has its limitations, but Assistant makes up for some of them.
Secure by Design Alert Eliminating SQL Injection Vulnerabilities in Software
CISA and the FBI issued a joint alert to eliminate SQL injection vulnerabilities following the Cl0p ransomware gangās exploitation of CVE-2023-34362 (MOVEit Vulnerability). The alert states that many have deemed SQL injection vulnerabilities to be āunforgivableā since 2007, yet still prevalent and listed among the top 25 most dangerous software weaknesses in 2023.
Unpatchable vulnerability in Apple chip leaks secret encryption keys
Researchers have uncovered an unpatchable vulnerability in Appleās M-series chips that enables the extraction of secret keys during cryptographic operations, due to a design flaw in the chipsā microarchitecture, necessitating software-level mitigations that may impair performance.
Artificial Intelligence
Highlight:
This past week, GitHub announced many new features, primarily related to GitHub Advanced Security and Copilot.
š For those of you who live in a terminal, Copilot in CLI might be a game changer.
ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild
Oligo Securityās Avi Lumelsky, Guy Kaplan, and Gal Elbaz share details of the ongoing exploitation of a disputed vulnerability, CVE-2023-48022, in the Ray AI framework, leading to thousands of public Ray servers being compromised for at least 7 months.
Cloud Security
900 Sites, 125 million accounts, 1 vulnerability
Researchers Logykk, xyzeva/Eva, and MrBruh detail how they scanned the internet for misconfigured Firebase instances and obtained the following:
All (records): 124,605,664
Names: 84,221,169
Emails: 106,266,766
Phone Numbers: 33,559,863
Passwords: 20,185,831
Billing Info (Bank details, invoices, etc): 27,487,924
Keep Hackers Out of Your Kubernetes Cluster with These 5 Simple Tricks!
Datadog Security Researchers Christophe Tafani-Dereeper & FrƩdƩric Baguelin discuss securing Kubernetes clusters against real-world threats by proposing a prioritized security roadmap for containerized workloads, emphasizing the need for threat modeling and highlighting common attack vectors and mitigation strategies for both the control and data planes of managed Kubernetes distributions.
š My biggest takeaways based on my limited understanding of Kubernetes were, āThe best Kubernetes is no Kubernetesā and if you do need it, managed Kubernetes services are the way to go - this reduces the odds of security misconfigurations in the control plane.
This was a guest post on tl;dr sec; if youāre not already subscribed to their newsletter, I strongly suggest you do so!
Miscellaneous
Mozillaās first-ever Annual Consumer Creep-O-Meter
Iāve been impressed by Mozillaās privacy efforts ever since they disclosed how Nissan & Kia collect data about the ownerās sex life.
The big takeaways from the annual review are:
Products are getting more secure, but also a lot less private.
An increasing number of products canāt be used offline.
Privacy policies are getting ridiculous.
U.S. Accuses Two Men of Stealing Tesla Trade Secrets
A Canadian man who lives in China was arrested in New York, along with his business partner, after meeting with undercover agents on Long Island and trying to sell them technology used to produce Tesla battery parts.
š They were arrested on/in Long Island, NY - thatās where Iām from! Long Island has apparently gotten much more cool since Iāve left.
Long Island company admits it illegally sold Chinese-made equipment to U.S. military
Aventura and senior managers were charged in 2019 but just pled guilty to selling surveillance equipment to the U.S. military and labeling it as American-made.
public-pentesting-reports
A list of public penetration test reports published by several consulting firms and academic security groups.
Neuralink: Brain chip patient plays online chess with his thoughts
š This is the coolest thing Iāve seen in my life.
Software Supply Chain Security
Over 170K Users Affected by Attack Using Fake Python Infrastructure
Checkmarx Security Researcher Tal Folkman details the discovery of a malicious package being distributed via a fake Python mirror. The attacker hijacked GitHub accounts to make malicious commits that updated the requirements.txt file to download a trojan version of the āColoramaā package from āfiles[.]pypihosted[.]orgā instead of the official Python mirror āfiles.pythonhosted.org.ā
How to stay safe from repo-jacking
GitHubās Kevin Backhouse explains ārepo-jackingā and why itās not something to worry about if youāre using a package manager like npm or PyPI. However, when pulling packages directly from GitHub, this attack vector has some nuanced opportunities, e.g., if youāre using GitHub Actions, the Go programming language, or git submodules.
Until Next Time! š
Hey, you made it to the bottom ā thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! š
Donāt hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle