[CramHacks] Newsletter #1
CramHacks Chronicles: Key Insights On Information Security & Software Supply Chain Risks
🥳 Happy Monday! 🥳
Life Update
HI Kauai! See what I did there? (HI == Hawaii) - that was a good one.
It's time for a vacation 🏄 ☀️ but that doesn't mean the world stops turning. I'm definitely excited to explore, surf, and relax; albeit it typically takes about a week for my technology withdrawals to subside. But, with the help of this newsletter, I've never been more motivated and I know this short break will produce some nice ROI in terms of productivity.
Information Security
Microsoft: Storm-0558 Key Acquisition
Microsoft Security Response Center (MSRC) released its investigation findings following the July 11, 2023 announcement detailing an attack by the China-based threat actor Storm-0558. The attack consisted of using an acquired Microsoft account (MSA) consumer signing key to forge tokens and access OWA and Outlook.com.
"Storm-0558 actor was able to successfully compromise a Microsoft engineer's corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key."
Following this incident, CISA and Microsoft worked together to identify critical logging data to be included in Microsoft Purview Audit (Standard). As you might have experienced, it can be infuriating to try and assess whether your environment has been impacted by an incident caused by Microsoft, only to find out you don't pay enough money to do so.
Google: North Korean campaign targeting security researchers
Google's Clément Lecigne and Maddie Stone share how government-backed actors in North Korea are targeting security researchers: building rapport via social media, then delivering a malicious file containing 0-day(s) targeting popular software.
Additionally, the malicious actors created a Windows trojan stated to "download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers" that actually enabled downloading and executing arbitrary code from an attacker-controlled domain.
Apple: NSO Group The BLASTPASS Exploit Chain (Pegasus)
"'ALERT: State-sponsored attackers may be targeting your iPhone,' it read. More spam, I thought." - The Daily Mail's Glen Owen
Citizen Lab announced the discovery of a zero-click, zero-day exploit used to deliver NSO Group's Pegasus mercenary spyware, labeled the BLASTPASS Exploit Chain. Apple's latest security update offers some insight as to where these vulnerabilities (CVE-2023-41064 and CVE-2023-41061) reside.
MGM: Operations in shambles due to Cyber Attack
TechCrunch's Carly Page discusses the (at the time of writing this) ongoing cyber attack that has halted much of MGM's operations. All of MGM's Grand Hotels & Casinos properties have been impacted by outages.
"According to reports on social media, the incident has led to outages impacting ATM cash dispensers and slot machines at MGM's Las Vegas casinos, and forced hotel restaurants to accept cash-only payments. Guests also report that they cannot charge anything to their rooms and are unable to use their digital room keys."
Software Supply Chain Security
CISA: Open Source Software Security Roadmap
"The roadmap lays out four key priorities to help secure the open source software ecosystem: (1) establishing CISA's role in supporting the security of open source software, (2) driving visibility into open source software usage and risks, (3) reducing risks to the federal government, and (4) hardening the open source ecosystem."
Overall, it's about what I expected, and I'd be shocked if CISA isn't taking this straight from healthcare's playbook. The roadmap reminds me of preventive vs reactive healthcare, which we now know works! In the long term, promoting good hygiene at home, such as washing your hands and getting your annual checkup, has serious benefits - who would've known. If we all washed our source code before we leave the bathroom, OSS will see similar benefits.
Semgrep: Managing Transitive Supply Chain Risks
Whoop, my own article made the Newsletter 🥳. This article discusses transitive dependencies, prioritizing risks based on reachability & exploitability, and why today's issues aren't going anywhere anytime soon.
Palo Alto: Unpinnable Actions - GitHub Actions Workflows
Palo Alto's Yaron Avital will make you rethink whether you should be trusting your GitHub Actions. Yaron goes over methods malicious actors may use to embed malware in Docker container, composite, and JavaScript actions, regardless of whether or not the calling workflow pins the action to a commit SHA: the pinned action can itself pull in mutable references (a floating Docker image tag, a nested action referenced by tag or branch) at run time.
"Of approximately 6,000 workflows used in 2,000 projects, we discovered that 67% of the projects pinned unpinnable actions."
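A small audit helper for the "pinned but unpinnable" case described above, added here as an example and not code from the Palo Alto article. It checks whether a workflow's `uses:` reference is a full commit SHA and then scans the referenced action.yml for run-time references (nested `uses:` steps of a composite action, `docker://` images of a Docker action) that are not themselves pinned by SHA or digest. The action names, SHAs and action.yml samples are constructed; the regexes are a deliberately simple line scan rather than a full YAML parse.

```python
import re

# A 40-hex commit SHA is the only Git ref GitHub resolves immutably; tags and branches can move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)


def is_pinned_ref(ref):
    """True if an action or image reference points at immutable content."""
    if ref.startswith("docker://"):
        return "@sha256:" in ref            # image pinned by digest, not by tag
    if ref.startswith("./"):
        return True                         # local action ships inside the pinned repo
    if "@" not in ref:
        return False                        # bare owner/repo resolves to the default branch
    return bool(SHA_RE.match(ref.rsplit("@", 1)[1]))


def inner_refs(action_yml):
    """References an action fetches at run time that the caller's SHA pin does not cover:
    nested 'uses:' steps (composite) and 'docker://' images (Docker action).
    A plain 'image: Dockerfile' is built from the pinned repo, so it is left out."""
    refs = USES_RE.findall(action_yml)
    refs += [img for img in IMAGE_RE.findall(action_yml) if img.startswith("docker://")]
    return refs


def audit(workflow_ref, action_yml):
    """Classify one workflow 'uses:' entry together with the action.yml it resolves to.
    'unpinned'   - the workflow itself does not pin to a SHA
    'unpinnable' - the workflow pins, but the action pulls mutable refs when it runs
    'pinned'     - every reference on the path is immutable
    Returns (status, list_of_mutable_inner_refs)."""
    if not is_pinned_ref(workflow_ref):
        return "unpinned", []
    mutable = [r for r in inner_refs(action_yml) if not is_pinned_ref(r)]
    return ("unpinnable" if mutable else "pinned"), mutable


# Constructed samples: hypothetical action names and SHAs, not real projects.
SHA_PIN = "example-org/lint-action@" + "a" * 40
COMPOSITE_YML = """name: lint
runs:
  using: composite
  steps:
    - uses: example-org/setup-tool@v2      # floating tag: moves under the caller's pin
    - uses: example-org/cache@""" + "b" * 40 + "\n"
DOCKER_YML = """name: scan
runs:
  using: docker
  image: docker://example/scanner:latest   # floating tag, no digest
"""
```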
Checkmarx: Malicious PyPI packages laced with WhiteSnake Malware
Checkmarx's Yehuda Gelb dissects threat actor PYTA31's distribution of malicious packages in the PyPI repository from April through mid-August.
The WhiteSnake malware, otherwise known as "WhiteSnake Stealer", exfiltrates sensitive data from target machines through Command and Control (C2) servers. The exfiltration consists of uploading bulk data via a file-sharing service, then sending a shared link to the data over a Telegram channel to avoid detection.
Checkmarx: New Exploit - Renaming Operations Enables Repojacking
Checkmarx's Elad Rapoport & Yehuda Gelb determine 4,000+ GitHub repositories are vulnerable to repojacking attacks due to a race condition within GitHub's repository creation and username renaming operations. Checkmarx responsibly disclosed the issue to GitHub, who has subsequently fixed the issue.
"The steps to reproduce this exploit are as follows:
Victim owns the namespace 'victim_user/repo'
Victim renames 'victim_user' to 'renamed_user.'
The 'victim_user/repo' repository is now retired.
An attacker who owned the username 'attacker_user' prepares a command which practically simultaneously creates a repo called 'repo' and renames the username 'attacker_user' to the victim's username, 'victim_user'. This is done using an API request for repository creation and a rename request interception for the username change."
NightOwl: Dark Mode to Really Dark Mode
Gizmodo's Kyle Barr discusses how an application released in mid-2018, intended to enable dark mode for macOS users, can result in some odd behaviors. NightOwl was sold earlier this year, and the new ownership opted to proxy network traffic to "solely collect users' IP addresses". Please just uninstall this thing. I wonder how many dormant apps are now malware.
Miscellaneous
The Beginner's Guide to Cybersecurity
Francis Odum shares a great overview of modern-day cybersecurity and relevant vendors. I'd absolutely recommend this to anyone and everyone, but maybe keep in mind that a tool isn't the answer to everything. One example is Enterprise Browsers - if you think your organization requires an Enterprise Browser, you probably shouldn't be finding out via a Beginner's Guide to Cybersecurity.
Mozilla: Nissan & Kia collect data about sex life
Mozilla's Jen Caltrider, Misha Rykov, and Zoë MacDonald share the highlights of their *Privacy Not Included research, which resulted in all 25 car brands evaluated receiving the coveted "Warning: *privacy not included with this product" label.
Some that stood out to me:
84% can share your personal data & 76% can sell it
Hyundai's privacy policy states that they will comply with "lawful requests, whether formal or informal."
Nissan's includes collecting data on "sexual activity" & Kia's includes collecting data on "sex life" - I have so many questions
Tesla's states the following if you opt out of the data collection program: "This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability."
ATMs: Printing money with a Raspberry Pi
Three men in Lubbock, Texas, were arrested after using a Raspberry Pi to disable security controls and force ATMs to spit out 💰💰💰.
Until Next Time!
Hey, you made it to the bottom - thanks for sticking around!
Questions, ideas, or just want to chat? Slide into my inbox!
If you think someone could benefit from this, don't hesitate to forward.
See you next Monday!
-Kyle