[CramHacks] Newsletter #2

CramHacks Chronicles: Key Insights On Information Security & Software Supply Chain Risks

Author

Kyle Kelly
September 20, 2023

šŸ„³ Happy Monday! šŸ„³ 

Life Update

Today is our final day in Kauai, HI and what a trip. Our helicopter tour was amazing (image below), albeit terrifying as I hate heights. Ultimately, Iā€™m leaving Hawaii with a better understanding of what makes me happy.

It was pretty simple - I tried my hardest to stay off technology, and whenever I craved reaching for my phone or laptop, I made a mental note of what I was so excited about that it couldnā€™t wait. Itā€™s kind of amazing how much happier we could all be if we just did the things that we want to do; super crazy idea.

Information Security

A Coordinated Vulnerability Disclosure (CVD) report from wiz.io discloses an incident involving a Microsoft employee who shared a URL including an overly-permissive Shared Access Signature (SAS) token for an internal storage account.

ā€œData exposed in this storage account included backups of two former employeesā€™ workstation profiles and internal Microsoft Teams messages of these two employees with their colleagues. No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue.ā€œ

Gabe_k discloses CVE-2023-38146 which chains together a series of issues that can lead to arbitrary code being executed when a user loads a .theme file on Windows 11. The issue was originally reported on May 15th, 2023, but only recently fixed as of September 12th, 2023. Steps to reproduce this exploit can be found at: https://github.com/gabe-k/themebleed

vx-underground shares the details of LockBitā€™s recent affiliate poll which suggests regulating ransom demands. LockBit states that newer affiliates are giving large discounts out of desperation for money which impacts other affiliates. Two options proposed were setting a minimum payment to be 3% of the victim companies annual review, with the option of a 50% discount and not accepting a payment below the victims maximum ransomware insurance policy.

SC Mediaā€™s Derek Johnson reports on the US governmentā€™s lawsuit targeting Penn State under the False Claims Act ā€œsaying the university lied or misled about its adherence to government cybersecurity protocols when contracting with the federal government.ā€ It was honestly hard not to laugh while reading this but when we rely on self attestations for compliance, we apparently get some good comedy.

For example, according to the article, the university ā€œsimply uploaded template documents to ā€˜solveā€™ the missing records problemā€. Brilliant!

Cointelegraphā€™s Martin Young captures Vitalik Buterinā€™s X account takeover which has been confirmed to be a classic sim swapping attack. ā€œOn Sept. 9, Buterinā€™s X account was taken over by scammers who posted a fake NFT giveaway prompting users to click a malicious link, which resulted in victims collectively losing over $691,000.ā€ Although Vitalik does not use SMS for MFA on X, if an account has a phone number configured, it can be used to recover or takeover an account.

If youā€™re unfamiliar with sim swapping, I strongly suggest digging into it. I say, in total confidence, that our cell phones are now the holy grail for hackers. Forget social security numbers and passwords - give me a copy of your sim card or your icloud account. This used to be something you only had to worry about if you were a celebrity, but the times are changing.

When I first started penetration testing, I couldnā€™t believe that man-in-the-middle attacks targeting NTLM to obtain password hashes for cracking or pass-the-hash techniques. Beginning in Windows 11 Insider Preview Build 25951 (Canary), an administrator can block Windows from offering NTLM via SMB. It will likely be years before the majority of enterprises are running an OS version with this control, but itā€™s good to see nonetheless.

Israel-based cybercrime intelligence company Hudson Rock shares their assessment of threat actor USDoDā€™s Airbus data leak. There are quite a few question marks in regards to the available details, but the one that stands out is ā€œThe victim likely attempted to download a pirated version of the Microsoft .NET framework, as indicated in the malware path.ā€

For those of you unfamiliar, the Microsoft .NET framework is free. Thereā€™s no reason to install a pirated version. That said, if you google specific .NET framework versions to install and especially one that is not available via Microsoft, you will quickly come across some malware. My guess is that the user did not intend to install the pirated .NET framework and that they fell victim to some sort of spam that installed the malware.

Software Supply Chain Security

A collection of tools that can help analyze open source projects. OSSGadget is currently in public preview and is not ready for production use as per Microsoft, however, the toolkit could really benefit software supply chain security. Mature organizations already have, or are beginning to include, policies and frameworks surrounding the usage of open source packages but the OSS tooling available to assess these packages is currently limited. Currently, if I had to choose any one solution, I would say OpenSSF Scorecard is the best open source solution out there.

CVE-2023-41267 is a doozy and has since been remediated, but letā€™s talk about it anyway. Ultimately, the documentation for Apache Airflow HDFS Provider, versions prior to 4.1.1, pointed users to an install incorrect pip package. Being as this pip package didnā€™t exist, an attacker could have easily created a malicious package and made it available to exploit this mistake. Fortunately this did not occur in this case and the project maintainers have since taken ownership of the incorrect package name.

When I first read this I thought, ā€œsurely this has been used as an attack vector beforeā€, but I actually couldnā€™t find any publicized incidents that were similar. That said, I absolutely see this becoming a commonly used attack vector. Malicious dependencies are scarily easy to host via package managers such as pip, but getting targeted victims to install them is often a challenge - which this would solve.

Bar Lanyado, previously a security researcher at Vulcan, discusses large language modelā€™s (LLMā€™s), i.e. ChatGPTā€™s, tendency to hallucinate packages. Iā€™ve actually experienced this numerous times and I would say this is definitely a serious risk as developers will inevitably become more reliant on tools like ChatGPT versus crowdsourced solutions such as Stack Overflow. This article was published back in June, but is somewhat relevant to CVE-2023-41267 mentioned previously.

Alex Ivanovs sheds some light on a fairly massive vulnerability (CVE-2023-4863), responsibly reported by the Apple Security Engineering and Architecture (SEAR) team in collaboration with The Citizen Lab at The University of Toronto's Munk School. The heap buffer overflow vulnerability affects any software that uses the libwebp library which includes all major browsers and has reportedly been exploited in the wild.

Until Next Time! šŸ‘‹ 

Hey, you made it to the bottom ā€“ thanks for sticking around!

Questions, ideas, or just want to chat? Slide into my inbox! šŸ’Œ

If you think someone could benefit from this, donā€™t hesitate to forward.

See you next Monday!
-Kyle