
CramHacks Chronicles #22: Weekly Cybersecurity Newsletter!

Deepfake video conference, Vision Pro kernel vulnerability, Ivanti under active exploit

🥳 Happy Monday! 🥳

We’ve gained more than 50 new subscribers since last week's newsletter; thank you, everyone, for spreading the word!

I’m going to try this referral program again this week; please take advantage of it - I want to give back to y’all! If you’re receiving this via email, you should see a “Click to Share” button below. If you share CramHacks with one person and they subscribe, I’ll be emailing you a $5 Starbucks gift card 🤑💰️.

That’s almost an entire latte! 😉 


I was on the Application Security Podcast with Chris Romeo!

Shout out to Paul Novarese, Principal Solutions Engineer @ Anchore, for capturing the following highlights:

“* ‘Supply chain security’ is basically a meaningless term at this point because every vendor out there is trying to rub it onto their product even if it has just the most tangential applicability to what they have on the truck.

* SBOMs work best with containerized software (this really can't be overemphasized, nowadays I just assume that anyone who is an SBOM skeptic must have exclusively tried using them with legacy software projects).

* these types of security activities are way, way more effective when they're baked into your CICD pipelines.

* when evaluating your open source dependencies, there is a lot of metadata out there that you can use beyond just what vulnerabilities are matched.”

Application Security

Mercedes-Benz Source Code at Risk: GitHub Token Mishap Sparks Major Security Concerns
👋 Why did it take 11 days for RedHunt Labs / TechCrunch to notify Mercedes-Benz???

Trail of Bits: 30 new Semgrep rules: Ansible, Java, Kotlin, shell scripts, and more
For those of you using OSS Semgrep, let’s give a round of applause to Trail of Bits 👏 for continuing to create and share quality rules. The repo with all of their public Semgrep rules can be found here, and the rules can be used from the CLI via the Semgrep registry: semgrep --config "p/trailofbits"

Google: A Framework for Fuzz Target Generation and Evaluation
Google has open-sourced oss-fuzz-gen, which offers LLM-powered fuzzing via OSS-Fuzz. This framework can be used to generate fuzz targets for C/C++ projects and benchmark them via the OSS-Fuzz platform.

👋 Perfect use case for LLMs, in my opinion.

Breaches

Deepfake video conference convinces employee to send $25M to scammers
In Hong Kong, scammers tricked a company employee into transferring $25.6 million after convincing him through a deepfake video conference that featured multiple digital imitations of his colleagues.

👋 the world is ending.

Cloudflare hacked using auth tokens stolen in Okta attack
Malicious actors accessed Cloudflare’s Confluence wiki, Jira bug database, and Bitbucket source code management system in late November. The source of entry was a stolen authentication token and service account credentials, which were not rotated following the October Okta breach.

👋 Wouldn’t have happened if they kept their auth tokens written on the bottom of their mousepad instead of in Okta… Just saying.
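The failure above is not the stolen token itself but the missing step afterwards: nothing forced a rotation once the upstream identity provider was known to be compromised. The following is an added example, not code from the original newsletter or from Cloudflare, of the audit a defender would run over a credential inventory. The inventory records, the incident cut-off date and the 90-day maximum age are all constructed placeholders; the two checks are independent because they catch different lapses (a secret that predates a known breach, and a secret that simply outlived rotation policy).

```python
from datetime import datetime, timezone

# Constructed sample credential inventory (example data, not Cloudflare's).
# Each record: an identifier, what kind of secret it is, and when it was last rotated.
INVENTORY = [
    {"id": "svc-confluence", "kind": "service_account", "last_rotated": "2023-09-14T10:00:00Z"},
    {"id": "svc-jira",       "kind": "service_account", "last_rotated": "2024-01-15T09:00:00Z"},
    {"id": "tok-bitbucket",  "kind": "auth_token",      "last_rotated": "2023-08-01T12:00:00Z"},
    {"id": "tok-ci-deploy",  "kind": "auth_token",      "last_rotated": "2023-10-25T16:45:00Z"},
]

# Placeholder cut-off: the moment an upstream identity-provider compromise became
# known. Anything last rotated at or before this instant must be treated as exposed.
INCIDENT_CUTOFF = "2023-10-18T00:00:00Z"


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_rotation(inventory, incident_cutoff, now, max_age_days=90):
    """Return {credential_id: {"kind", "age_days", "flags"}} for every credential
    that either predates the incident cut-off or is older than max_age_days.

    Two independent checks, because they catch different failures:
      - unrotated_since_incident: the secret existed when the upstream breach
        happened and was never replaced afterwards (the Okta/Cloudflare pattern).
      - exceeds_max_age: routine rotation policy lapsed regardless of any incident.
    """
    cutoff = parse_ts(incident_cutoff)
    now_dt = parse_ts(now)
    findings = {}
    for cred in inventory:
        rotated = parse_ts(cred["last_rotated"])
        age_days = (now_dt - rotated).days
        flags = []
        if rotated <= cutoff:
            flags.append("unrotated_since_incident")
        if age_days > max_age_days:
            flags.append("exceeds_max_age")
        if flags:
            findings[cred["id"]] = {"kind": cred["kind"], "age_days": age_days, "flags": flags}
    return findings


if __name__ == "__main__":
    # Constructed "now" so the run is reproducible offline.
    report = audit_rotation(INVENTORY, INCIDENT_CUTOFF, "2024-02-05T00:00:00Z")
    for cred_id, info in report.items():
        print(f"{cred_id:16} {info['kind']:16} age={info['age_days']:>4}d  {', '.join(info['flags'])}")
```

Running it lists three of the four constructed credentials: two that were never rotated after the cut-off and one that was rotated post-incident but has since outlived the 90-day policy; only the recently rotated service account is silent. In practice the inventory would come from the secrets manager or IdP export, and the cut-off from the upstream vendor's disclosure.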

AnyDesk Hacked: Revokes Passwords, Certificates in Response
👋 Honestly, I hadn’t heard of AnyDesk before this, but their software has apparently been downloaded more than 800 million times and offers remote control, file transfer, and VPN functionality.

Fulton County Suffers Power Outages as Cyberattack Continues
“As Fulton County in Georgia continues to experience a cyberattack and a power outage, government systems are offline, and it's unknown when they'll become operational again.”

Cloud

Sysdig Identifies a Cloud-Native Security Crossroads: Best Practices vs. Convenience and Speed
“Identity management has become the most overlooked cloud attack risk. Only 2% of granted permissions are being used, a reduction year-over-year.”

👋 Managing permissions is a pain. You don’t know you need something until you do, and that usually then requires submitting a ticket, waiting for a response, and then getting back to work… I think it’s understandable that users are given more privileges than required for this reason and others.
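The "only 2% of granted permissions are used" figure comes from comparing what a policy allows against what access logs show was exercised. The following is an added example, not code from the original newsletter or from Sysdig, of that comparison: it expands wildcard grants against a catalogue of known actions, measures the used fraction, proposes a policy containing only the exercised actions, and separately reports actions that were attempted but denied (the "submit a ticket" case described above). The action catalogue, the granted policy and the access-log events are all constructed sample data; the output uses the IAM policy document layout ("Version", "Statement", "Effect", "Action", "Resource").

```python
import fnmatch
import json

# Constructed action catalogue: a tiny stand-in for a cloud provider's real action list.
CATALOG = {
    "s3": ["GetObject", "PutObject", "DeleteObject", "ListBucket", "GetBucketPolicy", "PutBucketPolicy"],
    "ec2": ["DescribeInstances", "RunInstances", "TerminateInstances", "StartInstances", "StopInstances"],
    "iam": ["ListRoles", "PassRole", "CreateRole", "AttachRolePolicy"],
    "logs": ["CreateLogStream", "PutLogEvents", "DescribeLogGroups"],
}

# Constructed policy granted to one role, with the wildcards that make over-provisioning easy.
GRANTED = ["s3:*", "ec2:Describe*", "iam:PassRole", "logs:*"]

# Constructed access-log events observed for that role: (action, outcome).
ACCESS_LOG = [
    ("s3:GetObject", "allowed"),
    ("s3:GetObject", "allowed"),
    ("s3:ListBucket", "allowed"),
    ("logs:PutLogEvents", "allowed"),
    ("ec2:StartInstances", "denied"),   # needed but never granted: the "submit a ticket" case
]


def expand(patterns, catalog):
    """Resolve 'service:Action' patterns (with * wildcards) to the concrete actions they cover."""
    every = {f"{svc}:{act}" for svc, acts in catalog.items() for act in acts}
    return {a for a in every if any(fnmatch.fnmatchcase(a, p) for p in patterns)}


def rightsize(granted_patterns, access_log, catalog):
    """Compare granted vs. exercised permissions and propose a least-privilege policy.

    Returns the used fraction, the list of never-used grants (candidates for removal),
    the actions that were attempted but denied (candidates for a deliberate grant),
    and a policy document limited to what the role actually exercised.
    """
    granted = expand(granted_patterns, catalog)
    used = {action for action, outcome in access_log if outcome == "allowed"}
    denied = {action for action, outcome in access_log if outcome == "denied"}
    used_granted = used & granted
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(used_granted),
            # Resource scoping is the next tightening step; "*" is a placeholder here.
            "Resource": "*",
        }],
    }
    return {
        "granted_count": len(granted),
        "used_count": len(used_granted),
        "used_pct": round(100 * len(used_granted) / len(granted), 1) if granted else 0.0,
        "unused": sorted(granted - used_granted),
        "requested_but_not_granted": sorted(denied - granted),
        "proposed_policy": policy,
    }


if __name__ == "__main__":
    result = rightsize(GRANTED, ACCESS_LOG, CATALOG)
    print(f"used {result['used_count']}/{result['granted_count']} grants ({result['used_pct']}%)")
    print("unused:", ", ".join(result["unused"]))
    print("denied but requested:", ", ".join(result["requested_but_not_granted"]))
    print(json.dumps(result["proposed_policy"], indent=2))
```

On the constructed data the four patterns expand to eleven concrete actions, of which three were ever exercised; the proposed policy keeps those three, the eight unused grants are listed for review, and the denied ec2:StartInstances attempt surfaces as a candidate for an explicit grant rather than a blanket "ec2:*". Feeding real access-advisor or audit-log data into the same shape gives the number the Sysdig report is measuring.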

Miscellaneous

TeamViewer abused to breach networks in new ransomware attacks
👋 It’s nice to see TeamViewer continuing to do its duty after all of these years.

Ukraine appears to be attacking Russia's oil-and-gas industry with small, cheap drones that can bypass its air defenses
👋 Apparently, Russia’s air defenses are kaput when it comes to tiny, cheap drones. The article discusses a "bringing the detonator" strategy and mentions that low-cost drones with a minimal bomb load could wreak havoc if used against flammable targets.

Your Security Program Is Shit
“It is. And everyone knows it. I know it, you know it, your nonna who got her identity stolen and is now on the hook for $100k worth of Ethcoin or whatever the **** those things are called knows it, and your computer nerd with a little bit of charisma CISO knows it, too.” 

👋 Maybe one of my favorite new blogs 🤣 

Personal Security

FCC moves to criminalize most AI-generated robocalls
This proposal, if passed, would outlaw AI-generated robocalls under the Telephone Consumer Protection Act (TCPA).

👋 NBC News also notes in this article that New Hampshire residents recently received an AI-generated robocall, cloning President Joe Biden, telling them not to vote in the state’s primary election.

CISA warns of patched iPhone kernel bug now exploited in attacks

Software Supply Chain Security

The Bug Bounty Gold Mine: AI/ML third-party packages
A blog post written by me! Check out how the AI race has created a cesspool of third-party packages, which in turn is a gold mine for bug bounty hunters.

Ivanti Connect Secure appliances under active exploitation
👋 Wow, a real-life supply chain attack that exploits a known vulnerability in a third-party package. What's interesting is that this has resulted in what some would consider to be a duplicate CVE.

"Given we can reach the SAML server with an unauthenticated HTTP request, and can provide arbitrary XML data for processing by the vulnerable xmltooling library used by saml-server, it seems likely that this is the SSRF vulnerability identified as CVE-2024-21893 and used to bypass the first mitigation from Ivanti."

But the SSRF vulnerability mentioned here already has CVE-2023-36661. Hence my blog post "Getting Infinite CVEs via Software Supply Chain Security".

But wait... There's a convenient CWE for this, "CWE-1395: Dependency on Vulnerable Third-Party Component". Surely that was used? No. Fun fact: this CWE has never been assigned to a CVE.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle