CramHacks Chronicles #24: Weekly Cybersecurity Newsletter!

LLMs are hackers and Ransomware groups under attack!

🥳 Happy Monday! 🥳

Major thank you to the almost 100 people who attended last week’s OWASP Bay Area Meetup hosted by Semgrep and JIT.IO!

I had a blast telling everyone about my weird obsession with software supply chain security and, more specifically, managing third-party package vulnerabilities. Special thanks to those who chatted afterward; your insights are invaluable!

I’ll be giving a similar talk for the Cloud Security Alliance San Francisco Chapter on February 29th! You can join @ 6 PM Pacific Time via the link here.

Table of Contents

Application Security

ConnectWise ScreenConnect <= 23.9.7 (CVSS 10.0)
This remote code execution vulnerability can be used to compromise vulnerable ScreenConnect servers and, from there, likely pivot to the endpoints those servers manage. Anyone running a self-hosted (on-premise) ScreenConnect server at version 23.9.7 or earlier needs to update to 23.9.8 immediately to apply the security patch.

👋 Security researchers, including Huntress, have successfully created exploits for this vulnerability.

Artificial Intelligence

Chat With RTX Brings Custom Chatbot to NVIDIA RTX AI PCs
NVIDIA has released a tech demo that lets users personalize a chatbot with their own content. Chat with RTX requires an NVIDIA GeForce RTX 30 Series GPU or newer with at least 8 GB of VRAM.

👋 What I enjoy most about these AI advancements is the ease of use. You can be using Chat with RTX in less than 30 minutes. If you’re interested in how to set things up, here’s a random tutorial I pulled from Google.

Sam Altman Seeks Trillions of Dollars to Reshape Business of Chips
Altman is reportedly in discussions with investors, including those from the UAE, about an effort that could cost as much as $7 trillion.

👋 We inevitably need to work out something better for chip manufacturing, but I have a hard time with the UAE from an ethics perspective. Maybe it’s wrong of me; I would love to learn more about the country and culture.

LLM Agents can Autonomously Hack Websites
👋 While a neat idea, this paper was overhyped big time. They picked 50 old, non-static websites that they thought would have a vulnerability and found one benign XSS vulnerability. Meanwhile, the conclusion was “this shows that GPT-4 is capable of autonomously finding vulnerabilities in real-world websites.”

I would’ve liked them to compare the results to other available tooling. I’d bet Burp Suite would’ve detected it as well.

Breaches

KrebsOnSecurity: US Internet Leaked Years of Internal, Customer Emails
Krebs reports on Hold Security’s disclosure that US Internet Corp leaked more than a decade’s worth of its internal emails, plus the emails of thousands of Securence customers. The emails were accessible via a public link to a US Internet Corp email server, with clickable links into the mailboxes of more than 6,500 domain names.

Securence is a wholly owned subsidiary of US Internet Corp, a Minnesota-based internet service provider (ISP). It describes itself as “a leading provider of email filtering and management software that includes email protection and security services for small business, enterprise, educational, and government institutions worldwide.” 🤔🤔🤔

👋 This is ridiculously pathetic. The company’s response suggests that there was an issue with an Ansible playbook, but god knows what else has a screw loose at this company. To make matters worse, comments suggest that Securence customers have not been notified.

I-S00N: Chinese spyware vendor data breach
A spyware vendor contracted by the Chinese government is in trouble, to say the least. Documents from an unknown source were leaked to GitHub and contain many concerning insights into the vendor’s operations, including custom Remote Access Tools (RATs) for Windows x86/x64, macOS, older Linux distributions, iOS, and Android. Perhaps more interestingly, at first glance there appear to be relatively sophisticated hardware and software tools for targeting WiFi networks. Vx Underground is also hosting the leak here.

👋 Although not yet confirmed, I’m not all that surprised. The WiFi stuff interests me because network pentesting has been pretty stagnant these past few years. There are just not many organizations concerned with Chinese vendors shipping them power strips that hack their networks. I’m most excited to read some of these chat logs and gain insight into their operations.

Cloud Security

FedRAMP Vulnerability Scanning Requirements v3.0
Released on 2/15/24, the document consolidates all vulnerability scanning requirements for cloud service providers (CSPs), third-party assessment organizations (3PAOs), government contractors working on FedRAMP projects, and government employees working on FedRAMP projects.

👋 I haven’t looked at FedRAMP in a good while; these are just three that I thought were noteworthy.

  • Authenticated scans with administrator access must be used where possible for Moderate and High systems

  • CSPs must scan operating systems, web applications, and databases at least monthly

  • The CSP must only use containers where the image is “hardened.”
    👋 Hi Chainguard 🚀📈

Health Hacks

Bryan Johnson: My #1 Food For Anti-Aging
I wouldn’t have guessed this, but apparently Bryan Johnson’s #1 food for anti-aging is extra virgin olive oil. Keep in mind that not all extra virgin olive oil is created equal.

For those who don’t know, Bryan Johnson is a successful and uber-wealthy entrepreneur (founder, chairman, and CEO of Braintree, which acquired Venmo and sold to PayPal) who is now trying to practice anti-aging. It’s incredible what money can buy.

👋 I’ve been following Bryan Johnson for a good while now, not that I follow anything he suggests. But I’m confident enough that he’s the real deal, and despite my jealousy, I’m excited to see how things progress.

Neuralink’s first human patient able to control mouse through thinking
👋 This is freak’n nuts. I can’t wait for my brain chip.

Miscellaneous

Reward (up to $15M) for Information: ALPHV/Blackcat Ransomware as a Service
The US Department of State is offering up to $10,000,000 for information that helps identify or locate key leaders of the group behind ALPHV/Blackcat ransomware. Additionally, up to $5,000,000 is being offered for information leading to the arrest and conviction of any individual participating or attempting to participate in these ransomware activities.

Rippling: Engineering a SIEM Part 1: Why did we need to build our own SIEM?
Staff Security Engineer Piotr Szwajkowski shares Rippling’s priorities for a security information and event management (SIEM) solution.

👋 Based on this blog post, I’d disagree with the decision to build the SIEM internally. That said, it’s a nice wish list, and I hope to be proven wrong! Rippling undoubtedly has some serious talent. I’m looking forward to part 2 of this series.

Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates
US and UK authorities have seized the darknet websites operated by LockBit, a ransomware group that has claimed over 2,000 victims worldwide and extorted over $120 million. LockBit’s webpage, historically used for shaming compromised victims, now offers free recovery tools and includes news about arrests and criminal charges related to LockBit affiliates.

Software Supply Chain Security

LegitSecurity: Azure DevOps Zero-Click CI/CD Vulnerability
LegitSecurity researcher Nadav Noy discloses CVE-2023-36561, a zero-click vulnerability (no action by the repository maintainers is required) that allowed an attacker to access pipeline secrets and perform actions with elevated permissions.

To be vulnerable, the following three conditions must be met:

  1. A public GitHub repository that runs Azure Pipelines on pull requests

  2. The default Azure Pipelines fork configuration is used to trigger pipeline runs

  3. The project uses pipeline triggers (Pipeline-Triggers)

👋 While a fix was released in October 2023, I wanted to share this as I’m becoming very interested in vulnerabilities relating to CI/CD. There seems to be a lot, which is fun.
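The three conditions above are all things you can audit for in your own pipeline definitions. The script below is an added example (not Legit Security’s or Microsoft’s code) that walks a set of pipeline definitions and flags a pipeline-resource trigger whose source pipeline builds pull requests, i.e. the chain a fork PR could ride into a secrets-holding downstream pipeline. Assumptions: the definitions are written here as Python dicts equivalent to the azure-pipelines.yml files so the example runs without PyYAML (in practice, `yaml.safe_load` each file); the fork-build project setting is not in YAML, so it is passed in as `fork_builds_enabled` (assumed on, the Azure default); the sample pipelines, names and branch filters are constructed for illustration; and the two hardened variants shown (`pr: none` on the source, or a `main`-only branch filter on the resource trigger) are mitigations that break one of the three conditions, not the vendor’s fix.

```python
"""Audit Azure Pipelines definitions for the fork-PR -> pipeline-trigger chain.

Added example, not code from the disclosure. Models the three preconditions:
  1. source pipeline validates GitHub pull requests (YAML `pr:` not `none`;
     for GitHub repos, omitting `pr:` means PR validation is ON by default),
  2. fork builds allowed (project setting, passed in as `fork_builds_enabled`),
  3. another pipeline has a `resources.pipelines[].trigger` on that source.
"""
from __future__ import annotations
from typing import Any, Iterator

# Constructed sample definitions, equivalent to azure-pipelines.yml files.
PIPELINES: dict[str, dict[str, Any]] = {
    # No `pr:` key -> PR validation on by default for a GitHub repo.
    "ci": {"trigger": ["main"], "steps": [{"script": "make test"}]},
    # Weak: fires on ANY completed run of "ci", including fork PR builds,
    # and holds a secret.
    "release": {
        "trigger": "none",
        "resources": {"pipelines": [
            {"pipeline": "upstream", "source": "ci", "trigger": True}]},
        "steps": [{"script": "./publish.sh",
                   "env": {"TOKEN": "$(PUBLISH_TOKEN)"}}],
    },
    # Hardened variant A: trigger only on runs of main. PR builds run on
    # refs/pull/N/merge, which the branch filter does not match.
    "release-hardened": {
        "resources": {"pipelines": [
            {"pipeline": "upstream", "source": "ci",
             "trigger": {"branches": {"include": ["main"]}}}]},
        "steps": [{"script": "./publish.sh"}],
    },
    # Hardened variant B: the source pipeline does not build PRs at all.
    "ci-no-pr": {"pr": "none", "trigger": ["main"],
                 "steps": [{"script": "make test"}]},
    "release-of-ci-no-pr": {
        "resources": {"pipelines": [
            {"pipeline": "upstream", "source": "ci-no-pr", "trigger": True}]},
        "steps": [{"script": "./publish.sh"}],
    },
}


def pr_validation_enabled(defn: dict[str, Any]) -> bool:
    """Condition 1: does this pipeline build pull requests?"""
    pr = defn.get("pr", "default")           # absent key => GitHub default (on)
    if isinstance(pr, str) and pr.lower() == "none":
        return False
    return True                              # list/dict of branches, or default


def resource_triggers(defn: dict[str, Any]) -> Iterator[tuple[str, Any]]:
    """Condition 3: yield (source pipeline name, trigger spec) for each
    enabled pipeline-resource trigger. Omitted/none/false = no trigger."""
    for res in (defn.get("resources") or {}).get("pipelines") or []:
        trig = res.get("trigger", "none")
        if trig is None or trig is False:
            continue
        if isinstance(trig, str) and trig.lower() == "none":
            continue
        yield res.get("source") or res.get("pipeline"), trig


def trigger_restricted_to_branches(trig: Any) -> bool:
    """True if the trigger has a branch include filter that cannot match a
    PR merge ref (refs/pull/N/merge). `trigger: true` is unrestricted."""
    if not isinstance(trig, dict):
        return False
    include = (trig.get("branches") or {}).get("include") or []
    return bool(include) and not any(b in ("*", "refs/pull/*") for b in include)


def find_zero_click_chains(pipelines: dict[str, dict[str, Any]],
                           fork_builds_enabled: bool = True) -> list[tuple[str, str]]:
    """Return (source, downstream) pairs where all three conditions hold."""
    findings: list[tuple[str, str]] = []
    if not fork_builds_enabled:              # condition 2 broken => nothing to flag
        return findings
    for name, defn in pipelines.items():
        for source, trig in resource_triggers(defn):
            src = pipelines.get(source)
            if src is None:                  # cross-project source; audit there
                continue
            if pr_validation_enabled(src) and not trigger_restricted_to_branches(trig):
                findings.append((source, name))
    return findings


if __name__ == "__main__":
    for source, downstream in find_zero_click_chains(PIPELINES):
        print(f"RISK: fork PR build of '{source}' can trigger '{downstream}' with its secrets")
```

Running it flags only the `ci` → `release` chain; the two hardened variants and the `fork_builds_enabled=False` case produce nothing. The check is deliberately conservative: an unrestricted trigger (`true`, or a `*` branch include) is treated as reachable from a PR build, and a source pipeline defined in another project is skipped rather than guessed at.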

NIST: Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines
A 32-page document that maps objectives from the Secure Software Development Framework (SSDF) to CI/CD pipeline security controls, specifically in the context of software supply chain security for the development and deployment of cloud-native applications.

👋 Appendix A is what you’re looking for: Table 2, “Mapping of recommended CI/CD pipeline security tasks to SSDF practices.”

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle