CramHacks Chronicles #29: Weekly Cybersecurity Newsletter!

🥳 Happy Monday! 🥳

I hope you’re doing well!

This week, I learned that people sell their bandwidth. What’s even worse is that many people are unknowingly doing so.

Why does it matter? Well, say I’m at work and learn I could make a few bucks each week selling bandwidth, so I install this application. Congratulations—you’ve just sold a backdoor into a corporate network.

More to come on this! Users do not need to install applications on their systems to do this. For example, in 2015, the popular Chrome extension Hola was called out for selling users’ bandwidth to botnets. At the time, Hola had ~9 Million users 😯.

Table of Contents

• Application Security

• Artificial Intelligence

• Cloud Security

• Miscellaneous

• Software Supply Chain Security

• Until Next Time! 👋

Application Security

Secure by Design Alert Eliminating SQL Injection Vulnerabilities in Software
CISA and the FBI issued a joint alert to eliminate SQL injection vulnerabilities following the Cl0p ransomware gang’s exploitation of CVE-2023-34362 (MOVEit Vulnerability). The alert states that many have deemed SQL injection vulnerabilities to be ‘unforgivable’ since 2007, yet still prevalent and listed among the top 25 most dangerous software weaknesses in 2023.

Unpatchable vulnerability in Apple chip leaks secret encryption keys
Researchers have uncovered an unpatchable vulnerability in Apple’s M-series chips that enables the extraction of secret keys during cryptographic operations, due to a design flaw in the chips’ microarchitecture, necessitating software-level mitigations that may impair performance.

Artificial Intelligence

ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild
Oligo Security’s Avi Lumelsky, Guy Kaplan, and Gal Elbaz share details of the ongoing exploitation of a disputed vulnerability, CVE-2023-48022, in the Ray AI framework, leading to thousands of public Ray servers being compromised for at least 7 months.

Cloud Security

900 Sites, 125 million accounts, 1 vulnerability
Researchers Logykk, xyzeva/Eva, and MrBruh detail how they scanned the internet for misconfigured Firebase instances and obtained the following:

• All (records): 124,605,664

• Names: 84,221,169

• Emails: 106,266,766

• Phone Numbers: 33,559,863

• Passwords: 20,185,831

• Billing Info (Bank details, invoices, etc): 27,487,924

Keep Hackers Out of Your Kubernetes Cluster with These 5 Simple Tricks!
Datadog Security Researchers Christophe Tafani-Dereeper & Frédéric Baguelin discuss securing Kubernetes clusters against real-world threats by proposing a prioritized security roadmap for containerized workloads, emphasizing the need for threat modeling and highlighting common attack vectors and mitigation strategies for both the control and data planes of managed Kubernetes distributions.

👋 My biggest takeaways based on my limited understanding of Kubernetes were, “The best Kubernetes is no Kubernetes” and if you do need it, managed Kubernetes services are the way to go - this reduces the odds of security misconfigurations in the control plane.

This was a guest post on tl;dr sec; if you’re not already subscribed to their newsletter, I strongly suggest you do so!

Miscellaneous

Mozilla’s first-ever Annual Consumer Creep-O-Meter
I’ve been impressed by Mozilla’s privacy efforts ever since they disclosed how Nissan & Kia collect data about the owner’s sex life.

The big takeaways from the annual review are:

• Products are getting more secure, but also a lot less private.

• An increasing number of products can’t be used offline.

• Privacy policies are getting ridiculous.

U.S. Accuses Two Men of Stealing Tesla Trade Secrets
A Canadian man who lives in China was arrested in New York, along with his business partner, after meeting with undercover agents on Long Island and trying to sell them technology used to produce Tesla battery parts.

👋 They were arrested on/in Long Island, NY - that’s where I’m from! Long Island has apparently gotten much more cool since I’ve left.

Long Island company admits it illegally sold Chinese-made equipment to U.S. military
Aventura and senior managers were charged in 2019 but just pled guilty to selling surveillance equipment to the U.S. military and labeling it as American-made.

public-pentesting-reports
A list of public penetration test reports published by several consulting firms and academic security groups.

Neuralink: Brain chip patient plays online chess with his thoughts
👋 This is the coolest thing I’ve seen in my life.

Software Supply Chain Security

Over 170K Users Affected by Attack Using Fake Python Infrastructure
Checkmarx Security Researcher Tal Folkman details the discovery of a malicious package being distributed via a fake Python mirror. The attacker hijacked GitHub accounts to make malicious commits that updated the requirements.txt file to download a trojan version of the “Colorama” package from “files[.]pypihosted[.]org” instead of the official Python mirror “files.pythonhosted.org.”

How to stay safe from repo-jacking
GitHub’s Kevin Backhouse explains “repo-jacking” and why it’s not something to worry about if you’re using a package manager like npm or PyPI. However, when pulling packages directly from GitHub, this attack vector has some nuanced opportunities, e.g., if you’re using GitHub Actions, the Go programming language, or git submodules.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle