
CramHacks Chronicles #33: Weekly Cybersecurity Newsletter!

Korea fears AI supply chain, GitHub hosts malware, Microsoft AD account compromise, EPSS Predicts Exploitability, and DataDog's State of DevSecOps

🥳 Happy Monday! 🥳

Hey all, I hope you’re doing well! I surfed as much as I could Friday-Sunday and still feel the soreness 🤣🏄️.

CramHacks was originally intended to be a software supply chain security newsletter but quickly introduced other topics due to a lack of content. However, that has definitely changed in recent months!

How would you feel if CramHacks focused primarily on software supply chain security? Let me know in the poll below!

Should CramHacks focus on software supply chain security?


General News

Korea: Information sharing is the key to protecting against SW supply chain attacks
South Korea's government, in collaboration with various agencies, including the National Intelligence Service and KISA, has developed 'SW Supply Chain Security Guidelines' to improve SW quality, ensure supply chain transparency, and maintain competitiveness against international trade barriers.

👋 I’m going based on the translations, but it seems like AI is a big motivator for their heightened concerns regarding software supply chain security.

DataDog: State of DevSecOps
👋 I appreciate this report, but the results are incredibly misleading for the average reader. For example, the following quote is a load of bull.

“90 percent of Java services are vulnerable to one or more critical or high-severity vulnerabilities introduced by a third-party library, versus an average of 47 percent for other technologies.”

DataDog’s recently released SCA tool, which was used for this analysis, has exactly 0 features to determine exploitability. This should say… 90% of Java services use a third-party package with a known vulnerability. That does not mean the service is vulnerable. In most cases, very specific conditions must be met for the service to be vulnerable. This is why reachability analysis is so valuable.
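To make the distinction concrete, here is an added example (not DataDog's tooling or anything from the report) of the kind of check a reachability-aware scanner performs: it separates "ships a package that has an advisory" from "can actually reach the function the advisory is about". The package names, advisory symbols, dependency lists and call graphs are all constructed placeholders.

```python
from collections import deque

# Constructed advisory inventory: package -> functions an advisory names as the vulnerable path.
# Package and symbol names are placeholders, not real advisories.
VULNERABLE_SYMBOLS = {
    "example-logger": {"example.logger.Lookup.resolve"},
    "example-xml": {"example.xml.Parser.parseExternalEntity"},
}


def reachable_set(call_graph, entry_points):
    """Breadth-first walk of a caller -> callees map, starting from the service's entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def triage(dependencies, call_graph, entry_points):
    """Report both facts side by side: packages with advisories vs. advisory symbols actually reachable."""
    known_vulnerable = {sym for pkg in dependencies for sym in VULNERABLE_SYMBOLS.get(pkg, ())}
    reachable = reachable_set(call_graph, entry_points)
    return {
        "packages_with_advisories": sorted(p for p in dependencies if p in VULNERABLE_SYMBOLS),
        "reachable_vulnerable_symbols": sorted(known_vulnerable & reachable),
    }


# Constructed service A: depends on both packages, but only calls non-vulnerable entry points.
SERVICE_A_DEPS = ["example-logger", "example-xml", "example-http"]
SERVICE_A_GRAPH = {
    "app.Main.handle": ["example.logger.Logger.info", "example.xml.Parser.parseTrusted"],
    "example.logger.Logger.info": ["example.logger.Formatter.format"],
    "example.xml.Parser.parseTrusted": ["example.xml.Parser.parseNode"],
    # The vulnerable path exists inside the library, but nothing in service A calls into it.
    "example.logger.Logger.error": ["example.logger.Lookup.resolve"],
}

# Constructed service B: identical dependencies, but a request handler parses untrusted XML.
SERVICE_B_GRAPH = dict(SERVICE_A_GRAPH)
SERVICE_B_GRAPH["app.Main.handle"] = ["example.logger.Logger.info", "example.xml.Parser.parseUntrusted"]
SERVICE_B_GRAPH["example.xml.Parser.parseUntrusted"] = ["example.xml.Parser.parseExternalEntity"]

if __name__ == "__main__":
    for name, graph in (("service-a", SERVICE_A_GRAPH), ("service-b", SERVICE_B_GRAPH)):
        print(name, triage(SERVICE_A_DEPS, graph, ["app.Main.handle"]))
```

Both services would count toward the "90 percent" figure, because both list packages with advisories; only service B has a path from its request handler to the vulnerable function. A static call graph like this one undercounts reachability through reflection, dynamic dispatch and plugin loading, so a "not reachable" result is a prioritization signal, not proof of safety.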

Malware / Exploits

GitHub comments abused to push malware via Microsoft repo URLs
Threat actors are abusing a GitHub feature that lets users attach files to comments, using it to distribute malware. The upload lands at a legitimate-looking URL under the repository the comment was posted in: https://www.github.com/{project_user}/{repo_name}/files/{file_id}/{file_name}
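Because the owner and repository in that path say nothing about who uploaded the file, a defender's first step is simply to be able to spot these URLs in traffic. The following added example (mine, not from the article or from GitHub) matches the URL shape quoted above against constructed proxy log lines and flags attachments with archive or executable extensions for review; the log format, owners, file ids and file names are all placeholders.

```python
import re
from urllib.parse import urlparse

# Shape of a GitHub comment-attachment URL, as quoted in the post:
# https://www.github.com/{project_user}/{repo_name}/files/{file_id}/{file_name}
ATTACHMENT_PATH = re.compile(
    r"^/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/files/(?P<file_id>\d+)/(?P<file_name>[^/]+)$"
)

# Extensions worth a closer look when served from a comment attachment (constructed list).
WATCHLIST_EXT = (".zip", ".7z", ".rar", ".exe", ".msi", ".iso", ".scr")

# Assumed log format: whitespace-separated fields with a url=<value> field (constructed).
URL_IN_LINE = re.compile(r"url=(\S+)")


def parse_attachment_url(url):
    """Return the attachment fields for a GitHub comment-attachment URL, or None for anything else."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ("github.com", "www.github.com"):
        return None
    match = ATTACHMENT_PATH.match(parsed.path)
    if match is None:
        return None
    fields = match.groupdict()
    fields["suspicious_ext"] = fields["file_name"].lower().endswith(WATCHLIST_EXT)
    return fields


def scan_proxy_log(lines):
    """Return (line, fields) for every log line whose URL is a comment attachment.

    Note that owner/repo is the repository the comment was posted under; it is not
    evidence that the repository's maintainers published the file.
    """
    findings = []
    for line in lines:
        m = URL_IN_LINE.search(line)
        if not m:
            continue
        fields = parse_attachment_url(m.group(1))
        if fields:
            findings.append((line, fields))
    return findings


# Constructed proxy log lines; owners, ids and names are placeholders, not real indicators.
SAMPLE_LOG = [
    "2024-04-22T10:01:02Z user=alice url=https://www.github.com/example-org/example-repo/files/1234567/Installer.zip",
    "2024-04-22T10:01:05Z user=alice url=https://github.com/example-org/example-repo/releases/tag/v1.2.3",
    "2024-04-22T10:02:17Z user=bob url=https://github.com/example-org/example-repo/files/7654321/notes.txt",
    "2024-04-22T10:03:40Z user=carol url=https://example.com/files/1/Installer.zip",
]

if __name__ == "__main__":
    for line, fields in scan_proxy_log(SAMPLE_LOG):
        label = "ARCHIVE/EXECUTABLE" if fields["suspicious_ext"] else "attachment"
        print(f"{label}: {fields['owner']}/{fields['repo']} "
              f"file_id={fields['file_id']} name={fields['file_name']}")
```

The release-page URL and the non-GitHub host are deliberately ignored: the point is to isolate the one path shape where a file can carry a trusted organization's name without that organization having published it. A matching line is a reason to pull the file for analysis, not a verdict on its own.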

Fixing Typos and Breaching Microsoft’s Perimeter
Continuing to exploit GitHub's Runner Images, Adnan Khan and John Stawinski targeted Microsoft DeepSpeed, compromising a server and gaining Senior Developer privileges.

👋 Shockingly, no bounty was rewarded for this compromise. This is because DeepSpeed is not eligible for rewards, even though this impacted Microsoft’s Active Directory environment.

Open-Source Tooling

Poutine: A security scanner for repository build pipelines
BoostSecurity.io's poutine scans build pipelines for vulnerabilities in GitHub Actions and GitLab CI/CD.

👋 They’ve also shared Messy Poutine, a GitHub organization demonstrating purposely vulnerable build pipelines. This will come in handy.

owasp-dep-scan: blint v2 release
BLint is a Binary Linter that assesses security properties and capabilities in your executables. The latest version (v2) now also offers SBOM generation for binaries.

US Government and OpenSSF Partner on New SBOM Management Tool
The OpenSSF, CISA, and DHS S&T launched Protobom, a tool for creating and translating SBOMs across formats to enhance software supply chain security.

Vulnerability Management

SSVC: Stakeholder-Specific Vulnerability Categorization
A framework for prioritizing vulnerability management actions tailored to diverse stakeholder needs. It uses decision points, values, and outcomes to guide response policies.
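As an added illustration of how decision points, values and outcomes fit together (my own example, not code from the SSVC project), the block below encodes a handful of decision points with fixed value sets, an ordered rule table that maps combinations to outcomes, and a function that expands that table over every combination so stakeholders can review the whole policy. The decision-point names follow SSVC's deployer tree, but the rule table itself is a constructed illustration and is not the official SSVC tree.

```python
from collections import Counter
from itertools import product

# Decision points and their allowed values (names follow SSVC's deployer tree; constructed subset).
DECISION_POINTS = {
    "exploitation": ("none", "poc", "active"),
    "exposure": ("small", "controlled", "open"),
    "automatable": ("no", "yes"),
    "human_impact": ("low", "medium", "high", "very_high"),
}
OUTCOMES = ("defer", "scheduled", "out_of_cycle", "immediate")

# Ordered rules: each maps decision-point constraints to an outcome. The first rule whose
# constraints all hold wins; the empty constraint set at the end is the catch-all.
# This table is a constructed example policy, not the official SSVC tree.
POLICY = [
    ({"exploitation": {"active"}, "human_impact": {"high", "very_high"}}, "immediate"),
    ({"exploitation": {"active"}}, "out_of_cycle"),
    ({"exploitation": {"poc"}, "exposure": {"open"}, "automatable": {"yes"}}, "out_of_cycle"),
    ({"exploitation": {"poc"}}, "scheduled"),
    ({"human_impact": {"very_high"}, "exposure": {"open"}}, "scheduled"),
    ({}, "defer"),
]


def validate(values):
    """Reject unknown decision points or values so a typo cannot silently fall through to 'defer'."""
    for point, allowed in DECISION_POINTS.items():
        if values.get(point) not in allowed:
            raise ValueError(f"{point} must be one of {allowed}, got {values.get(point)!r}")


def decide(values, policy=POLICY):
    """Evaluate one vulnerability's decision-point values against the policy and return an outcome."""
    validate(values)
    for constraints, outcome in policy:
        if all(values[point] in allowed for point, allowed in constraints.items()):
            return outcome
    raise RuntimeError("policy has no catch-all rule")


def decision_table(policy=POLICY):
    """Expand the policy over every combination of values: the full tree a stakeholder can review."""
    names = list(DECISION_POINTS)
    table = {}
    for combo in product(*(DECISION_POINTS[n] for n in names)):
        table[combo] = decide(dict(zip(names, combo)), policy)
    return table


if __name__ == "__main__":
    table = decision_table()
    print(len(table), "combinations ->", Counter(table.values()))
    print(decide({"exploitation": "active", "exposure": "small",
                  "automatable": "no", "human_impact": "high"}))
```

Expanding the table is the useful step: a rule list that looks reasonable can still route a surprising share of combinations to one outcome, and reviewing the expanded table is how a stakeholder group catches that before the policy is applied to real backlogs.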

Does EPSS actually predict future exploitation activity?
Cyentia Institute’s Jay Jacobs compares the coverage and efficiency of EPSS versions at predicting whether a vulnerability will be exploited in the next 30 days. The jump from v2 to v3 is 🔥.
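For readers who want to see what "coverage" and "efficiency" measure, here is an added example (mine, not code from Cyentia or the EPSS project) that computes both for a remediate-everything-above-a-threshold strategy. It assumes the usual definitions: coverage is the share of actually-exploited vulnerabilities the strategy would have remediated (recall), and efficiency is the share of remediated vulnerabilities that turned out to be exploited (precision). The vulnerability ids, the two sets of scores and the exploitation ground truth are constructed, not real EPSS output.

```python
def coverage_and_efficiency(scores, exploited, threshold):
    """Treat every vulnerability with score >= threshold as 'remediate now' and measure the result.

    coverage   = exploited vulns you remediated / all exploited vulns   (recall)
    efficiency = exploited vulns you remediated / all vulns remediated  (precision)
    effort     = share of the whole inventory you chose to remediate
    """
    flagged = {v for v, s in scores.items() if s >= threshold}
    true_positives = len(flagged & exploited)
    return {
        "threshold": threshold,
        "flagged": len(flagged),
        "coverage": true_positives / len(exploited) if exploited else 0.0,
        "efficiency": true_positives / len(flagged) if flagged else 0.0,
        "effort": len(flagged) / len(scores) if scores else 0.0,
    }


def sweep(scores, exploited, thresholds):
    """Evaluate the same scores at several thresholds; lower thresholds trade efficiency for coverage."""
    return [coverage_and_efficiency(scores, exploited, t) for t in thresholds]


# Constructed inventory of ten vulnerabilities (placeholder ids, not CVE numbers) and the
# constructed ground truth of which were observed exploited in the 30-day window.
EXPLOITED = {"VULN-01", "VULN-02", "VULN-03"}

# Constructed scores for two hypothetical model versions (an older and a newer one).
SCORES_OLD = {
    "VULN-01": 0.80, "VULN-02": 0.30, "VULN-03": 0.55, "VULN-04": 0.60, "VULN-05": 0.65,
    "VULN-06": 0.10, "VULN-07": 0.52, "VULN-08": 0.20, "VULN-09": 0.05, "VULN-10": 0.40,
}
SCORES_NEW = {
    "VULN-01": 0.90, "VULN-02": 0.70, "VULN-03": 0.60, "VULN-04": 0.20, "VULN-05": 0.10,
    "VULN-06": 0.05, "VULN-07": 0.55, "VULN-08": 0.02, "VULN-09": 0.01, "VULN-10": 0.03,
}

if __name__ == "__main__":
    for label, scores in (("old model", SCORES_OLD), ("new model", SCORES_NEW)):
        for r in sweep(scores, EXPLOITED, (0.1, 0.5, 0.9)):
            print(f"{label} @ {r['threshold']:.2f}: flagged={r['flagged']:2d} "
                  f"coverage={r['coverage']:.2f} efficiency={r['efficiency']:.2f} effort={r['effort']:.2f}")
```

The two numbers always have to be read together with effort: a threshold of 0.0 gives perfect coverage by remediating everything, and a threshold just below the top score gives high efficiency by remediating almost nothing. A better model is one that improves coverage and efficiency at the same effort, which is what the comparison between versions is measuring.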


Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle