
CramHacks Chronicles #81: Weekly Cybersecurity Newsletter!

MCP Servers Leaking Secrets, Backdooring more cryptocurrencies, Kali loses access to signing key, Google's 2024 Zero-Day Exploitation Analysis

Hello, and Happy Monday!

This week I’m in NYC for a team offsite and productivity is through the roof. I freak’n love grinding in person with smart people.

RSAC 2025 Must-Read:

95% of AppSec Fixes Don’t Reduce Risk.

Focus on the critical 5% that truly matter.

Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
The Google Threat Intelligence Group details findings from tracking 75 zero-day vulnerabilities exploited in the wild throughout 2024.

Kali: In the coming day(s), apt update is going to fail for pretty much everyone
🤦 The Kali maintainers lost access to the signing key for its repository, so they’ve had to create a new one. Users will have to download and install the new key manually, or re-image their host with the updated Kali release.

A Look Into the Secrets of MCP: The New Secret Leak Source
GitGuardian Security Researcher Gaetan Ferry shines a light on the risks of exposed secrets for MCP entities, and found that 202 of the 3,829 (5.2%) public MCP servers tested had leaked one or more secrets.

Everything Wrong with MCP
Shrivu Shankar discusses MCP protocol security, UI/UX limitations, how MCP worsens LLM security, and LLM limitations.

👋 An MCP server is intended to be used by an LLM, but doesn’t necessarily have to be. I think a lot of people don’t realize that and aren’t necessarily applying the same security controls as they would a public-facing API 🙁. MCP Servers: The New Security Nightmare found 43% of tested implementations contained command injection flaws.

CNCF: Protecting NATS and the integrity of open source
NATS, a cloud and edge native messaging system, has been managed by the CNCF since 2018, after being donated by Synadia — who’ve made 97% of its server contributions. Recently, the CNCF publicly disclosed that Synadia has demanded that the nats[.]io domain and the nats-io GitHub organization be transferred back to Synadia, and that they plan to relicense the NATS server under the Business Source License (BUSL).

👋 There are still ongoing discussions: discussion thread, Synadia’s public response, Synadia’s letter from legal counsel.

CISA Warns Threat Hunting Staff to Stop Using Censys & VirusTotal
CISA Staff were notified to cease use of VirusTotal on April 20th, following its halted use of Censys in late March.

👋 I’m not following this super closely but if anyone is doing threat intelligence and malware research, I’d expect it’d be the government. News lately seems to be suggesting that’s no longer the case.

Crafting a Package Deletion Policy
OpenSSF’s Securing Software Repositories Working Group has released guidance for package registries adopting or revising a package deletion policy. The guidance suggests values to consider before deleting a given package: time, downloads, dependency status, and maintainer status.

👋 So many edge cases 🫠. I’m glad to see this guidance, but I also just wish ecosystems could standardize. What I find most confusing is knowing which ecosystems support what.

Grafana: no customer impact from GitHub workflow vulnerability
On Saturday, a Grafana canary token was triggered, alerting them to a potential incident. Upon investigation, they observed a malicious actor had exploited a vulnerable GitHub workflow in a public repository and exfiltrated secrets from environment variables.

👋 Red/Blue Teamers and malicious actors alike are enjoying Gato/GatoX capabilities.

XRP: Official NPM package infected with crypto stealing backdoor
The npm package xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 were compromised and found to be exfiltrating private keys to access crypto wallets.

👋 This feels like it happens weekly . . . Crypto has been a game changer for malicious actors; there’s interesting research to be done on the amount of funds compromised and how threat actors have evolved, perhaps in large part due to the increased opportunity.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.