[CramHacks] Newsletter #0

CramHacks Chronicles: Key Insights on Information Security & Software Supply Chain Risks

🥳 Happy Monday! 🥳 

Today’s the day we start the CramHacks newsletter. Tomorrow’s the day that the world ends - hopefully not, but how cool would it be if I predicted it?

Life Update

I’m now back home in San Diego, CA after working with a client in Spokane, WA, and finally somewhat moved in to our condo! 🏡 Super pumped to start surfing more, running more, and just enjoying all San Diego has to offer.

Information Security

University of Wisconsin-Madison: Stealing Passwords with Browser Extensions
University of Wisconsin-Madison researchers uploaded a proof-of-concept extension to the Chrome Web Store (it passed review) to highlight a major risk in the Manifest V3 extension platform: there is no security boundary between an extension's content scripts and the elements of the page they run on, so an extension can read the plaintext value of a password field exactly as the site's own scripts can.

The researchers note that approximately 17,300 extensions in the Chrome Web Store have the permissions necessary to extract sensitive information from websites. Further analysis uncovered that 190 extensions directly access password fields and store values in a variable.
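The two numbers above come from the same pair of checks, applied to an unpacked extension: does the manifest grant content-script access to web pages, and does any content script pull a password field's value into script state. The following is an added example, not the researchers' tooling, that applies both checks heuristically with plain Node.js; the manifest, content script, regexes and the `assessExtension` name are all constructed for illustration.

```javascript
// Added example: heuristic triage of an unpacked extension for the pattern
// described above (page access + password-field read). Not the UW-Madison
// researchers' code; inputs are constructed.

// Host patterns that put a content script on every site the user visits.
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// A password field reached through a DOM selector or an input-type check.
const PASSWORD_FIELD = /input\s*\[\s*type\s*=\s*["']?password["']?\s*\]|\.type\s*===?\s*["']password["']/i;
const VALUE_READ = /\.value\b/;

// Check 1 (manifest): which pages can the extension's content scripts reach?
// In Manifest V3 this is content_scripts[].matches plus host_permissions.
function pageAccess(manifest) {
  const scriptMatches = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  const hosts = manifest.host_permissions || [];
  const patterns = [...scriptMatches, ...hosts];
  return {
    injectsContentScripts: scriptMatches.length > 0,
    broad: patterns.some(p => BROAD_PATTERNS.has(p)),
    patterns,
  };
}

// Check 2 (source): a password-field selector followed within a few lines by a
// .value read, i.e. the secret leaves the DOM and lands in extension state.
function findPasswordReads(source, lookahead = 3) {
  const lines = source.split('\n');
  const hits = [];
  lines.forEach((line, i) => {
    if (!PASSWORD_FIELD.test(line)) return;
    const ctx = lines.slice(i, i + lookahead).join('\n');
    if (VALUE_READ.test(ctx)) hits.push({ line: i + 1, snippet: line.trim() });
  });
  return hits;
}

// Combine both checks; contentScripts maps file name -> source text.
function assessExtension(manifest, contentScripts) {
  const access = pageAccess(manifest);
  const passwordReads = Object.entries(contentScripts).flatMap(([file, src]) =>
    findPasswordReads(src).map(h => ({ file, ...h })));
  let verdict = 'no page access';
  if (access.injectsContentScripts) {
    verdict = passwordReads.length > 0 ? 'reads password fields' : 'has page access, no password read seen';
  }
  return { ...access, passwordReads, verdict };
}

// Constructed sample: an MV3 extension that runs everywhere and captures passwords.
const SAMPLE_MANIFEST = {
  manifest_version: 3, name: 'constructed sample', version: '1.0',
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};
const SAMPLE_CONTENT_JS = [
  "document.addEventListener('submit', () => {",
  "  const field = document.querySelector('input[type=\"password\"]');",
  "  const captured = field ? field.value : null; // plaintext now in extension state",
  "  window.__captured = captured;",
  "});",
].join('\n');

// Constructed benign sample: scoped to one site, touches only a text input.
const BENIGN_MANIFEST = {
  manifest_version: 3, name: 'constructed benign', version: '1.0',
  content_scripts: [{ matches: ['https://example.com/*'], js: ['c.js'] }],
};
const BENIGN_JS = "document.querySelector('input[type=\"text\"]').value = 'hello';";

console.log(JSON.stringify(assessExtension(SAMPLE_MANIFEST, { 'content.js': SAMPLE_CONTENT_JS }), null, 2));
console.log(JSON.stringify(assessExtension(BENIGN_MANIFEST, { 'c.js': BENIGN_JS }), null, 2));
```

The regexes are deliberately loose: the goal is a triage list like the researchers' 190, not proof of malice, since a legitimate password manager matches the same pattern. Run it across every `js` file listed under `content_scripts` and anything they import.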

LastPass: Seeing the Effects of Past Breaches (Maybe)
KrebsOnSecurity and industry experts share observed trends in an ongoing wave of cryptocurrency theft. The most obvious common factor is that the victims used LastPass to store the seed phrases for their cryptocurrency wallets.

X (Twitter): Collecting Biometric Data
X's updated privacy policy comes into effect on September 29th for Premium users, requiring them to consent to X collecting their biometric data. Users will also have the option to provide a government ID with a photo for identity matching.

Meta: Q2-2023 Adversarial Threat Report
One highlight of this report was Meta reportedly “Taking Down Two of the Largest Known Covert Influence Operations”; China’s Spamouflage operation and Russia’s Doppelganger campaign.

BlackBerry: Q2-2023 Global Threat Intelligence Report
This report covers 90 days of recorded data (March - May 2023). BlackBerry Cybersecurity solutions stopped over 1.5M attacks, the report labels healthcare and financial services as the most targeted industries, and it highlights the risks facing digital and mobile banking services.

Okta: Super Administrators Targeted
Threat actors are social engineering the IT service desk personnel of US-based Okta customers, asking them to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users (Okta Super Administrators), then using the freshly reset account to take over the tenant.
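The help-desk reset itself looks routine in isolation; what distinguishes this tradecraft is a reset of every factor on a privileged account followed shortly by a new session for that account from an address it has never used. The following is an added detection example, not Okta's own tooling, that correlates those two events over Okta System Log records. The event type names (user.mfa.factor.reset_all, user.session.start) and field layout (actor, target, client.ipAddress, outcome.result, published) are taken from the System Log schema as I know it; verify them against your tenant before relying on the rule. The events, accounts and addresses are constructed.

```javascript
// Added example: flag "MFA reset-all on a privileged account, then a login from
// a never-before-seen IP within an hour". Not Okta's code; sample data constructed.

const PRIVILEGED = new Set(['admin@corp.example']);   // assumed: your Super Admins
const WINDOW_MS = 60 * 60 * 1000;                      // correlation window: 1 hour

// Constructed Okta System Log events, in the shape of the real schema.
const SAMPLE_EVENTS = [
  { published: '2023-08-29T10:00:00Z', eventType: 'user.session.start',
    actor: { alternateId: 'admin@corp.example' }, client: { ipAddress: '203.0.113.10' },
    outcome: { result: 'SUCCESS' }, target: [] },
  { published: '2023-08-29T14:05:00Z', eventType: 'user.mfa.factor.reset_all',
    actor: { alternateId: 'helpdesk@corp.example' }, client: { ipAddress: '198.51.100.5' },
    outcome: { result: 'SUCCESS' },
    target: [{ type: 'User', alternateId: 'admin@corp.example' }] },
  { published: '2023-08-29T14:20:00Z', eventType: 'user.session.start',
    actor: { alternateId: 'admin@corp.example' }, client: { ipAddress: '192.0.2.77' },
    outcome: { result: 'SUCCESS' }, target: [] },
  // Benign: same help-desk action on a non-privileged user, then a normal login.
  { published: '2023-08-29T15:00:00Z', eventType: 'user.mfa.factor.reset_all',
    actor: { alternateId: 'helpdesk@corp.example' }, client: { ipAddress: '198.51.100.5' },
    outcome: { result: 'SUCCESS' },
    target: [{ type: 'User', alternateId: 'user@corp.example' }] },
  { published: '2023-08-29T15:10:00Z', eventType: 'user.session.start',
    actor: { alternateId: 'user@corp.example' }, client: { ipAddress: '192.0.2.90' },
    outcome: { result: 'SUCCESS' }, target: [] },
];

function detectMfaResetThenNewLogin(events, privileged, windowMs) {
  const sorted = [...events].sort((a, b) => Date.parse(a.published) - Date.parse(b.published));
  const knownIps = new Map();       // user -> Set of IPs seen in earlier sessions
  const pendingResets = new Map();  // user -> most recent reset_all event
  const alerts = [];

  for (const ev of sorted) {
    const ok = ev.outcome && ev.outcome.result === 'SUCCESS';
    if (!ok) continue;
    const t = Date.parse(ev.published);

    if (ev.eventType === 'user.mfa.factor.reset_all') {
      // The reset's target, not its actor, is the account that just lost all factors.
      for (const tgt of ev.target || []) {
        if (tgt.type === 'User' && privileged.has(tgt.alternateId)) {
          pendingResets.set(tgt.alternateId, ev);
        }
      }
    } else if (ev.eventType === 'user.session.start') {
      const user = ev.actor.alternateId;
      const ip = ev.client && ev.client.ipAddress;
      const seen = knownIps.get(user) || new Set();
      const reset = pendingResets.get(user);
      if (reset && t - Date.parse(reset.published) <= windowMs && !seen.has(ip)) {
        alerts.push({
          user, ip, loginAt: ev.published,
          resetAt: reset.published, resetBy: reset.actor.alternateId,
        });
        pendingResets.delete(user);
      }
      seen.add(ip);               // every successful session extends the baseline
      knownIps.set(user, seen);
    }
  }
  return alerts;
}

console.log(JSON.stringify(detectMfaResetThenNewLogin(SAMPLE_EVENTS, PRIVILEGED, WINDOW_MS), null, 2));
```

In production the IP baseline should come from weeks of history rather than the events in the same batch, and the privileged set should be derived from group or role membership rather than a hard-coded list; the correlation logic is the part worth keeping.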

Software Supply Chain Security

NIST: SP 800-204D ipd Available for Comment
NIST Special Publication (SP) 800-204D, Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines, is now available for public comment through October 13, 2023.

ReversingLabs: VMConnect Attack Continues
ReversingLabs' Karlo Zanki dissects the three most recently discovered malicious PyPI packages attributed to the VMConnect software supply chain campaign: request-plus, requestpro, and tablediter. Signatures identified in the packages have led ReversingLabs to conclude that the VMConnect campaign can be linked to the North Korean state-sponsored Lazarus Group.

Phylum: Crypto Developers Targeted By Malicious npm Packages
The Phylum Security Research team detects and dissects an ongoing attack targeting crypto developers that attempts to exfiltrate sensitive information such as developer source code and environment configurations.

Moderne: Remediating Vulnerable Dependencies
Moderne's Sam Snyder and Sharon Power find that 70% of vulnerable dependencies require a minor or major version update, which either potentially or definitely breaks the consuming source code. The Moderne Platform leverages OpenRewrite recipes to automate the code changes those upgrades require.

Overlay: Browser Extension Helps Devs Select OSS Dependencies
The Open Source Supply Chain Attack Research group's Overlay browser extension aids developers in assessing open source packages by consolidating data from sources like Snyk Advisor, Debricked, Socket.dev, and Deps.dev. It surfaces this data on package pages for registries such as npm, PyPI, and Go. Currently, Overlay supports the websites stackoverflow.com, npmjs.com, and pypi.org.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or just want to chat? Slide into my inbox! 💌

If you think someone could benefit from this, don’t hesitate to forward.

See you next Monday!
-Kyle