[CramHacks] Newsletter #1

CramHacks Chronicles: Key Insights On Information Security & Software Supply Chain Risks

🥳 Happy Monday! 🥳

Life Update

HI Kauai! See what I did there? (HI == Hawaii) - that was a good one.

It’s time for a vacation 🏄‍♂️ ☀️ but that doesn’t mean the world stops turning. I’m definitely excited to explore, surf, and relax, although it typically takes about a week for my technology withdrawals to subside. But, with the help of this newsletter, I’ve never been more motivated, and I know this short break will produce some nice ROI in terms of productivity.

Information Security

Microsoft: Storm-0558 Key Acquisition
Microsoft Security Response Center (MSRC) released its investigation findings following the July 11, 2023 announcement detailing an attack by the China-based threat actor Storm-0558. The attack consisted of using an acquired Microsoft account (MSA) consumer signing key to forge tokens and access OWA and Outlook.com.

“Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”

Following this incident, CISA and Microsoft worked together to identify critical logging data to be included in Microsoft Purview Audit (Standard). As you might have experienced, it can be infuriating to try and assess whether your environment has been impacted by an incident caused by Microsoft, only to find out you don’t pay enough money to do so.

Google: North Korean campaign targeting security researchers
Google’s Clément Lecigne and Maddie Stone share how government-backed actors in North Korea are targeting security researchers: building rapport via social media, then delivering a malicious file containing 0-day(s) targeting popular software.

Additionally, the malicious actors created a Windows trojan advertised as a tool to “download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers”, which actually enabled downloading and executing arbitrary code from an attacker-controlled domain.

Apple: NSO Group The BLASTPASS Exploit Chain (Pegasus)
“‘ALERT: State-sponsored attackers may be targeting your iPhone,’ it read. More spam, I thought.” -The Daily Mail’s Glen Owen

Citizen Lab announced the discovery of a zero-click, zero-day exploit used to deliver NSO Group’s Pegasus mercenary spyware, labeled the BLASTPASS Exploit Chain. Apple’s latest security update offers some insight as to where these vulnerabilities (CVE-2023-41064 and CVE-2023-41061) reside.

MGM: Operations in shambles due to Cyber Attack
TechCrunch’s Carly Page discusses the (at the time of writing this) ongoing cyber attack that has halted much of MGM’s operations. All of MGM’s Grand Hotels & Casinos properties have been impacted by outages.

“According to reports on social media, the incident has led to outages impacting ATM cash dispensers and slot machines at MGM’s Las Vegas casinos, and forced hotel restaurants to accept cash-only payments. Guests also report that they cannot charge anything to their rooms and are unable to use their digital room keys.”

Software Supply Chain Security

CISA: Open Source Software Security Roadmap
“The roadmap lays out four key priorities to help secure the open source software ecosystem: (1) establishing CISA’s role in supporting the security of open source software, (2) driving visibility into open source software usage and risks, (3) reducing risks to the federal government, and (4) hardening the open source ecosystem.”

Overall, it’s about what I expected, and I’d be shocked if CISA isn’t taking this straight from healthcare’s playbook. The roadmap reminds me of preventive vs reactive healthcare, which we now know works! In the long term, promoting good hygiene at home, such as washing your hands and getting your annual checkup, has serious benefits - who would’ve known. If we all washed our source code before leaving the bathroom, OSS would see similar benefits 😃.

Semgrep: Managing Transitive Supply Chain Risks
Whoop, my own article made the Newsletter 🥳. This article discusses transitive dependencies, prioritizing risks based on reachability & exploitability, and why today’s issues aren’t going anywhere anytime soon.

Palo Alto: Unpinnable Actions - GitHub Actions Workflows
Palo Alto’s Yaron Avital will make you rethink whether you should be trusting your GitHub Actions. Yaron goes over methods malicious actors may use to embed malware in Docker container, composite, and JavaScript actions, regardless of whether or not the action is configured to require action pinning.

“Of approximately 6,000 workflows used in 2,000 projects, we discovered that 67% of the projects pinned unpinnable actions.”
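To make the pinning caveat concrete, here is an added example of my own (not code from Yaron’s article) that audits a constructed workflow for `uses:` references not pinned to a full commit SHA or image digest, and then checks a constructed Docker action’s Dockerfile for base images pulled by mutable tag, which is one way a SHA-pinned action can still change underneath you. The workflow, Dockerfile, and the hashes in them are all made-up placeholders.

```python
import re

# Constructed sample workflow and Dockerfile (made up for this example, not from the article).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder commit SHA
      - uses: actions/setup-node@v3                                       # tag: mutable
      - uses: docker://alpine:3.18                                       # image tag: mutable
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""
SAMPLE_DOCKERFILE = """\
FROM golang:1.21 AS build
FROM alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=build /app /app
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FROM_RE = re.compile(r"^\s*FROM\s+(\S+)(?:\s+AS\s+(\S+))?", re.MULTILINE | re.IGNORECASE)
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def _has_digest(image: str) -> bool:
    # True only when the image reference carries a full sha256 digest.
    return "@" in image and DIGEST_RE.match(image.split("@", 1)[1]) is not None

def classify_uses(ref: str) -> str:
    """'pinned' or 'mutable' for one workflow `uses:` reference."""
    if ref.startswith("docker://"):
        return "pinned" if _has_digest(ref[len("docker://"):]) else "mutable"
    return "pinned" if "@" in ref and SHA40_RE.match(ref.rsplit("@", 1)[1]) else "mutable"

def audit_workflow(text: str) -> dict:
    """Map each `uses:` reference in a workflow to its pin status."""
    return {m.group(1): classify_uses(m.group(1)) for m in USES_RE.finditer(text)}

def unpinned_base_images(dockerfile: str) -> list:
    """FROM images without a digest: they can change beneath a SHA-pinned Docker action."""
    stages, unpinned = set(), []
    for m in FROM_RE.finditer(dockerfile):
        image, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())  # multi-stage aliases are not external images
        if image.lower() in ("scratch", *stages) or _has_digest(image):
            continue
        unpinned.append(image)
    return unpinned
```

Digest-pinning a base image closes only the Dockerfile path; composite and JavaScript actions need their own review of what they fetch at run time.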

Checkmarx: Malicious PyPI packages laced with WhiteSnake Malware
Checkmarx’s Yehuda Gelb dissects threat actor PYTA31’s distribution of malicious packages in the PyPI repository from April through mid-August.

The WhiteSnake malware, otherwise known as “WhiteSnake Stealer”, exfiltrates sensitive data from target machines through Command and Control (C2) servers. The exfiltration consists of uploading bulk data via a file-sharing service and sending a shared link to the data through a Telegram channel to avoid detection.

Checkmarx: New Exploit - Renaming Operations Enables Repojacking
Checkmarx’s Elad Rapoport & Yehuda Gelb determine that 4,000+ GitHub repositories are vulnerable to repojacking attacks due to a race condition between GitHub's repository creation and username renaming operations. Checkmarx responsibly disclosed the issue to GitHub, which has since fixed it.

“The steps to reproduce this exploit are as follows:

  1. Victim owns the namespace ‘victim_user/repo’

  2. Victim renames ‘victim_user’ to ‘renamed_user.’

  3. The ‘victim_user/repo’ repository is now retired.

  4. An attacker who owned the username ‘attacker_user’ prepares a command which practically simultaneously creates a repo called ‘repo’ and renames the username ‘attacker_user’ to the victim’s old username, ‘victim_user’. This is done using an API request for repository creation and a rename request interception for the username change.”

NightOwl: Dark Mode to Really Dark Mode
Gizmodo’s Kyle Barr discusses how an application released in mid-2018, intended to enable dark mode for macOS users, can result in some odd behaviors. NightOwl was sold earlier this year, and the new ownership opted to proxy network traffic to “solely collect users’ IP addresses”. Please just uninstall this thing. I wonder how many dormant apps are now malware.

Miscellaneous

The Beginner's Guide to Cybersecurity
Francis Odum shares a great overview of modern-day cybersecurity and relevant vendors. I’d absolutely recommend this to anyone and everyone, but maybe keep in mind that a tool isn’t the answer to everything. One example is Enterprise Browsers - if you think your organization requires an Enterprise Browser, you probably shouldn’t be finding out via a Beginner’s Guide to Cybersecurity 😉.

Mozilla: Nissan & Kia collect data about sex life 🤔
Mozilla’s Jen Caltrider, Misha Rykov, and Zoë MacDonald share the highlights of their *Privacy Not Included research, which resulted in all 25 car brands evaluated receiving the coveted “Warning: *privacy not included with this product” label.

Some that stood out to me:

  • 84% can share your personal data & 76% can sell it

  • Hyundai’s privacy policy states that they will comply with “lawful requests, whether formal or informal.”

  • Nissan’s includes collecting data on “sexual activity” & Kia’s includes collecting data on “sex life” - I have so many questions

  • Tesla’s states the following if you opt out of the data collection program: “This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability.”

ATMs: Printing money with a Raspberry Pi
Three men in Lubbock, Texas, were arrested after using a Raspberry Pi to disable security controls and force ATMs to spit out 💰️💰️💰️.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or just want to chat? Slide into my inbox! 💌

If you think someone could benefit from this, don’t hesitate to forward.

See you next Monday!
-Kyle