CramHacks Chronicles #24: Weekly Cybersecurity Newsletter!
LLMs are hackers and Ransomware groups under attack!
Happy Monday!
Major thank you to the almost 100 people who attended last week's OWASP Bay Area Meetup hosted by Semgrep and JIT.IO!
I had a blast telling everyone about my weird obsession with software supply chain security and, more specifically, managing third-party package vulnerabilities. Special thanks to those who chatted afterward; your insights are invaluable!
I'll be giving a similar talk for the Cloud Security Alliance San Francisco Chapter on February 29th! You can join at 6 PM Pacific Time via the link here.
Application Security
ConnectWise ScreenConnect <=23.9.7 CVSS 10.0
This remote code execution vulnerability can be used to compromise vulnerable ConnectWise ScreenConnect servers and likely pivot to endpoints. Those running vulnerable versions of ScreenConnect, whether self-hosted or on-premise, need to update their servers to version 23.9.8 immediately to apply the security patch.
Security researchers, including Huntress, have successfully created exploits for this vulnerability.
Artificial Intelligence
Chat With RTX Brings Custom Chatbot to NVIDIA RTX AI PCs
NVIDIA has released a tech demo that allows users to personalize a chatbot with their own content. Chat with RTX is compatible with NVIDIA GeForce RTX 30 Series GPU or higher with at least 8 GB of VRAM.
What I enjoy most about these AI advancements is the ease of use. You can be using Chat with RTX in less than 30 minutes. If you're interested in how to set things up, here's a random tutorial I pulled from Google.
Sam Altman Seeks Trillions of Dollars to Reshape Business of Chips
Altman is in discussions with investors, including those from the UAE, for an effort that may cost as much as $7 trillion.
We inevitably need to work out something better for chip manufacturing, but I have a hard time with the UAE from an ethics perspective. Maybe it's wrong of me; I would love to learn more about the country and culture.
LLM Agents can Autonomously Hack Websites
While a neat idea, this paper was overhyped big time. They picked 50 old, non-static websites that they thought would have a vulnerability and found one benign XSS vulnerability. Meanwhile, the conclusion was "this shows that GPT-4 is capable of autonomously finding vulnerabilities in real-world websites."
I would've liked them to compare the results to other available tooling. I'd bet Burp Suite would've detected it as well.
Breaches
KrebsOnSecurity: US Internet Leaked Years of Internal, Customer Emails
Krebs reports on Hold Security's disclosure of US Internet Corp leaking over a decade's worth of internal emails and emails for thousands of Securence customers. Emails were accessible via a public link to a US Internet Corp email server, with clickable links to access emails for more than 6,500 domain names.
Securence is a wholly owned subsidiary of US Internet Corp, a Minnesota-based internet service provider (ISP). It is "a leading provider of email filtering and management software that includes email protection and security services for small business, enterprise, educational, and government institutions worldwide."
This is ridiculously pathetic. The company's response suggests that there was an issue with an Ansible playbook, but god knows what else has a screw loose at this company. To make matters worse, comments suggest that Securence customers have not been notified.
I-S00N: Chinese spyware vendor data breach
A spyware vendor contracted by the Chinese government is in trouble, to say the least. Documents were leaked to GitHub via an unknown source and contained many concerning insights into their operations. Examples include custom Remote Access Tools (RATs) for Windows x86/x64, macOS, older Linux distros, iOS, and Android. Perhaps more interestingly, at first glance, there seem to be relatively sophisticated hardware and software tools to target WiFi networks. Vx Underground is also hosting this leak here.
Although not yet confirmed, I'm not all that surprised. The WiFi stuff interests me because network pentesting has been pretty stagnant these past few years. There are just not many organizations concerned with Chinese vendors shipping them power strips that hack their networks. I'm most excited to read some of these chat logs and gain insight into their operations.
Cloud Security
FedRAMP Vulnerability Scanning Requirements v3.0
Released on 2/15/24, the document has been updated to consolidate all scanning requirements for cloud service providers (CSPs), third-party assessment organizations (3PAOs), government contractors working on FedRAMP projects, and government employees working on FedRAMP projects.
I haven't looked at FedRAMP in a good while; these are just three requirements that I thought were noteworthy.
Authenticated scans with administrator access must be used where possible for moderate and high systems
CSPs must scan operating systems, Web applications, and databases at least monthly
The CSP must only utilize containers where the image is "hardened."
Hi Chainguard
Health Hacks
Bryan Johnson: My #1 Food For Anti-Aging
I wouldn't have guessed this, but apparently, Bryan Johnson's #1 food for anti-aging is extra virgin olive oil. Keep in mind that not all extra virgin olive oil is created equal.
For those who don't know, Bryan Johnson is a successful and uber-wealthy entrepreneur (founder, chairman, and CEO of Braintree, which acquired Venmo and sold to PayPal) who is now trying to practice anti-aging. It's incredible what money can buy.
I've been following Bryan Johnson for a good while now, not that I follow anything he suggests. But I'm confident enough that he's the real deal, and despite my jealousy, I'm excited to see how things progress.
Neuralink's first human patient able to control mouse through thinking
This is freakin' nuts. I can't wait for my brain chip.
Miscellaneous
Reward (up to $15M) for Information: ALPHV/Blackcat Ransomware as a Service
The US Department of State is offering up to $10,000,000 for information that assists in identifying key leaders, or their location, in the group behind ALPHV/Blackcat ransomware. Additionally, up to $5,000,000 is being offered for information leading to the arrest and conviction of any individual participating or attempting to participate in these ransomware activities.
Rippling: Engineering a SIEM Part 1: Why did we need to build our own SIEM?
Staff Security Engineer Piotr Szwajkowski shares Rippling's priorities for a security information and event management (SIEM) solution.
Based on this blog post, I'd disagree with the decision to build the SIEM internally. That said, it's a nice wish list, and I hope to be proven wrong! Rippling undoubtedly has some serious talent. I'm looking forward to part 2 of this series.
Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates
US and UK authorities have seized the darknet websites operated by LockBit. LockBit is a ransomware group that has claimed over 2,000 victims worldwide and extorted over $120 million. LockBit's webpage, historically used for shaming compromised victims, now offers free recovery tools and includes news about arrests and criminal charges related to LockBit affiliates.
Software Supply Chain Security
LegitSecurity: Azure DevOps Zero-Click CI/CD Vulnerability
LegitSecurity Researcher Nadav Noy discloses a zero-click vulnerability CVE-2023-36561 that allows an attacker to access secrets and perform actions with elevated permissions.
To be vulnerable, the following three conditions must be met:
A public GitHub repository runs Azure Pipelines on pull requests
The default Azure Pipelines fork configuration is used to trigger pipeline runs
The project is using Pipeline-Triggers
While a fix was released in October 2023, I wanted to share this as I'm becoming very interested in vulnerabilities relating to CI/CD. There seem to be a lot of them, which is fun.
NIST: Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines
A 32-page document that maps objectives from the Secure Software Development Framework (SSDF) to CI/CD pipeline security controls, specifically in the context of software supply chain security in the development and deployment of cloud-native applications.
Appendix A is what you're looking for: Table 2, Mapping of recommended CI/CD pipeline security tasks to SSDF practices.
Until Next Time!
Hey, you made it to the bottom; thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox!
Don't hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle