CramHacks Chronicles #31: Weekly Cybersecurity Newsletter!
Top 10 threats for 2030, End-of-life containers can mean 400+ CVEs per year, A review of zero-day in-the-wild exploits, and more!
🥳 Happy Monday! 🥳
I hope you’re having a good week thus far. This week is a short one! I’ve got a lot going on behind the scenes that I’m excited to share with you in the coming months.
Top 10 threats for 2030
Supply Chain Compromise of Software Dependencies
Skill Shortage
Human Error and Exploited Legacy Systems Within Cyber-Physical Ecosystems
Exploitation of Unpatched and Out-of-date Systems within the Overwhelmed Cross-sector Tech Ecosystem [New in Top Ten]
Rise of Digital Surveillance Authoritarianism / Loss of Privacy
Cross-border ICT Service Providers as a Single Point of Failure
Advanced Disinformation / Influence Operations (IO) Campaigns
Rise of Advanced Hybrid Threats
Abuse of AI
Physical Impact of Natural/Environmental Disruptions on Critical Digital Infrastructure
Application Security
CVE-2024-24576 (CVSS 10): Rust Flaw Exposes Windows Systems to Command Injection Attacks
Before Rust 1.77.2, the standard library's Command API did not correctly escape arguments when it launched a batch file (.bat or .cmd) on Windows. Such files are run through cmd.exe, whose quoting rules differ from those of ordinary executables, so an attacker who controls an argument can break out of the quoting and run arbitrary commands. Only code (or dependencies) that invokes batch files with untrusted arguments on Windows is affected; other operating systems are not. Rust 1.77.2 escapes arguments for cmd.exe and makes Command return an InvalidInput error when an argument cannot be escaped safely.
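To make the mechanism concrete, here is an added example (written for this summary; it is not code from the post, the Rust advisory, or the Rust standard library). It builds the command line an MSVC-style quoter produces, shows how cmd.exe's own quote handling turns an embedded quote into a command separator, and ends with a conservative pre-spawn check. Python's subprocess.list2cmdline() applies the MSVC quoting rules, and the cmd.exe model, the script name build.bat and the hostile argument are simplifications and made-up values for illustration.

```python
"""Added example: why MSVC-style argument quoting is unsafe when the target is a batch file.

A .bat/.cmd file is not executed directly on Windows; the runtime hands the whole
command line to cmd.exe, whose parsing differs from the MSVC runtime's: a double
quote only toggles in/out of quoted state, a backslash is not an escape, and
& | < > outside quotes are command operators. Python's subprocess.list2cmdline()
implements the MSVC rules (an embedded quote becomes \"). The cmd.exe model below
is a simplification made for this example: it ignores %VAR% expansion, ^ escapes
and the outer `cmd.exe /c "..."` wrapper. It only builds and inspects strings, so
it runs on any OS.
"""
import subprocess

CMD_OPERATORS = frozenset("&|<>")
BATCH_EXTENSIONS = (".bat", ".cmd")
# Characters cmd.exe may interpret even inside quotes (% and ! via variable
# expansion) or that can end the quoted region (" and line breaks).
UNSAFE_IN_BATCH_ARG = frozenset('"%!^&|<>\r\n')


def msvc_command_line(script, args):
    """Command line an MSVC-style quoter produces for `script arg1 arg2 ...`."""
    return subprocess.list2cmdline([script, *args])


def cmd_operators_outside_quotes(cmdline):
    """(index, char) of every operator cmd.exe would see outside double quotes."""
    in_quotes = False
    found = []
    for i, ch in enumerate(cmdline):
        if ch == '"':
            in_quotes = not in_quotes          # no escaping: \" still toggles
        elif ch in CMD_OPERATORS and not in_quotes:
            found.append((i, ch))
    return found


def is_batch_file(program):
    return program.lower().endswith(BATCH_EXTENSIONS)


def unsafe_batch_args(program, args):
    """Arguments that should not be passed to a batch file: returns
    [(arg, sorted offending characters)], empty when the call is acceptable."""
    if not is_batch_file(program):
        return []
    return [(a, sorted(UNSAFE_IN_BATCH_ARG & set(a)))
            for a in args if UNSAFE_IN_BATCH_ARG & set(a)]


def check_batch_args(program, args):
    """Conservative pre-spawn gate: raise instead of handing cmd.exe metacharacters
    to a batch file. (Rust 1.77.2 takes the same approach: Command returns an
    InvalidInput error when an argument cannot be escaped safely for cmd.exe.)"""
    bad = unsafe_batch_args(program, args)
    if bad:
        raise ValueError(f"refusing to run {program} with unsafe arguments: {bad}")


if __name__ == "__main__":
    # Constructed attacker-controlled argument: the \" produced by MSVC quoting
    # is read by cmd.exe as a plain quote, so the & operators land outside quotes.
    hostile = 'x" & calc.exe & "'
    line = msvc_command_line("build.bat", [hostile])
    print(line)                                    # build.bat "x\" & calc.exe & \""
    print(cmd_operators_outside_quotes(line))      # [(15, '&'), (26, '&')]
    print(cmd_operators_outside_quotes(msvc_command_line("build.bat", ["a & b"])))  # []
    check_batch_args("build.bat", [hostile])       # raises ValueError
```

The benign "a & b" case shows that quoting alone is fine as long as the argument carries no embedded quote; it is the MSVC `\"` escape, which cmd.exe does not understand, that opens the hole. The gate is deliberately stricter than necessary (it also refuses `%` and `!`, which cmd.exe expands even inside quotes); the real fix is to run Rust 1.77.2 or later and to avoid passing untrusted input to batch files at all.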
Google & Mandiant: A review of zero-day in-the-wild exploits in 2023
Maddie Stone, Jared Semrau, & James Sadowski highlight advancements in exploit mitigation, a shift towards attacking third-party components, and an increase in enterprise-targeted zero-day exploits predominantly by commercial surveillance vendors.
👋 This summary does not do this report justice - Give it a read!
Artificial Intelligence
Meta Will Label AI-Generated Content Starting In May
Content creators will be required to disclose when audio, video, or image content they upload is AI-generated, and Meta will also check uploads to Facebook, Instagram, and Threads for “industry standard AI image indicators.”
Miscellaneous
📺️ The Modern Security Podcast: How GitHub’s Chief Security Officer Blends Security & Engineering
Semgrep’s Clint Gibler & GitHub’s Mike Hanley discuss the importance of balancing engineering and security. I can’t imagine anyone better to discuss this topic, given Mike’s role as Chief Security Officer and SVP of Engineering 🤯.
👋 Listening to the full hour is definitely worth it, but key takeaways are also in the video description and thumbnails!
Statement from President Joe Biden on CHIPS and Science Act Preliminary Agreement with TSMC
Under a preliminary agreement for up to $6.6 billion in direct CHIPS and Science Act funding (plus up to about $5 billion in loans), Taiwan Semiconductor Manufacturing Company (TSMC) plans to invest more than $65 billion in its chip fabs in Phoenix, Arizona.
Google Public Sector achieves Top Secret and Secret cloud authorization
Google Distributed Cloud Hosted (GDC Hosted), now authorized for Top Secret and Secret missions, is an air-gapped cloud solution for U.S. intelligence and DoD agencies, featuring Zero Trust principles, SLSA framework-compliant application security, hardware vetted for vulnerabilities, CNSA 2.0 and FIPS 140-2/3 cryptography, and Mandiant-powered security operations.
Software Supply Chain Security
Chainguard: Why end-of-life software means 400+ CVEs per year
Principal Researcher Trevor Dunlap looks at the security risk of running End of Life (EOL) container images. Using endoflife.date, he identified 38 EOL projects and their official Docker Hub images, then scanned those images with Grype, an open-source vulnerability scanner, to count the CVEs each accumulates after its EOL date.
(Chart from the post: accumulation of CVEs over time since EOL, broken down by where in the image each vulnerability appears.)
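The two checks the study rests on, as an added example that is not the post's own tooling: is an image's release cycle past end-of-life according to endoflife.date, and how many distinct CVEs does a Grype scan of that image report, split by severity and by where in the image the vulnerable package lives (OS package manager vs language ecosystem). Both inputs are constructed samples in the shape of the real endoflife.date API and Grype JSON output; the cycles, image, package names, CVE ids and dates are made up.

```python
"""Added example: EOL status from endoflife.date plus a Grype CVE breakdown, offline.

Input shapes (constructed samples below follow them):
  - GET https://endoflife.date/api/<product>.json returns a list of cycles; each
    cycle's "eol" is an ISO date string, or a boolean when no date is published.
  - `grype <image> -o json` prints {"matches": [...]}, each match carrying
    vulnerability.id, vulnerability.severity and artifact.type.
"""
import json
from collections import Counter
from datetime import date

# Constructed endoflife.date response: one cycle past EOL, one supported, one open-ended.
SAMPLE_EOL_CYCLES = [
    {"cycle": "3.7", "latest": "3.7.17", "eol": "2023-06-27"},
    {"cycle": "3.12", "latest": "3.12.3", "eol": "2028-10-31"},
    {"cycle": "main", "latest": "dev", "eol": False},
]

# Constructed Grype output for a hypothetical image built on the EOL 3.7 cycle.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "libexample", "version": "1.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "libexample", "version": "1.0", "type": "deb"}},
    # Same CVE matched again through a second package: must not be double counted.
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "libexample-dev", "version": "1.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"},
     "artifact": {"name": "requests", "version": "2.0", "type": "python"}},
    {"vulnerability": {"id": "GHSA-0000-0000-0000", "severity": "Low"},
     "artifact": {"name": "app", "version": "0.1", "type": "python"}},
]})

# Grype/Syft artifact types, grouped by where the package comes from.
OS_PACKAGE_TYPES = {"deb", "rpm", "apk"}
LANGUAGE_PACKAGE_TYPES = {"python", "npm", "gem", "java-archive", "go-module", "rust-crate"}


def find_cycle(cycles, cycle):
    for c in cycles:
        if c["cycle"] == cycle:
            return c
    raise KeyError(f"release cycle {cycle!r} is not listed")


def eol_status(cycles, cycle, today):
    """(is_eol, days_past_eol): days is None when not EOL or when no date is published."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    eol = find_cycle(cycles, cycle)["eol"]
    if isinstance(eol, bool):          # True: EOL, date unknown; False: no EOL scheduled
        return eol, None
    eol_date = date.fromisoformat(eol)
    if today < eol_date:
        return False, None
    return True, (today - eol_date).days


def location_of(artifact_type):
    if artifact_type in OS_PACKAGE_TYPES:
        return "os"
    if artifact_type in LANGUAGE_PACKAGE_TYPES:
        return "language"
    return "other"


def cve_counts(grype_json_text):
    """Distinct vulnerability ids by severity and by location. A finding that
    Grype reports for several packages counts once per location."""
    seen = set()
    by_severity, by_location = Counter(), Counter()
    for m in json.loads(grype_json_text).get("matches", []):
        vid = m["vulnerability"]["id"]
        loc = location_of(m["artifact"]["type"])
        if (vid, loc) in seen:
            continue
        seen.add((vid, loc))
        by_severity[m["vulnerability"].get("severity", "Unknown")] += 1
        by_location[loc] += 1
    return dict(by_severity), dict(by_location)


def triage(cycles, cycle, grype_json_text, today):
    """Summary a practitioner would act on: EOL state plus the CVE breakdown."""
    is_eol, days = eol_status(cycles, cycle, today)
    by_severity, by_location = cve_counts(grype_json_text)
    return {"eol": is_eol, "days_past_eol": days, "total_cves": sum(by_location.values()),
            "by_severity": by_severity, "by_location": by_location}


if __name__ == "__main__":
    print(triage(SAMPLE_EOL_CYCLES, "3.7", SAMPLE_GRYPE_JSON, "2024-04-15"))
```

The de-duplication matters when reproducing the post's numbers: Grype emits one match per affected package, so a single CVE in a shared library shows up several times, and counting matches instead of distinct ids inflates the total. Splitting by artifact type is what lets you tell "the base OS stopped getting patches" apart from "the application's own dependencies are stale", which call for different fixes.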
Manual review of all new snap name registrations
To combat malicious application uploads, Canonical’s Snap Store has introduced a new registration process requiring manual review, specifically scrutinizing crypto-wallet-related submissions. The post mentions that they aim to respond to submissions within two working days, with further policy updates to be announced.
Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance
Brandon Lum & Isaac Hepworth break down Google’s response to US White House Executive Order 14028 and how Google went from 0 to 100M SBOMs in six months.
👋 KubeCon had some seriously awesome talks this year! I’m slowly working through them, but I wanted to highlight this one quickly!
NVD Dashboard: Still Falling Behind
Patrick Garrity points out that NVD surpassed 10,000 CVEs received this year, but only 4,355 have been processed, and only 245 since March 1st.
👋 I see modified CVEs re-analyzed by NVD and can't help but think that 1,225 additional NEW CVEs could've been analyzed instead.
Given that NVD has received 0 Modified CVEs this year, that tells me CVEs need a life span. Let's maybe stop wasting resources analyzing CVEs for software that has been EOL for years.
Adopting the CWE standard for Microsoft CVEs
The Microsoft Security Response Center (MSRC) has transitioned to using the Common Weakness Enumeration (CWE) industry standard for publishing root cause data of Microsoft CVEs.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle