CramHacks Chronicles #32: Weekly Cybersecurity Newsletter!

CISA releases Next-Gen Malware Analysis, Sisense's Security Slip-Up, Debating SAST's Value, Secure Defaults!

🥳 Happy Monday! 🥳

I hope you are doing well! Lately, I’ve been getting in loads of surfing, which has sparked some creativity in my research interests.

You can count on CramHacks to provide a weekly cybersecurity newsletter, but with some patience, you can also expect solid, longer-form content!

Oh, Sisense, why oh why...

“Our customers must reset any keys, tokens, or other credentials in their environment used within the Sisense application.”

Sisense is 20+ years old but still seeing rapid growth. In 2020, Sisense raised $100M+ at more than a $1 Billion Valuation. This is an unfortunate event, but I hate to say I’m not surprised—many of you are likely just as susceptible.

According to “two trusted sources,” a malicious actor somehow gained access to Sisense’s self-managed Gitlab platform with privileges to view a code repository containing a token or credential that gave access to Sisense’s Amazon S3 buckets.

From there, the attackers exfiltrated terabytes of Sisense customer data, including millions of access tokens, email account passwords, and SSL certificates.

Having witnessed early results of the Semgrep Secrets product, it was evident that exposed secrets are a massive issue. But what are some challenges with managing exposed secrets?

  1. Noise: false positives - get a secret scanner that offers validators.

  2. Secrets need identifiers. The industry must move away from random (weak) secrets, which is a big reason for all the false positives! For example, GitHub personal access tokens start with ‘ghp_’.

  3. Ensure developers know how/when secrets get exposed. Just because you merged a commit that removed a hardcoded secret doesn’t mean it’s safe!

Finally, the part I don’t necessarily have an answer for is that you need to know how and why that secret exists and who its owner is. Finding exposed secrets is one thing; rotating your secrets is another. A judgment call must often be made on whether or not to allow the secret to remain based on risks. What are the risks if that secret is compromised, vs. what are the risks of rotating it and breaking something?
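To make points 2 and 3 of the list above concrete, here is an added example (not from the newsletter or any scanner product): it scans a constructed `git log -p` style history with a prefix-based matcher and with a generic entropy heuristic. The token value, build id, commit ids, the 3.5-bit threshold and the "ghp_ plus 36 alphanumeric characters" shape are assumptions made for the illustration.

```python
import math
import re

# Constructed sample values, not real credentials. The token follows the
# assumed classic PAT shape: "ghp_" plus 36 alphanumeric characters.
TOKEN = "ghp_" + "EXAMPLEexampleEXAMPLEexample01234567"
BUILD_ID = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b"  # harmless 40-hex build id

# Constructed `git log -p` style excerpt: commit 1111111 adds the token,
# commit 2222222 "fixes" it by moving the value to an environment variable.
HISTORY = f"""\
commit 1111111
+++ b/config.py
+API_TOKEN = "{TOKEN}"
+BUILD_ID = "{BUILD_ID}"
commit 2222222
--- a/config.py
+++ b/config.py
-API_TOKEN = "{TOKEN}"
+API_TOKEN = os.environ["API_TOKEN"]
"""

GITHUB_PAT = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")  # identifiable secret
GENERIC = re.compile(r"[A-Za-z0-9_]{20,}")           # any long opaque string

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def by_prefix(text):
    return GITHUB_PAT.findall(text)

def by_entropy(text, threshold=3.5):
    return [s for s in GENERIC.findall(text) if entropy(s) > threshold]

def scan(history, matcher):
    """Return (commit, '+' or '-', match) for every added AND removed line."""
    findings, commit = [], None
    for line in history.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
            findings += [(commit, line[0], hit) for hit in matcher(line[1:])]
    return findings

if __name__ == "__main__":
    print("prefix :", scan(HISTORY, by_prefix))
    print("entropy:", scan(HISTORY, by_entropy))
```

The prefix matcher reports the token in both commits, including the `-` line of the commit that removed it, so the value is still readable from history and needs rotation. The entropy heuristic additionally flags the build id, which is the kind of noise point 1 refers to.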

Application Security

Comparison and Evaluation on Static Application Security Testing (SAST) Tools for Java 
Recently, there was a wave of SAST haters trying to disprove its value because a single research paper showed that in their sample of 165 Java projects with verified CVEs, the best SAST tool tested only found 12.7% of the vulnerabilities. Daniel Cuthbert does a great job analyzing the meaningful content this paper offers - there’s lots!

👋 It’s unfortunate to see how many people skimmed this paper, likely didn’t understand 90% of it, and then ran online to say SAST can only detect 10% of vulnerabilities…. Firstly, the researchers only used basic configurations of open-source SAST tools. Secondly, matured projects are (hopefully) using SAST tools; therefore, all the vulnerabilities SAST can detect hopefully don’t exist in the first place!

Is SAST a silver bullet? No, of course not. But when I see a developer using a SAST IDE integration, they write a vulnerable line of code, which immediately gets highlighted, prompting them to remediate the issue before ever needing to build the project… It’s the most beautiful thing I’ve ever seen.

tl;dr sec: awesome-secure-defaults
A GitHub repository with “secure by default libraries” aimed at eliminating common bug classes.

Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers
Twitter/X’s automatic replacement of “twitter.com” in links with “x.com” led to the opportunistic registration of misleading domains, prompting defensive registrations to prevent phishing, but Twitter/X quickly corrected this.

Miscellaneous

OpenTofu: Our Response to Hashicorp’s Cease and Desist Letter
OpenTofu received a cease and desist from HashiCorp for alleged copyright infringement, which they dispute with evidence showing the code originates from MPL-2.0 licensed material. Development on OpenTofu 1.7 continues, with a new release expected soon.

CISA Releases Malware Next-Gen Analysis System for Public Use
CISA has launched Malware Next-Gen, a public threat hunting and malware analysis system previously used by US federal agencies, to automatically analyze malicious files and URLs, supporting broader cybersecurity efforts with automated tools and shared insights.

👋 Sadly, you’re required to register and authenticate via login.gov.

CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect
👋 This is a bad one. If you’re affected and learning about this from a weekly cybersecurity newsletter, you should be concerned 🤣.

Software Supply Chain Security

Homebrew is now producing in-toto attestations
Shout out to Trail of Bits and all else involved in continuously improving the Homebrew ecosystem! Trail of Bits’ Joe Sweeney presented these enhancements at SOSS Community Day earlier this week!

What’s in the SOSS - An OpenSSF Podcast
Omkhar Arasaratnam, General Manager of the Open Source Security Foundation (OpenSSF), is now hosting a podcast to discuss key components of secure open-source software.

Life as a maintainer after the xz utils backdoor hack
Ever wonder what it’s like putting out global fires as an open-source maintainer? Well, here’s an hour of some of the best talking about their experiences and future fears.

Why I Signed: An Open Letter to Congress on the National Vulnerability Database
On April 12th, 2024, security researchers and practitioners published an open letter to the U.S. Congress and Secretary of Commerce urging action regarding NIST’s ability to maintain the National Vulnerability Database (NVD) effectively.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle