
CramHacks Chronicles #40: Weekly Cybersecurity Newsletter!

Exposed secrets everywhere! Offensive CI/CD Techniques, Common Misconceptions in Vulnerability Management

🥳 Happy Monday! 🥳

Secret Scanning has always been a worthy investment, especially because there are free solutions if you’re willing to deal with some noise. But sheesh, in the last week alone, I’ve lost count of how many incidents were caused by exposed secrets or credentials.

There are many great solutions, but Semgrep Scanner is, of course, what I have the most experience with.

I’m wondering if I may need to make a career change and get into serving virtual meatballs. IKEA Will Pay People £13.15 an Hour to Serve Meatballs at Its Virtual Roblox Store

Table of Contents

General News

Best Practices and Innovations in Software Supply Chain Security
On August 22, 2024, Semgrep’s Layla Arabian will be hosting a panel (which I’m excited to be a part of) with Ali Diamond, Nicole Schwartz, Kayla Underkoffler, and Andrew King!

GitHub CSS / XSS Injection Vulnerability
@kennethnym dives into the MathJax CSS injection attack, discovered and disclosed by @cloud11665 on X over the weekend. User @vmfunc publicly announced that XSS was possible but did not disclose a PoC.

👋 This was not a responsible disclosure, but no one was hurt (that I know of), and it was pretty funny to see all the GitHub profiles abusing this vulnerability. Definitely reminded me of the Myspace days.

Malware / Exploits

Gitloker attacks abuse GitHub notifications to push malicious OAuth apps
A malicious actor using the Telegram handle ‘GitLoker’ is wiping GitHub repositories and demanding a ransom for their return. Targets receive phishing emails with fake job offers or security alerts that redirect them to a malicious webpage, where they’re prompted to authenticate with GitHub and authorize a new OAuth App. Once authorized, that app holds a token with whatever scopes the victim granted, so the account’s password and MFA are not in the way.

👋 This was brought to the public’s attention by Germán Fernández on June 6th but is now believed to have been ongoing since at least February 2024.

CVE-2024-4577: Proof of Concept Available for PHP-CGI Argument Injection Vulnerability
PHP on Windows is vulnerable to remote code execution (RCE) in every version prior to the fixed releases (8.3.8, 8.2.20 and 8.1.29; end-of-life branches such as 8.0 and 7.x receive no fix). The cause is a character-encoding conversion performed by the Windows “Best Fit” feature, which lets an attacker smuggle command-line arguments to php-cgi.exe past the check added for CVE-2012-1823. You are affected if you’re running PHP with CGI mode enabled or if you’ve exposed the PHP binary in a web-accessible directory (this is the default for XAMPP, a popular PHP development environment). Out-of-the-box exploitation has been confirmed for Windows installations using the Traditional Chinese, Simplified Chinese and Japanese locales; other locales have not been ruled out.

👋 This only affects Windows hosts, but I’ll never pass up an opportunity to hate on PHP 😉. Realistically, if you run user-facing applications that are vulnerable to this, you likely have bigger problems. XAMPP is unsuitable for production servers, exposing the PHP binary is weird, and CGI mode has a big red banner saying it’s dangerous.
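To make the “Best Fit” detail concrete, here is an added example (written for this page, not code from the newsletter, PHP or any vendor) that screens web-server access log lines for the request shape this bug needs. The assumed mechanism: php-cgi.exe hands the query string to its argument parser, and in affected code pages Best Fit maps the soft hyphen U+00AD (byte 0xAD) to an ASCII hyphen, so `%ADd` arrives as `-d` and lets the attacker set php.ini directives. The log lines are constructed, and the directive names listed are the ones used in the public proof of concept.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Added example, not from the newsletter. Flags access-log lines whose query
# string carries a soft hyphen (0xAD) directly before a letter: after Windows
# Best-Fit conversion that byte becomes "-", so "%ADd" reaches php-cgi as "-d".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SOFT_HYPHEN_FLAG = re.compile(rb"\xad[A-Za-z]")
# Directives paired with "-d" in the public proof of concept (assumption about
# attacker intent; the soft hyphen alone is the signal, these only add context).
DIRECTIVES = (b"allow_url_include", b"auto_prepend_file", b"cgi.force_redirect")


def decoded_query(log_line: str):
    """Return the percent-decoded query string of the request as bytes, or None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    # unquote_to_bytes turns %AD into the single byte 0xAD and %3d into "=",
    # which is the view php-cgi gets; a str decode would mangle 0xAD.
    return unquote_to_bytes(urlsplit(m.group("target")).query)


def classify(log_line: str):
    """None for benign lines, else the decoded query and any known directives in it."""
    q = decoded_query(log_line)
    if q is None or not SOFT_HYPHEN_FLAG.search(q):
        return None
    return {"query": q, "directives": [d.decode() for d in DIRECTIVES if d in q]}


def scan_log(lines):
    """(index, finding) for every line that looks like a CVE-2024-4577 probe."""
    return [(i, r) for i, line in enumerate(lines) if (r := classify(line))]


# Constructed sample log lines (Apache combined format).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:10:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2024:10:00:02 +0000] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 77',
    # literal "-d": php-cgi has rejected that since the CVE-2012-1823 fix, not this bug
    '198.51.100.2 - - [10/Jun/2024:10:00:03 +0000] "GET /php-cgi/php-cgi.exe?%2Dd+x HTTP/1.1" 403 0',
    # soft hyphen in the path, not the query string: never reaches argv
    '198.51.100.2 - - [10/Jun/2024:10:00:04 +0000] "GET /soft%ADhyphen.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for idx, finding in scan_log(SAMPLE_LOG):
        print(f"line {idx}: soft-hyphen flag in query {finding['query']!r}; directives {finding['directives']}")
```

The interim mitigation PHP published for servers that could not patch was a rewrite rule rejecting query strings that begin with `%ad`; this check is the log-side equivalent, loosened to match the byte anywhere in the query because the PoC repeats the flag mid-string.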

New York Times source code stolen using exposed GitHub token
An anonymous user posted a torrent on 4chan pointing to a 273GB archive. In total, there are over 5,000 repositories and 3.6M files. The breach was caused by exposed GitHub credentials that were reportedly compromised in January 2024.
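Both this incident and the opening note come down to tokens sitting somewhere a scanner could have found them. Here is an added example (written for this page, not code from the newsletter or from GitHub) of why a scanner for GitHub tokens can be low-noise: the token carries its own checksum. The layout assumed follows GitHub’s 2021 post on its token formats (a `ghp_`-style prefix, 30 base62 characters of entropy, then 6 base62 characters holding a CRC32 of those 30); the base62 alphabet order is an assumption, and the sample text is constructed.

```python
import re
import zlib

# Added example, not code from the newsletter or GitHub. Assumed token layout:
# 4-char prefix ("ghp_", "gho_", "ghu_", "ghs_", "ghr_"), 30 base62 chars of
# entropy, 6 base62 chars encoding CRC32 of the entropy (alphabet order assumed).
B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
TOKEN_RE = re.compile(r"\b(gh[pousr]_[0-9A-Za-z]{36})\b")


def b62_encode(n: int, width: int = 6) -> str:
    """Base62-encode n, left-padded with '0' to width characters."""
    out = ""
    while n:
        n, r = divmod(n, 62)
        out = B62[r] + out
    return out.rjust(width, "0")


def checksum_ok(token: str) -> bool:
    """Recompute the trailing checksum and compare it with the one in the token."""
    body = token[4:]                       # drop the 4-character prefix
    entropy, checksum = body[:30], body[30:]
    return b62_encode(zlib.crc32(entropy.encode("ascii"))) == checksum


def make_token(entropy: str, prefix: str = "ghp_") -> str:
    """Build a self-consistent token for offline testing only; real ones come from GitHub."""
    assert len(entropy) == 30
    return prefix + entropy + b62_encode(zlib.crc32(entropy.encode("ascii")))


def scan(text: str):
    """Return (token, checksum_valid) for every token-shaped string in text."""
    return [(m.group(1), checksum_ok(m.group(1))) for m in TOKEN_RE.finditer(text)]


# Constructed sample: one well-formed token and one look-alike with a bogus checksum.
GOOD = make_token("abcdefghijklmnopqrstuvwxyz0123")
DECOY = "ghp_" + "A" * 36
SAMPLE = f'''
# ci.env (constructed)
GITHUB_TOKEN="{GOOD}"
# a placeholder someone typed, not a real token
EXAMPLE_TOKEN="{DECOY}"
'''

if __name__ == "__main__":
    for token, valid in scan(SAMPLE):
        verdict = "checksum OK, report it" if valid else "bad checksum, likely noise"
        print(f"{token[:8]}... {verdict}")
```

A plain regex reports both strings; the checksum separates the real hit from the placeholder, which is exactly the noise the free scanners mentioned above make you wade through. Validity of the checksum says nothing about whether the token is still live; that is a second, online check.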

Open Source

awesome-cicd-attacks
Asi Greenholts, a Security Researcher at Palo Alto Networks, has compiled over 50 practical resources for offensive CI/CD security research.

👋 If you’re an active reader, you’re likely aware that CI/CD attacks are rising. There’s a ton of opportunity here to make a massive impact; the space has loads of glaring security issues.

Secrets from the Algorithm: Google Search’s Internal Engineering Documentation Has Leaked
Internal documentation for Google Search’s Content Warehouse API was accidentally leaked. Fortunately, the code in the exposed GitHub repository was published under the Apache 2.0 license. Therefore, it’s free to use, modify, and distribute. Here’s a copy.

👋 I don’t understand 99% of this stuff. I’m not an SEO expert. But clearly, folks are frustrated. The tl;dr is that the leaked information suggests that Google has lied to them about how the Google Search ranking system works.

Vulnerability Management

Dirty Little Secrets of Vulnerability Management
👋 Check out the latest CramHacks blog post! We detail how the National Vulnerability Database (NVD) differs from the CVE Program, why the Exploit Prediction Scoring System (EPSS) does not help determine exploitability, and the known limitations of CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

Malicious Extensions: Shocking Statistics from the VS Code Marketplace
@amitassaraf, @ity_krk, and @IDardikman passionately want to spread the word about malicious VS Code extensions. In part 2 of a 6-part blog series, they share stats on the 10,000+ suspicious extensions in the VS Code Marketplace. For example, as per Google's OSV Scanner, 1,283 extensions, with over 229 million downloads, were found to use known malicious software packages.

👋 I think history will continue to repeat itself forever. Nearly every extension store is full of malware these days. It’s incredibly simple to create a malicious browser extension, VS Code extension, or software dependency; it’s really no surprise. Also, check out Part 3 of this series - A Letter to Microsoft: Uncovering Design Flaws of Visual Studio Code Extensions

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks now has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.