CramHacks Chronicles #42: Weekly Cybersecurity Newsletter!

🥳 Happy Monday! 🥳

I hope you are having a great week thus far. It’s very busy over here, between working on projects, podcast recordings, blog posts, prepping for conference talks, and life.

But it’s all great stuff, and I have no complaints! I really wish I had time to do more 😅.

Table of Contents

• General News

• Malware / Exploits

• Open Source

• Vulnerability Management

• Until Next Time! 👋

General News

Semgrep Custom Rules Level 1
Check out the latest free course, an introductory on how Semgrep customers can enforce secure guardrails and coding standards or find bugs across codebases. This lesson, and many others, is hosted at Semgrep Academy.

CVE Program: monetizing CNA status as a business plan
The May 2024 CVE Board Meeting Notes suggest that the newest CVE Numbering Authority, HeroDevs, has inquired about monetization. No further details were shared, but there’s a note to schedule further discussion.

👋 Any thoughts on what monetizing CNA status would entail? The next meeting is scheduled for the day this newsletter is released (June 26th, 2024)

Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models
When provided with specific tools, Google Project Zero's "Project Naptime" shows that large language models (LLMs) achieve significantly better results on the Meta vulnerability dataset. The framework used is shown below:

👋 “It's the opinion of the Project Zero team that substantial progress is still needed before these tools can have a meaningful impact on the daily work of security researchers.”

Malware / Exploits

Reputation Farming Using Closed Github Issues / PRs
Maintainers on OpenSSF’s Slack report suspicious activity in GitHub repositories, including commenting on or approving closed issues and PRs to boost reputation illegitimately. Recommendations include monitoring repository activity, locking old issues/PRs, and using GitHub actions for automatic inactivity locks.

👋 This activity was alerted via OpenSSF’s Siren list! Sign up (free) to get activity like this sent directly to your inbox.

Polyfill.io JavaScript supply chain attack impacts over 100K sites
The popular Polyfill JS project is being misused to infect over 100,000 websites that have integrated the package via the cdn.polyfill.io domain. Stay vigilant and scan your projects using this Semgrep rule.

👋 As CDNs for software packages decline in popularity, expect to see more incidents like this.

Technical Analysis of Apple Internal Source Code Leak
Andrew Henke, Founder of AHCTS, details the leak exposing internal plugins and configurations for Apple’s Confluence and Jira instances, including integration with AppleConnect and a custom Confluence UI theme for Apple's HMTS division. Credentials were found to be hardcoded within configuration files but are unusable due to the requirement for internal network access.

👋 The article suggests that Apple’s Atlassian Solution Partner (Cprime) is suspicious. They mention intelligence suggesting other vendors with Cprime as a partner have also recently been breached.

Open Source 

web-check: All-in-one OSINT tool for analyzing any website
Web-Check provides insights into IP info, SSL chain, DNS records, cookies, headers, domain info, server architecture, and more. Super fast!

Trusted Publishers for All Package Repositories
Seth Larsen has drafted this document for the OpenSSF Securing Software Repositories WG. Ultimately, the goal is to get buy-in and offer guidance on implementing Trusted Publishers.

👋 I hope more ecosystems get on board. Check out GitHub’s instructions on Enabling OpenID Connect for Python package publishing.

Vulnerability Management

Beyond the CVE: Analyzing the Depth of GitHub Security Advisories
The latest CramHacks blog post! Fun fact: ChatGPT generated all the code used to capture the data mentioned throughout the post. I want you to ask yourself, “How do you feel about there being <20,000 security advisories for ~60,000,000 total packages?”

Evaluating dependence on NVD
Ben Edwards’ analysis highlights the reduced capacity of the NVD and its impact on timely vulnerability reporting. He emphasizes the need for alternative sources like MITRE and CISA, and discusses CISA's new "vulnrichment" program as part of evolving solutions for comprehensive vulnerability data.

Probllama: Ollama Remote Code Execution Vulnerability (CVE-2024-37032) – Overview and Mitigations
Wiz Research discovered the Remote Code Execution vulnerability in Ollama, one of the most popular open-source projects for running AI Models. The vulnerability, caused by insufficient input validation, allows attackers to exploit path traversal to overwrite files and execute code.

👋 Yet another critical but trivial vulnerability. If you haven’t already, check out the CramHacks blog post, The Bug Bounty Gold Mine: AI/ML third-party packages!

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks now has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.