CramHacks Chronicles #45: Weekly Cybersecurity Newsletter!

PyPI dodges a bullet, Google domains hijacked, CISA broke into a US federal agency, and more!

🥳 Happy Monday! 🥳

I hope you’re doing well! I may be quieter than usual this week since I’m on vacation, but so much is happening in the software supply chain security space. It is mind-boggling how many trivial vulnerabilities are putting entire ecosystems at risk.

Despite being published in 2020, this three-part series on preventing pwn requests reveals how easy it is to identify and exploit vulnerabilities in GitHub Actions and workflows.

That said, I’m starting to do more offensive security research in my free time, focusing on open-source software vulnerabilities. I hope you find it interesting!

General News

Cloudflare: Application Security Report - 2024 update
31.2% of all application traffic processed by Cloudflare is bot traffic. DDoS attacks remain the most common attack against web applications, but CVEs are not to be ignored. CVE-2024-27198 (JetBrains TeamCity authentication bypass) was exploited in the wild just 22 minutes after the proof-of-concept code was published.

CISA broke into a US federal agency, and no one noticed for a full five months
CISA conducted a covert red team assessment on a federal civilian executive branch (FCEB) agency. They gained initial access through an unpatched vulnerability in Oracle Solaris, leading to domain compromise.

👋 CISA notified the agency of the vulnerability, but it took over two weeks for them to apply the patch. Additionally, there was no investigation to determine if the vulnerability was abused in their environment. 👎️

Squarespace Domain Hijacks Enabled by Email Address Exploit on Migrated Accounts
Google sold all Google Domains accounts to Squarespace in June 2023. The transition has been a mess thus far and enabled domain hijacking, which malicious actors abused to impact more than a dozen customers.

Malware / Exploits

Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine
JFrog's Andrey Polkovnichenko, Brian Moussalli, and Shachar Menashe detail the discovery of a PyPI admin's GitHub personal access token (PAT) found in the binary of a public Docker container.

👋 Interestingly, this secret wasn't exposed directly in the code base; instead, it was found in the .pyc file generated by the developer during testing.

RoguePuppet – A Critical Puppet Forge Supply Chain Vulnerability
In a detailed blog post, Adnan Khan highlights a critical supply chain vulnerability, dubbed "RoguePuppet," that affects Puppet Forge. Anyone with a GitHub account could push updated Puppet Forge packages by abusing poorly configured GitHub Actions.

👋 This is essentially a complete compromise of Puppet. 🤦

Chaining Three Bugs to Access All Your ServiceNow Data
Assetnote’s Adam Kues discloses how they chained three vulnerabilities to obtain full database access and full access to any MID servers configured.

Shelltorch Explained: Multiple Vulnerabilities in Pytorch Model Server (Torchserve) (CVSS 9.9, CVSS 9.8) Walkthrough
Oligo Security has identified multiple critical vulnerabilities in PyTorch's TorchServe (ShellTorch), leading to potential Remote Code Execution (RCE).

👋 My AI/ML friends have essentially told me they don’t care about PyTorch vulnerabilities 🤔. To some extent, I get it, at least for internal projects.

Fake AWS Packages Ship Command and Control Malware In JPEG Files
The Phylum Research Team has uncovered two malicious packages in the npm registry that disguise malware within JPEG files.

Hackers Claim to Have Leaked 1.1 TB of Disney Slack Messages
The hacktivist group NullBulge claims to have breached Disney's internal Slack infrastructure, leaking 1.1 TiB of data from about 10,000 channels.

👋 NullBulge claims they got access to the data from a Disney insider and have since doxxed them in retaliation for cutting off communication and access.

Open Source

How to create a multi clusters secure supply chain (SLSA 3) in 10min (OSS edition)
Jean-Philippe Gouin demonstrates how to achieve this by leveraging tools like Kind, Argo Workflow, Argo Event, Kpack, vCluster, Syft, and Cosign. The code and more are available here.

Warn users that pip download can run arbitrary code
Automatic Execution of Code Upon Package Download on Python Package Manager
👋 This isn’t just a pip issue. Many people do not realize that ‘pip install,’ ‘npm install,’ ‘yarn install,’ etc., can, and often do, execute system commands specified by the package maintainers. This can download and execute malware or trigger malware residing in the package before it’s used in code.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks now has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.