CramHacks Chronicles #51: Weekly Cybersecurity Newsletter!

🥳 Happy Monday! 🥳

Today’s newsletter is #51, and since we started with #0, it has officially been one full year of CramHacks! 🥳 🎉 

Some random exciting data about CramHacks:

• After four months, CramHacks reached 175 subscribers (thanks, mom & friends).

• In the last four months (May - Present), CramHacks has gained +1,000 subscribers.

• Most Popular Blog: Dirty Little Secrets of Vulnerability Management with almost 7,000 website views.

• ~40,000 emails have been sent, and ~50% are opened by the recipient.

Thank you, everyone, for supporting CramHacks! ❤️ 

Newsletter

Bug bounty programs take root in Russia — with possible far-reaching implications
In 2022, international sanctions against Russia caused bug bounty programs to stop paying out bounties to Russian and Belarusian hackers. What did people think would happen?

👋 I try to stay out of politics, but if you’re reading this newsletter, you likely know a thing or two about governments purchasing vulnerabilities & exploits.

Weaponized Vulnerabilities Deserve a Seat at The Prioritization Table
VulnCheck’s Patrick Garrity considers “Weaponized Vulnerabilities,” which, according to VulnCheck’s State of Exploitation Report, comprise only 2% of known vulnerabilities.

👋 The data seems to support what I would’ve guessed: the decline of Metasploit modules for more modern vulnerabilities. I was a penetration tester from 2020-2024 and never once used Metasploit on an engagement. However, I often read Metasploit modules for older vulnerabilities (back when Metasploit was hugely popular).

Google partners with Australia to strengthen cybersecurity for critical infrastructure
👋 I’m somewhat following how governments across the globe are handling software supply chain risks, and it’s great to see Google playing a part. From my (very) limited research, it seems the EU kicked things off with their 2020-2023 open-source strategy and the Cyber Resilience Act. Lately, I’m seeing a big push by the US, South Korea, and Australia. 🤷‍♂️ 

If anyone has recommended reading that digs deeper on this topic, I’d love to check it out!

TL;DR: Every AI Talk from BSidesLV, Black Hat, and DEF CON 2024
Clint Gibler provides a roundup of every (>60) AI-related talk at BSidesLV, BlackHat, and DEF CON 2024, covering topics from AI-driven attacks to defending AI systems.

Vulnerabilities

Microsoft Copilot Studio Exploit Leaks Sensitive Cloud Data
Studio is a tool to create custom AI assistants (chatbots) and was recently discovered by Evan Grant to be susceptible to Server-Side Request Forgery (SSRF) attacks. The exploit abuses the tool to create malicious HTTP requests, potentially exposing internal services and data. Microsoft Copilot Studio is also multi-tenant 👀.

GitHub Enterprise: CVE-2024-6800
A critical XML signature wrapping vulnerability in GitHub Enterprise Server (GHES) affected versions before 3.14, allowing attackers with network access to forge SAML responses and gain site administrator privileges without authentication. Following a GitHub Bug Bounty report, the issue was patched in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.

Critical (Unauthenticated) Privilege Escalation in LiteSpeed Cache Plugin Affecting 5+ Million Sites
A vulnerability in the LiteSpeed Cache plugin for WordPress allows attackers to bypass authentication and gain admin access to millions of sites. The flaw, affecting versions before 5.4.2, can be exploited to modify site content, inject malicious code, and take over vulnerable WordPress installations.

👋 LiteSpeed is the most popular caching plugin for WordPress. So this was bad 😅. This was the largest bounty in WordPress history, but it was only $14,400; this seems more deserving, in my opinion.

Open Source

CVE Hunting Made Easy
Project Black’s Eddie Zhang details their approach to automating CVE hunting for WordPress plugins and how he discovered 14 CVEs in just three Sunday afternoons. The code used is available on GitHub here.

You're not mature enough to release your first version as v1
Jamie Tanna argues for adopting "V0" as a standard versioning convention for projects still in early development, highlighting that many standards default to V1 prematurely, leading to confusion and instability.

👋 I’m shocked that the semantic-release project does not allow a major version of Zero. I’m frankly a bit frustrated by this, given the semver specification suggests using it for development. And it just makes sense!

GuardDog 2.0: YARA scanning, user-supplied rules, and Golang support
GuardDog helps identify malicious packages in PyPi and NPM, and now, early support is available for Golang Modules. The project uses Semgrep for static analysis and now also supports Yara rules. The GitHub project can be found here.

Upcoming Events

OWASP Global AppSec US Conference
I look forward to being in San Francisco from September 25 to 27. Let me know if you’d like to meet up!

The Secure Open Source Software (SOSS) Fusion Conference
I’m unsure if I’ll be attending yet, but this will be an incredible conference for those interested in securing the open-source ecosystem. I’m hoping to make it happen. This is the first year for SOSS Fusion, so I expect it will be relatively intimate but with some seriously talented folks.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.