CramHacks Chronicles #54: Weekly Cybersecurity Newsletter!

I’m on my way to San Francisco for the OWASP 2024 Global AppSec Conference! If you’re around, come hang out at the Semgrep booth or our co-hosted/sponsored events:

• Security Speakeasy (7 PM Wednesday, September 25th, 2024)

• PBC Connect (5:30 PM Thursday, September 26th, 2024)

TDIL: How to spell San Francisco and that the name Cisco was derived from the city name. 🤯 

Cryptography investigator ZachXBT traced $230M that was scammed. The video includes live audio and screen sharing (Zach mentions he has 1.5+ hours of footage), which has triggered haunting memories of my old RuneScape clan getting a big P.K.

Newsletter

Kaspersky Exits U.S., Automatically Replaces Software With UltraAV, Raising Concerns
👋 With plans to leave the U.S. market next month (due to being banned and labeled as a national security risk), Kaspersky has swapped out their endpoint installation with UltraAV via a software update. User data, such as billing information and subscriber account credentials, were also transferred to UltraAV (Nexway). 👎️ 🙅‍♂️ 

Fake recruiter coding tests target devs with malicious Python packages
ReversingLabs engineer Karlo Zanki details an attack vector that leverages malware embedded in a compiled Python file, AKA a PYC file. The attackers, reportedly linked to the North Korean hacking team Lazarus Group, pose as financial services firms recruiting developers, assigning candidates a task that involves running the malicious Python code.

CISA boss: Makers of insecure software are enablers of the real villains
Jen Easterly, the head of CISA, continues to preach that technology vendors should be held more accountable for poor-quality software. Jen argues that “software vulnerability” is too lenient of a term and that “product defect” is more accurate.

👋 I’m unsure how I feel about some of this; it seems harsh, but some vendors need this message 👀. However, I am sure that if anyone told me face-to-face that I should consider whether a vendor signed the Secure by Design Pledge before purchasing, I would laugh.

CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
As presented at Black Hat, Tenable Researcher Liv Matan details how the team leveraged a dependency confusion attack targeting GCP services that could have allowed a malicious attacker to run code on potentially millions of servers.

👋 Dependency confusion attacks are ridiculous. This blog from 2021 partly sparked my interest in software supply chain security, Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies.

gaining access to anyone’s browser without them even visiting a website
“A developer and (un)professional pentester,” xyzeva details how she discovered a vulnerability with Arc’s usage of Firestore. The vulnerability, CVE-2024-45489, allowed members to abuse “Arc boosts” to execute arbitrary JavaScript on any website a user visited.

👋 It's not a great look for “The Browser Company,” but kudos for the prompt remediation. According to their incident report, no users were affected.

Feds Prioritize Open-Source Software Security Initiatives
A concise article on initiatives led by a White House working group to enhance the security of open-source software within U.S. government operations.

👋 “Our goal isn’t to control or regulate open-source software, but rather show up as a community member and contribute where we can with government’s resources.”
- CISA Senior Technical Advisor, Jack Cable

Non-Actionable Findings in 3rd-party Security Scanners...and How to Identify Them
Google Software Engineer Erik Varga details some techniques for quickly identifying non-actionable findings in third-party security scanners, which happens far too often.

👋 While the blog focuses on OS software packages, my experience with software dependencies is much the same. For example, SemVer specifications suggest that appending -alpha , -beta , etc., to a version implies that it is earlier than the numerical specification. Therefore, when you patch a dependency vulnerability with a version 1.0.0-patched, SCA tools will assume that it is <= 1.0.0, and therefore vulnerable 🙃.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.