• CramHacks
  • Posts
  • CramHacks Chronicles #49: Weekly Cybersecurity Newsletter!

CramHacks Chronicles #49: Weekly Cybersecurity Newsletter!

Hacker Summer Camp, 390 Vulnerabilities added to KEV, using AI to upgrade npm packages, GitHub Workflow Vulnerabilities, Open-Source Software Security

Author

Kyle Kelly
August 14, 2024

šŸ„³ Happy Monday! šŸ„³

This week, Iā€™m feeling grateful. Hacker Summer Camp (Vegas) last week was incredibly fun and inspiring. This was my third year attending, but it was easily the best yetā€”all thanks to the people.

Some highlights:

  • The Semgrep (co-hosted with Impart Security and Pangea) LevelUp Party was incredible, with over 300 attendees, games, and live music!

  • OpenSSFā€™s Happy Hour gathered some of the worldā€™s brightest minds committed to securing the open-source ecosystem.

  • BlackHat Software Supply Chain Vendors! Despite Semgrep being a direct competitor with many vendors, I had incredibly productive discussions with Co-founders, directors, and researchers working on software supply chain products.

My favorite talking point was, ā€œAt what stage do you produce an SBOM? CI, build-time, run-time? from a binary?ā€ This question will surely get folks thinking, which is funny, given how much the world has invested in SBOM awareness.

Josh Bressers provided the most logical answer (IMO). We ideally want an SBOM at every step in the build process. We should then understand which materials were added/removed/changed at each step and why. The problemā€¦ Far too many workflows start with ā€œsudo apt updateā€ causing an SBOM produced today to differ from the SBOM produced tomorrow.

If youā€™re a software consumer, you likely want an SBOM in production run-time.

Newsletter

State of Exploitation - A Peek into 1H-2024 Vulnerability Exploitation
Patrick Garrity details the 390 vulnerabilities added to VulnCheckā€™s Known Exploited Vulnerabilities (KEV) Catalog during the first half of 2024. This differs from CISAā€™s KEV Catalog, which has added 73.

The top five affected categories include Network Edge Devices, Content Management Systems (CMS), Open Source Software, Server Software, and Operating Systems.

Trail of Bitsā€™ Buttercup heads to DARPAā€™s AIxCC
Buttercup is a Cyber Reasoning System (CRS) developed by ToB and combines conventional cybersecurity techniques like fuzzing and static analysis with AI and machine learning to find and fix software vulnerabilities.

Congratulations to ToB for placing in the top seven out of forty-two teams in the DEF CON semifinals! Trail of Bits Advances to AIxCC Finals

bumpgen is an AI agent that upgrades npm packages
Developed by Xeol, bumpgen uses abstract syntax trees and AI to upgrade dependencies and makes code changes for you if anything breaks.

Mitigating Attack Vectors in GitHub Workflows
Googleā€™s Joyce Brum details common attack vectors targeting GitHub workflows operating on GitHub-hosted runners.

ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts
Palo Altoā€™s Yaron Avital details an attack vector that enabled him to compromise open-source projects owned by Red Hat, Google, AWS, Canonical (Ubuntu), Microsoft, OWASP, and others.

The vector abuses the GitHub Action artifacts generated during CI/CD workflows. As proven, these artifacts can leak secrets. Yaron also shared this vector at BSides LV; great talk!

Gato-X: GitHub Attack Toolkit - Extreme Edition
The duo Adnan Khan and John Stawinski gave an incredible talk at Hacker Summer Camp. Their talk included a demo of Gato-X, an automated enumeration and exploitation tool for targeting repositories and organizations. Currently, it supports Automated Self-Hosted Runner Attacks and Enumeration for GitHub Actions Injection and Pwn Requests.

ā€˜Sinkcloseā€™ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections
Nearly all AMD chips dating back to 2006 are reportedly susceptible to a vulnerability named ā€˜Sinkclose.ā€™ This vulnerability enables a malicious actor with kernel-level access to install a bootkit. Realistically, this would be paired with a kernel-level exploit, allowing undetected persistence.

Summary of the 2023 Request for Information on Open-Source Software Security
The 2023 RFI received 107 public responses; to no surprise, more than 80 were submitted by ā€œSecure Open-Source Software Foundations.ā€ Submissions advocated for memory-safe language expansion, financing new projects, exploring AI, improved vulnerability disclosures, and funded open-source software security education.

Until Next Time! šŸ‘‹

Hey, you made it to the bottom ā€“ thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! šŸ’Œ

Donā€™t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content šŸ˜ƒ.