Cybersecurity 🔐 And Much More Newsletter 📪  Vol. 4 Num. 3

Hey there, 👋

I hope you have been doing well! 😊

📫 Welcome to my newsletter.

📰 In this newsletter:

  • ⌛️ This week’s Cybersecurity Rewind, and some zero days.
  • 🗞️ Latest Security News, not just talking about the Crowdstrike bug.
  • 💡 Security Tips and Tricks.
  • 📚 DevOps ☁️ Books to read.

Enjoy!

⌛️ Cybersecurity Rewind

Last week in Cybersecurity, several critical vulnerabilities and major data breaches were reported:

🐦⬛ CrowdStrike update crashes Windows systems, causes outages worldwide

A faulty component in the latest CrowdStrike Falcon update is crashing Windows systems, impacting various organizations and services worldwide, including airports, TV stations, and hospitals. The glitch affects Windows workstations and servers, with users reporting massive outages that took entire companies and fleets of hundreds of thousands of computers offline. According to some reports, emergency services in the U.S. and Canada have also been impacted.

Workaround for the glitched CrowdStrike update

For the past few days, users have been complaining about Windows hosts being stuck in a boot loop or showing the Blue Screen of Death (BSOD) after installing the latest update for CrowdStrike Falcon Sensor. The security vendor acknowledged the issue and published a technical alert explaining that its engineers “identified a content deployment related to this issue and reverted those changes.” “Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor,” CrowdStrike says in the tech alert.

The company revealed that the cause is a Channel File, which carries data (e.g. instructions) for the sensor. Since it is only one component of the sensor update, this type of file can be addressed individually without removing the Falcon Sensor update itself.

For those already affected, CrowdStrike provides the following workaround steps:

  1. Boot Windows into Safe Mode or the Windows Recovery Environment
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  3. Locate the file matching “C-00000291*.sys”, and delete it.
  4. Boot the host normally.

Microsoft Patches 👌Zero-Click Outlook 📧 Remote Code Execution Vulnerability

Morphisec discovered an unauthenticated, zero-click (for trusted senders) RCE vulnerability in Microsoft Outlook (CVE-2024-38021) and warned that it could lead to data breaches, unauthorized access, and other malicious activity if abused. A patch for the vulnerability was included in July's Patch Tuesday release. The researchers will present further technical details at DEF CON. Given its zero-click nature (for trusted senders) and the absence of an authentication requirement, CVE-2024-38021 poses a severe risk: attackers could exploit it to gain unauthorized access, execute arbitrary code, and cause substantial damage without any user interaction, and the lack of an authentication requirement makes widespread exploitation possible.

🔆 SolarWinds has released patches for multiple 😱 Critical Vulnerabilities

SolarWinds has released fixes for eight critical security vulnerabilities (CVSS score of 9.6 out of 10.0) impacting its Access Rights Manager (ARM) software that could be exploited to access sensitive information or execute arbitrary code. Successful exploitation of these vulnerabilities can allow an attacker to read and delete files and execute code with elevated privileges.

🦊 GitLab: Critical bug lets attackers run pipelines as other users

GitLab warned that a critical vulnerability in its GitLab Community and Enterprise editions allows attackers to run pipeline jobs as any other user. The GitLab DevSecOps platform has over 30 million registered users and is used by over 50% of Fortune 100 companies.

The vulnerability, tracked as CVE-2024-6385, received a CVSS base score of 9.6 out of 10. It affects all GitLab CE/EE versions from 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2. Under certain circumstances that GitLab has yet to disclose, attackers can exploit it to trigger a new pipeline as an arbitrary user.

The company released GitLab Community and Enterprise versions 17.1.2, 17.0.4, and 16.11.6 to address this critical security flaw and advised all admins to upgrade all installations immediately.

🌐 Critical Cisco bug lets hackers add root users on SEG devices

Cisco has fixed a critical vulnerability that lets attackers add new users with root privileges and permanently crash Security Email Gateway (SEG) appliances using emails with malicious attachments. Tracked as CVE-2024-20401, this security flaw in the SEG content scanning and message filtering features is caused by an absolute path traversal weakness that allows replacing any file on the operating system.

"This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. A successful exploit could allow the attacker to replace any file on the underlying file system," Cisco explained. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.

📰 Security Highlights

🎣 Fake CrowdStrike updates target companies with malware, data wipers

In a recent update, CrowdStrike says it “is actively assisting customers” impacted by the recent content update that crashed millions of Windows hosts worldwide.

The company advises customers to verify they communicate with legitimate representatives through official channels because “adversaries and bad actors will try to exploit events like this.”

“I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates” - George Kurtz, CrowdStrike CEO.

The U.K. National Cyber Security Center (NCSC) also warned that it observed an increase in phishing messages aiming to take advantage of the outage.

Automated malware analysis platform AnyRun noticed “an increase in attempts at impersonating CrowdStrike that can potentially lead to phishing.”

🪆 Kaspersky is shutting down its business in the 🇺🇸 United States

Russian cybersecurity company and antivirus software provider Kaspersky Lab will start shutting down operations in the United States on July 20. In a statement to BleepingComputer, the company also confirmed that it will lay off its U.S.-based employees. Independent cybersecurity journalist Kim Zetter first reported that this will affect "fewer than 50 employees in the U.S."

This follows the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioning twelve Kaspersky Lab executives on June 21 for operating in Russia's technology sector, freezing their U.S. assets and preventing access to them until the sanctions are lifted. The Department of Commerce also designated AO Kaspersky Lab, OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom) to its Entity List, preventing any U.S. business from working with them.

"Today's Final Determination and Entity Listing are the result of a lengthy and thorough investigation, which found that the company's continued operations in the United States presented a national security risk—due to the Russian Government's offensive cyber capabilities and capacity to influence or direct Kaspersky's operations—that could not be addressed through mitigation measures short of a total prohibition," the Bureau of Industry & Security said.

🗓️ Email addresses of 15 million Trello users leaked on hacking forum

A threat actor has released over 15 million email addresses associated with Trello accounts that were collected using an unsecured API in January. Trello is an online project management tool owned by Atlassian. Businesses commonly use it to organize data and tasks into boards, cards, and lists.

While almost all of the data in these profiles is public information, each profile also contained a non-public email address associated with the account.

While Atlassian, the owner of Trello, did not confirm at the time how the data was stolen, the threat actor, known as emo, told BleepingComputer it was collected using an unsecured REST API that allowed developers to query for public information about a profile based on a user's Trello ID, username, or email address.

emo created a list of 500 million email addresses and fed it into the API to determine if they were linked to a Trello account. The list was then combined with the returned account information to create member profiles for over 15 million users. emo shared the entire list of 15,115,516 profiles on the Breached hacking forum for eight site credits (worth $2.32).

"Trello had an open API endpoint that allows any unauthenticated user to map an email address to a trello account," emo explained in the forum post.

☎️ Massive AT&T data breach exposes call logs of 109 million customers

AT&T is warning of a massive data breach where threat actors stole the call logs for approximately 109 million customers, or nearly all of its mobile customers, from an online database on the company's Snowflake account.

The company confirmed to BleepingComputer that the data was stolen from the Snowflake account between April 14 and April 25, 2024.

In a Friday morning Form 8-K filing with the SEC, AT&T says that the stolen data contains the call and text records of nearly all AT&T mobile clients and customers of mobile virtual network operators (MVNOs) made from May 1 to October 31, 2022 and on January 2, 2023.

The stolen data includes:

  • Telephone numbers of AT&T wireline customers and customers of other carriers.
  • Telephone numbers with which AT&T or MVNO wireless numbers interacted.
  • Count of interactions (e.g., the number of calls or texts).
  • Aggregate call duration for a day or month.
  • For a subset of records, one or more cell site identification numbers.

🧨 Security tips and tricks (TnT)

Learn how to build a Security Analytics solution with Wiz and Snowflake, in just 20 minutes ⏱️

The tutorial on the Snowflake website explains how to integrate Wiz with Snowflake to perform security analytics. Here is a summary of the key steps and concepts covered:

Overview

The guide demonstrates how to upload Wiz data into Snowflake tables, enabling security teams to analyze historical data and perform security analytics. Wiz scans cloud workloads and generates issues and security findings, which are then sent to Snowflake tables via the Wiz-Snowflake integration.

Prerequisites

  • Download the provided SQL script.
  • Log into your Snowflake account and prepare the environment.

Steps

  1. Setting up roles and users: Switch to the SECURITYADMIN role. Create a role CLOUD_SECURITY_ANALYST_ROLE and grant it to the SYSADMIN role. Create a user CLOUD_SECURITY_ANALYST with the CLOUD_SECURITY_ANALYST_ROLE.
  2. Creating the database and schema: Switch to the SYSADMIN role. Create a database WIZDB and schema WIZSCHEMA. Grant the necessary privileges to the CLOUD_SECURITY_ANALYST_ROLE.
  3. Creating and configuring the warehouse: Create a warehouse WIZ_LAB_WH with the AUTO_SUSPEND and AUTO_RESUME properties. Grant usage privileges on the warehouse to the CLOUD_SECURITY_ANALYST_ROLE.
  4. Ingesting Wiz data: Set the context to CLOUD_SECURITY_ANALYST_ROLE, WIZ_LAB_WH, and WIZSCHEMA. Create tables for WIZISSUES, WIZVULNERABILITIES, and WIZ_HOST_CONFIGURATION_FINDINGS. Load data into these tables using the COPY command from the predefined CSV files.
  5. Analyzing the data: Run SQL queries to analyze the ingested data. Create views like ISSUES_LATEST and ISSUES_HISTORICAL to track issues over time. Visualize data trends using charts in the Snowflake UI. Perform detailed analysis on vulnerabilities and their resolution timelines.

The tutorial provides SQL commands and step-by-step instructions to facilitate the integration and analysis process, enabling users to leverage Snowflake for comprehensive security analytics with Wiz data.
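The five steps above written out as Snowflake SQL, added here as an illustration in the spirit of the tutorial rather than the tutorial's own script. The WIZISSUES column layout, the WIZ_CSV file format, the WIZ_STAGE stage (where the exported CSVs are uploaded with PUT) and the SNAPSHOT_TS column used to pick the newest row per issue are assumptions; the closing query shows the kind of resolution-timeline analysis the tutorial describes.

```sql
-- Step 1: roles and users (SECURITYADMIN owns role and user creation)
USE ROLE SECURITYADMIN;
CREATE ROLE IF NOT EXISTS CLOUD_SECURITY_ANALYST_ROLE;
GRANT ROLE CLOUD_SECURITY_ANALYST_ROLE TO ROLE SYSADMIN;  -- keeps the role under SYSADMIN's hierarchy
CREATE USER IF NOT EXISTS CLOUD_SECURITY_ANALYST
  PASSWORD = '<replace-with-a-strong-password>'           -- placeholder
  DEFAULT_ROLE = CLOUD_SECURITY_ANALYST_ROLE MUST_CHANGE_PASSWORD = TRUE;
GRANT ROLE CLOUD_SECURITY_ANALYST_ROLE TO USER CLOUD_SECURITY_ANALYST;

-- Step 2: database and schema, granting only what the analyst role needs
USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS WIZDB;
CREATE SCHEMA IF NOT EXISTS WIZDB.WIZSCHEMA;
GRANT USAGE ON DATABASE WIZDB TO ROLE CLOUD_SECURITY_ANALYST_ROLE;
GRANT USAGE, CREATE TABLE, CREATE VIEW, CREATE STAGE, CREATE FILE FORMAT
  ON SCHEMA WIZDB.WIZSCHEMA TO ROLE CLOUD_SECURITY_ANALYST_ROLE;

-- Step 3: a small warehouse that suspends itself after 60 idle seconds
CREATE WAREHOUSE IF NOT EXISTS WIZ_LAB_WH WAREHOUSE_SIZE = 'XSMALL'
  AUTO_SUSPEND = 60 AUTO_RESUME = TRUE INITIALLY_SUSPENDED = TRUE;
GRANT USAGE ON WAREHOUSE WIZ_LAB_WH TO ROLE CLOUD_SECURITY_ANALYST_ROLE;

-- Step 4: ingest as the analyst role (assumed columns; the Wiz CSV export defines the real ones)
USE ROLE CLOUD_SECURITY_ANALYST_ROLE;
USE WAREHOUSE WIZ_LAB_WH;
USE SCHEMA WIZDB.WIZSCHEMA;
CREATE TABLE IF NOT EXISTS WIZISSUES (
  ISSUE_ID    STRING,
  SEVERITY    STRING,         -- e.g. CRITICAL / HIGH / MEDIUM / LOW
  STATUS      STRING,         -- e.g. OPEN / RESOLVED
  CREATED_AT  TIMESTAMP_NTZ,
  RESOLVED_AT TIMESTAMP_NTZ,  -- NULL while the issue is still open
  SNAPSHOT_TS TIMESTAMP_NTZ   -- when this row was exported from Wiz (assumed column)
);
-- WIZVULNERABILITIES and WIZ_HOST_CONFIGURATION_FINDINGS are created the same way.
CREATE FILE FORMAT IF NOT EXISTS WIZ_CSV TYPE = CSV SKIP_HEADER = 1
  FIELD_OPTIONALLY_ENCLOSED_BY = '"' NULL_IF = ('', 'NULL');
CREATE STAGE IF NOT EXISTS WIZ_STAGE FILE_FORMAT = (FORMAT_NAME = 'WIZ_CSV');  -- PUT the CSVs here
COPY INTO WIZISSUES FROM @WIZ_STAGE/issues/
  FILE_FORMAT = (FORMAT_NAME = 'WIZ_CSV') ON_ERROR = 'ABORT_STATEMENT';

-- Step 5: views that separate the current state from the full history
CREATE OR REPLACE VIEW ISSUES_HISTORICAL AS
  SELECT * FROM WIZISSUES;  -- every snapshot, for trend charts in the Snowflake UI
CREATE OR REPLACE VIEW ISSUES_LATEST AS
  SELECT * FROM WIZISSUES
  QUALIFY ROW_NUMBER() OVER (PARTITION BY ISSUE_ID ORDER BY SNAPSHOT_TS DESC) = 1;

-- Resolution-timeline analysis on the latest state: open count and median days-to-resolve per severity
SELECT SEVERITY, COUNT(*) AS issues, COUNT_IF(STATUS = 'OPEN') AS still_open,
       MEDIAN(DATEDIFF('day', CREATED_AT, RESOLVED_AT)) AS median_days_to_resolve
FROM ISSUES_LATEST
GROUP BY SEVERITY
ORDER BY issues DESC;
```

Open issues have a NULL RESOLVED_AT, so MEDIAN skips them and the figure reflects only closed issues.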

🔬Periodic Table of Cloud Security, A Collection of Security 🛡️ Measures for defending cloud ☁️

The Wiz Periodic Table of Cloud Security is a comprehensive resource that categorizes various elements of cloud security into an easily navigable format, akin to the traditional periodic table of elements. This table is part of the broader "Cloud Threat Landscape" initiative by Wiz, which aims to provide insights into cloud security threats and defenses.

Key Components of the Periodic Table of Cloud Security

  1. Incidents: This section lists various security incidents that can occur in cloud environments, offering insights into the nature and impact of these incidents.
  2. Actors: This category identifies the different types of threat actors that target cloud environments, including their motivations and methods.
  3. Techniques: This part details the techniques used by threat actors to compromise cloud security, providing a breakdown of methods and strategies employed in attacks.
  4. Defenses: This section outlines the defensive measures and best practices that organizations can implement to protect their cloud environments from threats.
  5. Tools: Here, various tools and technologies are listed that can aid in securing cloud infrastructure and responding to incidents.
  6. Targeted Technologies: This category highlights the specific technologies and platforms that are commonly targeted by threat actors in cloud environments.

The table serves as a valuable reference for security professionals to understand the complex landscape of cloud security, identify potential threats, and implement effective defenses. It is designed to be a dynamic and evolving resource, reflecting the latest trends and developments in cloud security.

💭🔐 AWS Secrets Manager Announces Open Source Release of Secrets Manager Agent

AWS has released a language-agnostic local HTTP service that can be installed in compute environments to read and cache secrets from Secrets Manager. TTL, cache size, maximum connections, and HTTP port can be configured in the agent. The agent also includes SSRF protections by default.

The AWS Secrets Manager Agent is a language-agnostic local HTTP service that you can install and use in your compute environments to read secrets from Secrets Manager and cache them in memory. With this launch, you can now simplify and standardize the way you read secrets across compute environments without the need for custom code.

Secrets Manager Agent is an open source release that your applications can use to retrieve secrets from a local HTTP service instead of making a network call to Secrets Manager. With customizable configuration options such as time to live, cache size, maximum connections, and HTTP port, you can adapt the agent to your application's needs. The agent also offers built-in protection against Server Side Request Forgery (SSRF) to ensure security when calling the agent within your compute environment.

The Secrets Manager Agent open source code is available on GitHub and can be used in all AWS Regions where AWS Secrets Manager is available. To learn more about how to use Secrets Manager Agent, visit the AWS documentation.

📚 Book Corner

Top Books to Learn DevOps

These books provide a solid foundation for anyone looking to understand and implement DevOps practices.

  1. The Phoenix Project, by Gene Kim, Kevin Behr, and George Spafford. A novel that explains the principles of DevOps through a fictional story about an IT manager's journey to save his company's IT project.
  2. The DevOps Handbook, by Gene Kim, Patrick Debois, John Willis, and Jez Humble. A comprehensive guide that covers the principles, practices, and tools necessary to implement DevOps successfully.
  3. Accelerate: The Science of Lean Software and DevOps, by Nicole Forsgren, Jez Humble, and Gene Kim. A research-backed book that provides data and insights into the most effective DevOps practices.
  4. Site Reliability Engineering: How Google Runs Production Systems, by Niall Richard Murphy, Betsy Beyer, Chris Jones, and Jennifer Petoff. A detailed guide on how Google implements site reliability engineering (SRE) principles, which are closely aligned with DevOps.
  5. Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation, by Jez Humble and David Farley. A foundational book that explains how to achieve continuous integration and delivery, which are key components of DevOps.
  6. Infrastructure as Code, by Kief Morris. A practical guide to managing infrastructure using code and automation tools, which is a key practice in DevOps.
  7. Effective DevOps: Building a Culture of Collaboration, Affinity, and Tooling at Scale, by Jennifer Davis and Katherine Daniels. Focuses on the cultural and collaborative aspects of DevOps, offering strategies to foster a DevOps culture within an organization.

Quote of the Week

"Those who keep learning will keep rising in life." - Charlie Munger

Subscribe 🔥 to my newsletter for the latest updates on cybersecurity, tech insights, and growth mindset tips. Don't forget to leave a comment and share your thoughts with the community!

More articles by Seif H.