Cybersecurity 🔐 And Much More Newsletter 📪 Vol. 4 Num. 5
Hey there, 👋
I hope you have been doing well! 😊
📫 Welcome to my newsletter.
📰 In this newsletter:
This week’s newsletter discusses several cybersecurity vulnerabilities, including SAML SSO risks, Linux kernel buffer overflow, Jenkins CLI path traversal, and Android kernel remote code execution. It highlights significant news such as the arrest of Telegram's founder for content moderation issues and a cyber espionage campaign targeting organizations globally. Additionally, it covers supply chain vulnerabilities in MLOps, BlackByte ransomware tactics, and the importance of proactive incident management. The newsletter also features a book summary on software engineering practices at Google and provides security tips, including the use of "what3words" for OSINT.
Enjoy!
☢️ Threats and Vulnerabilities (TnV)
Google Chromium V8 Inappropriate Implementation Vulnerability: Google Chromium V8 contains an inappropriate implementation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Recommended action: to reduce the risk from this threat, apply any available security patches or updates from the vendor that address this vulnerability. If no updates are currently available, consider temporarily discontinuing use of the affected product to prevent exploitation. Additionally, monitor vendor advisories for future updates and maintain a high security posture to mitigate risks.
Apache OFBiz Incorrect Authorization Vulnerability: Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.
Recommended action is to follow the mitigation steps provided by the vendor to address this vulnerability. If there are no available mitigations, consider halting the use of the affected product to prevent potential exploitation. Stay informed on vendor updates for future solutions and actively monitor your systems for any signs of compromise.
"On GitHub Enterprise Server instances using SAML single sign-on (SSO) authentication with specific Identity Providers (IdPs) that expose signed federation metadata XML publicly, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges," said GitHub in an advisory.
This vulnerability specifically targets instances where SAML SSO is configured with IdPs that may inadvertently expose signed federation metadata, creating an opportunity for attackers to craft a fraudulent SAML response. Such a response could potentially allow unauthorized access to high-level accounts, posing significant security risks.
GitHub strongly advises administrators to review their SAML configurations and ensure that federation metadata is securely handled, thereby mitigating the risk of unauthorized access and maintaining the integrity of their systems.
Linux Kernel Heap-Based Buffer Overflow: Linux kernel contains a heap-based buffer overflow vulnerability in the legacy_parse_param function in the Filesystem Context functionality. This allows an attacker to open a filesystem that does not support the Filesystem Context API and ultimately escalate privileges.
To address this vulnerability, it is essential to follow the vendor's instructions for applying necessary updates. These updates are crucial for maintaining system security and preventing potential exploits. If updates are unavailable at the moment, it is advisable to discontinue using the product temporarily to minimize risk exposure. Additionally, keep an eye on vendor communications for any forthcoming updates and maintain robust security practices to safeguard against threats.
Jenkins Command Line Interface (CLI) Path Traversal Vulnerability: Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution.
Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Android Kernel Remote Code Execution Vulnerability: Android contains an unspecified vulnerability in the kernel that allows for remote code execution. This vulnerability resides in Linux Kernel and could impact other products, including but not limited to Android OS.
Known To Be Used in Ransomware Campaigns? Unknown
Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
🎭 News and Breaches (NnB)
Pavel Durov, founder and chief executive of the popular messaging app Telegram, was arrested in France on Saturday, according to French television network TF1.
Durov is believed to have been apprehended pursuant to a warrant issued in connection with a preliminary police investigation.
TF1 said the probe was focused on a lack of content moderation on the instant messaging service, which the authorities took issue with, turning the app into a haven for various kinds of criminal activity, including drug trafficking, child pornography, money laundering, and fraud.
The hands-off approach to moderation on Telegram has been a point of contention, fueling cybercrime and turning the platform into a hub for threat actors to organize their operations, distribute malware, and peddle stolen data and other illegal goods.
Detected by Proofpoint on August 5, 2024, this activity involves posing as tax authorities from Europe, Asia, and the U.S., targeting over 70 organizations globally with a tool named Voldemort to collect data and deploy further payloads.
Industries targeted include insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecom, and social benefits.
The cyber espionage campaign lacks attribution to a specific threat actor, with around 20,000 emails sent in these attacks.
MLOps platforms enable the design and execution of ML model pipelines, with a model registry serving as a repository for storing and versioning trained ML models. These models can be embedded within an application or accessed by other clients via an API, also known as model-as-a-service.
Cybersecurity researchers are raising alarms about the security risks in the machine learning (ML) software supply chain after discovering over 20 vulnerabilities that could be exploited to target MLOps platforms.
These vulnerabilities, characterized as both inherent and implementation-based flaws, could have serious consequences, ranging from arbitrary code execution to the loading of malicious datasets.
The campaign appears to specifically target victims within China, as evidenced by the file names and lures, which are predominantly written in Chinese. Moreover, all of the command and control (C2) infrastructure used by the threat actors was hosted in China by Shenzhen Tencent Computer Systems Company Limited, a Chinese-owned company. A detailed look at telemetry data from the malicious samples indicates that the majority of the malware and files involved originated from within China, further reinforcing the likelihood that China is indeed the primary target of this attack.
Regarding the origin of the attack, the Securonix Threat Research Team was unable to reach a definitive conclusion. They also could not precisely determine the attack vector, although it appears to align with traditional phishing email tactics. In the case of SLOW#TEMPEST, it is likely that ZIP files (which were sometimes password-protected) were distributed via unsolicited emails.
The BlackByte ransomware group continues to leverage tactics, techniques and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor.
In recent investigations, Talos IR has also observed BlackByte using techniques that depart from their established tradecraft, such as exploiting CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi, shortly after it was disclosed, and using a victim’s authorized remote access mechanism rather than deploying a commercial remote administration tool like AnyDesk.
The addition of this third flaw, CVE-2024-32113, to the Known Exploited Vulnerabilities (KEV) catalog by CISA highlights the persistent threat landscape surrounding Apache OFBiz. This vulnerability has been notably exploited to deploy the Mirai botnet, a notorious malware variant known for its use in large-scale Distributed Denial of Service (DDoS) attacks. The Mirai botnet leverages vulnerable IoT devices to launch attacks, significantly increasing the risk and impact associated with this newly cataloged flaw. Organizations utilizing Apache OFBiz are strongly advised to review their systems for potential exposure and apply appropriate security patches to prevent exploitation.
🧨 Security Tips and Tricks (TnT)
Open-source intelligence (OSINT) is a crucial aspect of modern cybersecurity and investigative operations. It involves collecting and analyzing publicly available information to gather valuable insights. One area where OSINT can be particularly challenging is extracting location data from images. This is where a different kind of GPS app, "what3words," comes into play.
Traditionally, finding the exact location depicted in a photo required cross-referencing visual cues with maps or metadata, which can be time-consuming and prone to errors. "what3words" simplifies this process by dividing the world into a grid of 3m x 3m squares, each identified by a unique combination of three words. This innovative approach allows users to pinpoint any location with precision.
For OSINT practitioners, "what3words" offers a streamlined method to identify and verify locations from images quickly. By inputting visual clues or any available metadata into the app, investigators can obtain a three-word address that corresponds to the exact spot in the photo. This can significantly enhance the efficiency and accuracy of location-based intelligence gathering.
Moreover, "what3words" addresses privacy concerns often associated with traditional GPS coordinates. The app's three-word addresses are easy to share and remember, yet they do not reveal personal information or precise locations unless voluntarily disclosed.
In summary, "what3words" represents a powerful tool for OSINT professionals looking to extract geographical information from pictures. By providing a user-friendly and precise method for location identification, it simplifies the process and enhances the effectiveness of intelligence operations.
Tetragon is an eBPF-based observability and security tool designed for Kubernetes environments, which enhances incident management and helps maintain compliance with Service Level Agreements (SLAs), Service Level Objectives (SLOs), and Service Level Indicators (SLIs).
Key Concepts
Features of Tetragon
Use Cases
Conclusion
Tetragon is positioned as a vital tool for production engineers, offering deep observability and proactive management capabilities that enhance service reliability and security while ensuring compliance with critical service metrics.
Datadog's Security Inbox automatically organizes security risks into an actionable list for remediation, cutting through the noise to help teams focus on the most pressing issues. It prioritizes findings based on three key factors: severity level, number of correlated risks, and number of impacted resources or services.
Severity Scoring Matrix
Correlated Risks and Impact
Conclusion
Build
Creating a Slack Chatbot
Slash Commands
Rich Notifications
Proactive Notifications
The linked resource provides a detailed walkthrough of how to create a Slack chatbot using Tines to automate various security and IT workflows, including sending notifications, interacting with users, and proactively alerting individuals.
Resource:
📚 Smart Book Corner
Title: "Software Engineering at Google: Lessons Learned from Programming Over Time"
Authors: Titus Winters, Tom Manshreck, and Hyrum Wright
Summary: "Software Engineering at Google" offers insights into Google's unique engineering practices and culture. The book discusses the key principles and methodologies that Google uses to manage large-scale software systems effectively. It covers topics such as code quality, testing strategies, and the importance of a collaborative environment. The authors share their experiences and lessons learned, providing valuable guidance for software engineers seeking to adopt similar practices in their own organizations.
1. Embrace a Blameless Culture: Establish an environment where learning from failures is prioritized over assigning blame to individuals.
2. Prioritize Code Reviews: Implement a robust system for regular peer reviews to maintain high standards of code quality.
3. Automate Testing: Develop a comprehensive automated testing framework to identify and address issues as early as possible.
4. Foster Innovation: Dedicate time and resources for engineers to brainstorm and experiment with new ideas and projects.
5. Scale with Caution: Carefully assess the implications of scaling up systems and services.
6. Encourage Knowledge Sharing: Build and maintain platforms that facilitate the exchange of insights and experiences among engineers.
7. Balance Speed and Quality: Strive to deliver projects in a timely manner while upholding high standards of quality.
Conclusion: While adopting the strategies outlined in "Software Engineering at Google," companies should also be cautious of certain practices that can hinder progress. Avoid prioritizing speed over quality, as this can lead to technical debt and customer dissatisfaction. Refrain from maintaining a blame-centric culture, which can stifle innovation and transparency. Lastly, do not neglect the importance of continuous learning and improvement, as stagnation can impede growth and competitiveness in the technology sector.
Quote of the Week
"Success is a journey, not a destination. The doing is often more important than the outcome." — Arthur Ashe
Arthur Ashe was an American professional tennis player who won three Grand Slam titles. He was the first black player selected to the United States Davis Cup team and is the only black man to win the singles title at Wimbledon, the US Open, and the Australian Open. Beyond his achievements in tennis, Ashe was also known for his activism and advocacy for civil rights and HIV/AIDS awareness.
Subscribe 🔥 to my newsletter for the latest updates on cybersecurity, tech insights, and growth mindset tips. Don't forget to leave a comment and share your thoughts with the community!