Cybersecurity 🔐 And Much More Newsletter 📪 Vol. 4 Num. 5

Seif Hateb
11 min read · Sep 7, 2024


Hey there, 👋

I hope you have been doing well! 😊

📫 Welcome to my newsletter.

📰 In this newsletter:

This week’s newsletter discusses several cybersecurity vulnerabilities, including SAML SSO risks, Linux kernel buffer overflow, Jenkins CLI path traversal, and Android kernel remote code execution. It highlights significant news such as the arrest of Telegram’s founder for content moderation issues and a cyber espionage campaign targeting organizations globally. Additionally, it covers supply chain vulnerabilities in MLOps, BlackByte ransomware tactics, and the importance of proactive incident management. The newsletter also features a book summary on software engineering practices at Google and provides security tips, including the use of “what3words” for OSINT.

Enjoy!

☢️ Threats and Vulnerabilities (TnV)

CVE-2024–7965

Google Chromium V8 Inappropriate Implementation Vulnerability: Google Chromium V8 contains an inappropriate implementation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Recommended action: to reduce the risk from this threat, apply any available security patches or updates from the vendor that address this vulnerability. If no updates are currently available, consider temporarily discontinuing use of the affected product to prevent exploitation. Additionally, monitor vendor advisories for future updates and maintain a strong security posture to mitigate risk.

CVE-2024–38856

Apache OFBiz Incorrect Authorization Vulnerability: Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.

Recommended action is to follow the mitigation steps provided by the vendor to address this vulnerability. If there are no available mitigations, consider halting the use of the affected product to prevent potential exploitation. Stay informed on vendor updates for future solutions and actively monitor your systems for any signs of compromise.

GitHub Addresses Three Vulnerabilities in Enterprise Server (CVE-2024–7711, CVE-2024–6337)

“On GitHub Enterprise Server instances using SAML single sign-on (SSO) authentication with specific Identity Providers (IdPs) that expose signed federation metadata XML publicly, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges,” said GitHub in an advisory.

This vulnerability affects instances where SAML SSO is configured with IdPs that may inadvertently expose signed federation metadata, creating an opportunity for attackers to craft a fraudulent SAML response. Such a response could allow unauthorized access to high-privilege accounts, posing a significant security risk.

GitHub strongly advises administrators to review their SAML configurations and ensure that federation metadata is securely handled, thereby mitigating the risk of unauthorized access and maintaining the integrity of their systems.

CVE-2022–0185

Linux Kernel Heap-Based Buffer Overflow: Linux kernel contains a heap-based buffer overflow vulnerability in the legacy_parse_param function in the Filesystem Context functionality. This allows an attacker to open a filesystem that does not support the Filesystem Context API and ultimately escalate privileges.

To address this vulnerability, it is essential to follow the vendor’s instructions for applying necessary updates. These updates are crucial for maintaining system security and preventing potential exploits. If updates are unavailable at the moment, it is advisable to discontinue using the product temporarily to minimize risk exposure. Additionally, keep an eye on vendor communications for any forthcoming updates and maintain robust security practices to safeguard against threats.

CVE-2024–23897

Jenkins Command Line Interface (CLI) Path Traversal Vulnerability: Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution.

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2024–36971

Android Kernel Remote Code Execution Vulnerability: Android contains an unspecified vulnerability in the kernel that allows for remote code execution. This vulnerability resides in Linux Kernel and could impact other products, including but not limited to Android OS.

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

🎭 News and Breaches (NnB)

Telegram Founder Arrested in France for Lack of Content Moderation

Pavel Durov, founder and chief executive of the popular messaging app Telegram, was arrested in France on Saturday, according to French television network TF1.

Durov is believed to have been apprehended pursuant to a warrant issued in connection with a preliminary police investigation.

TF1 said the probe focused on the lack of content moderation on the instant messaging service, which the authorities say has turned the app into a haven for various kinds of criminal activity, including drug trafficking, child pornography, money laundering, and fraud.

The hands-off approach to moderation on Telegram has been a point of contention, fueling cybercrime and turning the platform into a hub where threat actors organize their operations, distribute malware, and peddle stolen data and other illegal goods.

Google Sheets Targeted in Espionage Campaigns

Detected by Proofpoint on August 5, 2024, this activity involves attackers posing as tax authorities from Europe, Asia, and the U.S., and targets over 70 organizations globally with a tool named Voldemort to collect data and deploy further payloads.

Industries targeted include insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecom, and social benefits.

The campaign has not been attributed to a specific threat actor; around 20,000 emails were sent in these attacks.

20 Supply Chain Vulnerabilities in MLOps

MLOps platforms enable the design and execution of ML model pipelines, with a model registry serving as a repository for storing and versioning trained ML models. These models can be embedded within an application or accessed by other clients via an API, also known as model-as-a-service.

Cybersecurity researchers are raising alarms about the security risks in the machine learning (ML) software supply chain after discovering over 20 vulnerabilities that could be exploited to target MLOps platforms.

These vulnerabilities, characterized as both inherent and implementation-based flaws, could have serious consequences, ranging from arbitrary code execution to the loading of malicious datasets.

Cobalt Strike Payloads Used Against Chinese-Speaking Businesses in Cyberattack Campaigns

The campaign appears to specifically target victims within China, as evidenced by the file names and lures, which are predominantly written in Chinese. Moreover, all of the command and control (C2) infrastructure used by the threat actors was hosted in China by Shenzhen Tencent Computer Systems Company Limited, a Chinese-owned company. A detailed look at telemetry data from the malicious samples indicates that the majority of the malware and files involved originated from within China, further reinforcing the likelihood that China is the primary target of this attack.

Regarding the origin of the attack, the Securonix Threat Research Team was unable to reach a definitive conclusion. They also could not precisely determine the attack vector, although it appears to align with traditional phishing email tactics. In the case of SLOW#TEMPEST, it is likely that ZIP files (sometimes password-protected) were distributed via unsolicited emails.

VMware ESXi Exploited in BlackByte Ransomware Attacks

The BlackByte ransomware group continues to leverage tactics, techniques and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor.

In recent investigations, Talos IR has also observed BlackByte using techniques that depart from its established tradecraft, such as exploiting CVE-2024–37085, an authentication bypass vulnerability in VMware ESXi, shortly after it was disclosed, and using a victim’s authorized remote access mechanism rather than deploying a commercial remote administration tool like AnyDesk.

CISA is Warning about the Apache OFBiz Vulnerability 🪶

The addition of this third flaw, CVE-2024–32113, to the Known Exploited Vulnerabilities (KEV) catalog by CISA highlights the persistent threat landscape surrounding Apache OFBiz. This vulnerability has been notably exploited to deploy the Mirai botnet, a notorious malware variant known for its use in large-scale Distributed Denial of Service (DDoS) attacks. The Mirai botnet leverages vulnerable IoT devices to launch attacks, significantly increasing the risk and impact associated with this newly cataloged flaw. Organizations utilizing Apache OFBiz are strongly advised to review their systems for potential exposure and apply appropriate security patches to prevent exploitation.

🧹 Security Tips and Tricks (TnT)

Can “what3words” Simplify some of OSINT?

Open-source intelligence (OSINT) is a crucial aspect of modern cybersecurity and investigative operations. It involves collecting and analyzing publicly available information to gather valuable insights. One area where OSINT can be particularly challenging is extracting location data from images. This is where a different kind of GPS app, “what3words,” comes into play.

Traditionally, finding the exact location depicted in a photo required cross-referencing visual cues with maps or metadata, which can be time-consuming and prone to errors. “what3words” simplifies this process by dividing the world into a grid of 3m x 3m squares, each identified by a unique combination of three words. This innovative approach allows users to pinpoint any location with precision.

For OSINT practitioners, “what3words” offers a streamlined method to identify and verify locations from images quickly. By inputting visual clues or any available metadata into the app, investigators can obtain a three-word address that corresponds to the exact spot in the photo. This can significantly enhance the efficiency and accuracy of location-based intelligence gathering.

Moreover, “what3words” addresses privacy concerns often associated with traditional GPS coordinates. The app’s three-word addresses are easy to share and remember, yet they do not reveal personal information or precise locations unless voluntarily disclosed.

In summary, “what3words” represents a powerful tool for OSINT professionals looking to extract geographical information from pictures. By providing a user-friendly and precise method for location identification, it simplifies the process and enhances the effectiveness of intelligence operations.

Proactive Incident Management: Achieving SLA and SLO Success with Tetragon in Kubernetes

Tetragon is an eBPF-based observability and security tool designed for Kubernetes environments, which enhances incident management and helps maintain compliance with Service Level Agreements (SLAs), Service Level Objectives (SLOs), and Service Level Indicators (SLIs).

Key Concepts

  • SLAs: Formal contracts defining expected service levels.
  • SLOs: Target values for service levels aimed at meeting SLAs.
  • SLIs: Metrics that quantify service levels.

Features of Tetragon

  1. Real-Time System Call Tracing: Monitors system calls to identify performance bottlenecks.
  2. Network Activity Monitoring: Tracks network interactions to detect delays.
  3. Event Correlation: Connects events across the system for a comprehensive overview.
  4. Policy Enforcement: Enforces security policies at the kernel level.

Use Cases

  1. Diagnosing High Latency: Tetragon helps identify the root cause of latency issues by monitoring system calls and network activity, allowing for quick corrective actions.
  2. Monitoring Security Policies: It enables the enforcement of security policies, blocking unauthorized system calls and generating alerts for violations.
  3. Incident Management During Deployments: Tetragon monitors system calls and network activity during deployments to quickly identify and resolve issues, ensuring SLO compliance.
  4. Ensuring SLA Compliance During High Traffic: Proactively monitors services during peak events to maintain performance and availability, preventing SLA breaches.

Conclusion

Tetragon is positioned as a vital tool for production engineers, offering deep observability and proactive management capabilities that enhance service reliability and security while ensuring compliance with critical service metrics.

How Datadog Security Inbox prioritizes security risks

Datadog’s Security Inbox automatically organizes security risks into an actionable list for remediation, cutting through the noise to help teams focus on the most pressing issues. It prioritizes findings based on three key factors: severity level, number of correlated risks, and number of impacted resources or services.

Severity Scoring Matrix

  • For application and infrastructure vulnerabilities, Security Inbox uses the CVSS 3.1 standard. For misconfigurations, identity risks, and attack paths, it uses the Datadog Security Scoring Framework.
  • The Severity Scoring matrix considers the likelihood of exploitation and the impact on the environment to assign a severity level of Critical, High, Medium, or Low.

Correlated Risks and Impact

  • Security Inbox takes correlated risks (for example, whether the affected asset runs in a production environment) into account to more accurately assess a finding’s overall risk.
  • If two findings have the same severity level and correlated risks, the one affecting more resources is prioritized higher.

Conclusion

  • Security Inbox’s multi-tiered prioritization system enables teams to focus on the most critical security risks in their environment.

Build

Creating a Slack Chatbot

  • Create a Slack app and choose the features you want, such as Incoming Webhooks, Interactive Components, Slash Commands, and Bots
  • Use Incoming Webhooks to post messages from Tines to a specific channel
  • Use Slash Commands to allow users to interact with the bot and kick off automation stories
  • Create a Slack Credential in Tines to post messages using the bot

Slash Commands

  • Set up a webhook in Tines to receive slash commands
  • Create a new slash command in Slack with a description and usage hint
  • Extract the command details from the webhook and use them to trigger automation in Tines
  • Respond back to the user in Slack with the results

Rich Notifications

  • Use Slack’s “Blocks” to create rich, formatted notifications to send to users
  • Notifications can include prompts for users to take action

Proactive Notifications

  • Proactively send messages to users in Slack for various reasons like crowdsourcing suspicious activity, informing teams of incidents, confirming changes, etc.
  • Use the Slack API to look up a user’s channel ID by email address
  • Send messages directly to a user’s private channel

These resources provide a detailed walkthrough of how to create a Slack chatbot using Tines to automate various security and IT workflows, including sending notifications, interacting with users, and proactively alerting individuals.
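The receiving side of the slash-command flow above, as an added example (not Tines’ or Slack’s own code): the webhook verifies Slack’s request signature and timestamp before acting, parses the command, and answers with a Block Kit reply. The signing secret, the request body and the /triage command are constructed; the header names, form fields and block types are the ones Slack actually sends and accepts.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs

# Constructed signing secret; a real one comes from the Slack app's "Basic Information" page.
SIGNING_SECRET = "constructed-signing-secret-not-real"
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than five minutes off


def slack_signature(signing_secret, timestamp, raw_body):
    """Slack's v0 signature: HMAC-SHA256 over 'v0:<timestamp>:<raw body>'."""
    base = f"v0:{timestamp}:{raw_body}".encode()
    return "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()


def verify_slack_request(signing_secret, headers, raw_body, now=None):
    """True only if the timestamp is fresh and the signature header matches."""
    now = time.time() if now is None else now
    try:
        ts = int(headers["X-Slack-Request-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or replayed request
    expected = slack_signature(signing_secret, ts, raw_body)
    return hmac.compare_digest(expected, headers.get("X-Slack-Signature", ""))


def parse_slash_command(raw_body):
    """Pull the fields an automation story needs out of the form-encoded body."""
    form = parse_qs(raw_body, keep_blank_values=True)
    return {k: form.get(k, [""])[0] for k in ("command", "text", "user_id", "response_url")}


def handle_slash_command(headers, raw_body, now=None):
    """Webhook entry point: unsigned or stale requests get 401, valid ones get a Blocks reply."""
    if not verify_slack_request(SIGNING_SECRET, headers, raw_body, now):
        return {"status": 401, "payload": None}
    cmd = parse_slash_command(raw_body)
    blocks = [
        {"type": "section", "text": {"type": "mrkdwn", "text":
            f"*{cmd['command']}* from <@{cmd['user_id']}> for `{cmd['text']}`: triage started"}},
        {"type": "actions", "elements": [
            {"type": "button", "text": {"type": "plain_text", "text": "Acknowledge"},
             "action_id": "ack_triage", "value": cmd["text"]}]},
    ]
    # "ephemeral" keeps the reply visible only to the user who ran the command.
    return {"status": 200, "payload": {"response_type": "ephemeral", "blocks": blocks}}


# Constructed request (not a captured one) for a hypothetical /triage command.
SAMPLE_BODY = ("command=%2Ftriage&text=alert-1234&user_id=U0123ABCD"
               "&response_url=https%3A%2F%2Fhooks.slack.com%2Fcommands%2Fexample")


def constructed_request(now, body=SAMPLE_BODY):
    """Build headers exactly as Slack would sign them, for offline testing."""
    headers = {"X-Slack-Request-Timestamp": str(now),
               "X-Slack-Signature": slack_signature(SIGNING_SECRET, now, body)}
    return headers, body
```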

Resources:

https://www.freecodecamp.org/news/how-to-build-a-basic-slackbot-a-beginners-guide-6b40507db5c5/

https://www.tines.com/blog/chatbots-for-security-and-it-teams/

https://www.tines.com/blog/chatbots-for-security-and-it-teams-part-2-microsoft-teams/

https://www.tines.com/blog/chatbots-for-security-and-it-teams-part-3-creating-a-slack-chatbot/

https://www.tines.com/blog/chatbots-for-security-and-it-teams-part-4-managing-response-via-slack/

📚 Smart Book Corner

Title: “Software Engineering at Google: Lessons Learned from Programming Over Time”

Authors: Titus Winters, Tom Manshreck, and Hyrum Wright

Summary: “Software Engineering at Google” offers insights into Google’s unique engineering practices and culture. The book discusses the key principles and methodologies that Google uses to manage large-scale software systems effectively. It covers topics such as code quality, testing strategies, and the importance of a collaborative environment. The authors share their experiences and lessons learned, providing valuable guidance for software engineers seeking to adopt similar practices in their own organizations.

1. Embrace a Blameless Culture: Establish an environment where learning from failures is prioritized over assigning blame to individuals.

  • This approach fosters transparency.
  • Encourages open dialogue.
  • Promotes continuous improvement throughout the organization.

2. Prioritize Code Reviews: Implement a robust system for regular peer reviews to maintain high standards of code quality.

  • Enhances collaboration among team members.
  • Helps in identifying and resolving potential issues early.
  • Prevents bugs from reaching production.

3. Automate Testing: Develop a comprehensive automated testing framework to identify and address issues as early as possible.

  • Minimizes technical debt by catching defects frequently.
  • Boosts overall efficiency.

4. Foster Innovation: Dedicate time and resources for engineers to brainstorm and experiment with new ideas and projects.

  • Leads to significant breakthroughs.
  • Drives the company’s innovation agenda forward.

5. Scale with Caution: Carefully assess the implications of scaling up systems and services.

  • Adopt incremental approaches to growth.
  • Manage risks effectively while ensuring system stability.

6. Encourage Knowledge Sharing: Build and maintain platforms that facilitate the exchange of insights and experiences among engineers.

  • Promotes a culture of knowledge sharing.
  • Enhances team collaboration.
  • Drives collective growth.

7. Balance Speed and Quality: Strive to deliver projects in a timely manner while upholding high standards of quality.

  • Ensures the reliability of deliverables.
  • Enhances customer satisfaction.
  • Reinforces trust in your products and services.

Conclusion: While adopting the strategies outlined in “Software Engineering at Google,” companies should also be cautious of certain practices that can hinder progress. Avoid prioritizing speed over quality, as this can lead to technical debt and customer dissatisfaction. Refrain from maintaining a blame-centric culture, which can stifle innovation and transparency. Lastly, do not neglect the importance of continuous learning and improvement, as stagnation can impede growth and competitiveness in the technology sector.

Quote of the Week

“Success is a journey, not a destination. The doing is often more important than the outcome.” — Arthur Ashe

Arthur Ashe was an American professional tennis player who won three Grand Slam titles. He was the first black player selected to the United States Davis Cup team and is the only black man to win the singles title at Wimbledon, the US Open, and the Australian Open. Beyond his achievements in tennis, Ashe was also known for his activism and advocacy for civil rights and HIV/AIDS awareness.

Subscribe 🔥 to my newsletter for the latest updates on cybersecurity, tech insights, and growth mindset tips. Don’t forget to leave a comment and share your thoughts with the community!

Written by Seif Hateb

Cybersecurity Professional, Lecturer, Cryptographer, Martial Artist.