Scuba Gear from CISA, ROBLOX Malware Campaign, and RUST backdoo-rs
Hello, this week Jordan_Zebor is your editor looking at the notable security news for ScubaGear from CISA, a Roblox malware campaign, and a Rust-based meterpreter named backdoo-rs.

Scuba Gear from CISA

ScubaGear is a CISA-developed tool that assesses whether a Microsoft 365 (M365) tenant's configuration aligns with the Secure Cloud Business Applications (SCuBA) Security Configuration Baselines. It automates what would otherwise be a manual audit: it reads the tenant's current settings, evaluates each baseline policy against them, and reports which controls pass and which are misconfigured, so IT and security teams can see the gaps and take corrective action. Note that it assesses configuration, not software flaws; a clean report means the tenant matches CISA's recommended settings, not that the services behind it are free of vulnerabilities. Running it regularly rather than once matters because tenant settings drift as administrators change them, and a drifted setting is exactly the kind of gap that leads to unauthorized access and data exposure. Regular assessments therefore reduce the chances of data breaches and unauthorized access, help maintain the integrity and confidentiality of business operations, and give organizations evidence that they meet the security baselines CISA recommends.

ROBLOX Malware Campaign

Checkmarx recently discovered a year-long malware campaign targeting Roblox developers through malicious npm packages that mimic the popular "noblox.js" library. The attackers used brandjacking and typosquatting, publishing packages whose names look like, or embed, noblox.js so that a hurried developer installs them believing they are the real thing. Once installed, the packages steal sensitive data such as Discord tokens, deploy additional payloads, and establish persistence on the compromised system. Despite efforts to remove these packages, new versions keep appearing on the npm registry, so the campaign should be treated as ongoing; a dependency name that merely resembles the package you meant to install deserves a second look before npm install runs it with your privileges.
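One way to catch this class of lookalike dependency before it is installed is to compare every name in package.json against the packages the project is known to use and flag names that embed a trusted name (brandjacking) or sit within a small edit distance of one (typosquatting). The script below is an added example, not Checkmarx's tooling or the campaign's code; the trusted list, the package.json and the lookalike names in it are constructed for the demo, and the edit-distance threshold is an assumption to tune per project.

```python
"""Flag npm dependency names that look like, but are not, a package you trust.

Added example (not Checkmarx's or the campaign's code). TRUSTED, SAMPLE_PACKAGE_JSON
and the lookalike names are constructed for the demo.
"""
import json
import re

# Packages this project legitimately depends on (assumption: maintained by the team).
TRUSTED = {"noblox.js", "discord.js", "axios", "express"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Drop scope and punctuation so '@x/noblox.js', 'noblox-js' and 'nobloxjs' compare by letters."""
    return re.sub(r"[^a-z0-9]", "", name.lower().split("/")[-1])


def classify(name: str, trusted=TRUSTED):
    """Return (verdict, trusted_name_it_resembles) for one dependency name."""
    if name in trusted:
        return ("trusted", name)
    n = normalize(name)
    for t in trusted:
        tn = normalize(t)
        if n == tn:
            return ("typosquat", t)   # same letters, different punctuation or scope
        if tn in n:
            return ("brandjack", t)   # trusted name embedded: noblox.js-vps, noblox.js-proxy, ...
        # Threshold is an assumption: about one edit per five characters, never below one.
        if levenshtein(n, tn) <= max(1, len(tn) // 5):
            return ("typosquat", t)
    return ("unknown", None)


def audit(package_json: str) -> dict:
    """Classify every dependency and devDependency in a package.json document."""
    data = json.loads(package_json)
    deps = {**data.get("dependencies", {}), **data.get("devDependencies", {})}
    return {name: classify(name) for name in deps}


# Constructed package.json: one real dependency, one brandjacked name, one typo, one unrelated.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "noblox.js": "^4.13.1",
        "noblox.js-vps": "1.0.0",
        "nobox.js": "1.0.0",
        "axios": "^1.7.0",
        "lodash": "^4.17.21",
    }
})

if __name__ == "__main__":
    for dep, (verdict, ref) in audit(SAMPLE_PACKAGE_JSON).items():
        print(f"{dep:16} {verdict:10} {ref or ''}")
```

Anything reported as brandjack or typosquat should be checked against the registry page of the package it resembles before the lockfile is updated; "unknown" only means the name is not on the trusted list, which is a prompt to add it deliberately rather than a finding.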
RUST backdoo-rs

The article "Learning Rust for Fun and backdoo-rs" describes the author's journey of learning Rust by developing a custom meterpreter. Rust is designed to rule out whole classes of programming errors at compile time, and building red-teaming tooling in it is a good fit for the language as well. A key aspect I covered recently is how Rust helps eliminate vulnerabilities like buffer overflows and use-after-free errors. These are traditionally common in C and C++; Rust's ownership and borrowing rules, together with bounds-checked slices, prevent them in safe code by refusing to compile programs that could touch freed or out-of-range memory. The caveat is that those guarantees stop at the boundary of unsafe blocks, and an implant that calls into operating-system APIs needs some, so the safety of such a project rests on keeping that unsafe surface small and reviewed. Rust's growing adoption in the cybersecurity community, driven by companies like Google and Microsoft, reinforces its role in secure software development and underscores the "secure by design" principles that CISA advocates. Projects like backdoo-rs demonstrate Rust's potential for secure, reliable development in any context.
GitLab Vulnerability, Secure by Design Pledge, & Near Miss Supply Chain Attack
Hello, this week Jordan_Zebor is your editor looking at the notable security news for a critical GitLab vulnerability, the CISA Secure by Design Pledge, and a near-miss supply chain attack.

GitLab Pipeline Takeover Vulnerability

GitLab has disclosed a critical vulnerability (CVE-2024-6385) in its CI/CD pipeline functionality affecting Community Edition (CE) and Enterprise Edition (EE) versions 15.8 through 17.1.1. The flaw, rated CVSS 9.6, allows an authenticated attacker to trigger pipelines as another user under certain conditions. That matters because CI jobs run with the permissions of the user who triggered them, so a pipeline run as someone else can reach that user's projects, variables and deployment targets. The attacker needs an account (the CVSS privileges-required metric is Low rather than None), which is the only thing keeping this one from a <insert sarcasm here> "perfect 10". Either way, the issue still falls under the qualitative severity of critical, meaning security teams should be assessing their risk ASAP: confirm the running version, and patch any instance in the affected range. The flaw was identified through GitLab's HackerOne bug bounty program and has been addressed in the latest security updates. I've not seen reports of active exploitation, so hopefully defenders get some time to patch this issue before proof-of-concept or exploit code is released.

CISA Secure by Design Pledge

CISA's Secure by Design initiative, launched in April 2023, aims to improve product security by getting vendors to commit to measures such as multi-factor authentication, reducing default passwords, and better vulnerability management. F5 has signed the pledge, reflecting its commitment to advancing the security of its products. F5 isn't starting from scratch, as we already adhere to many of the principles outlined in the CISA pledge. We have a strong track record of CVE disclosure and provide transparency and predictable patching through Quarterly Security Notifications. Our established vulnerability disclosure policy ensures the timely identification, assessment, and remediation of vulnerabilities, with clear communication channels for public disclosure.
Additionally, iHealth enhances customers' ability to gather evidence of intrusions, helping organizations detect and respond to cybersecurity threats efficiently.

Python Ecosystem Near Miss Supply Chain Attack

JFrog's Security Research team discovered a critical security issue: a PyPI administrator's access token leaked inside a public Docker container. PyPI (Python Package Index) is the repository Python developers use to share and distribute packages. The token was not in the image's source files; it sat in a compiled Python (.pyc) file, an artifact that source-only secret scanners never open. Had an attacker found it first, the token could have been used to inject malicious code into Python packages or into PyPI's own Warehouse code, potentially granting backdoor access to manipulate popular packages. PyPI's security team revoked the token within 17 minutes of JFrog's report, preventing potential damage, and their transparent incident report concluded that no malicious activity was detected. This near miss underscores the severe risk of supply chain attacks if such credentials fall into malicious hands, and it shows that scanning source code for secrets is not enough: both source and binary artifacts need auditing, because a credential removed from source can survive in a compiled file that was built before the removal.
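The scanning gap this incident exposes can be shown in a few lines: a token deleted from a .py file but still present in a stale .pyc that ships in the same image. The code below is an added example, not JFrog's scanner or PyPI's tooling. The token is constructed (only its pypi-AgEIcHlwaS5vcmc prefix is real; every PyPI API token starts with it because the macaroon begins by encoding the location pypi.org), the stale bytecode is produced with marshal rather than read from disk, and the "image layer" is a dict standing in for files extracted from a container.

```python
"""Scan source AND compiled artifacts for PyPI API tokens.

Added example, not JFrog's or PyPI's code. FAKE_TOKEN is constructed (only the
prefix matches the real format); the stale .pyc is simulated with marshal.
"""
import marshal
import re

# Real PyPI API tokens are "pypi-" + a base64url macaroon whose first bytes encode
# the location "pypi.org", so every token shares this fixed prefix.
PYPI_TOKEN_RE = re.compile(rb"pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{16,}")

# Constructed token: correct prefix, padding instead of a real macaroon body.
FAKE_TOKEN = "pypi-AgEIcHlwaS5vcmc" + "A" * 60

# What the file looked like when it was first committed, and after the token was removed.
OLD_SOURCE = f'TOKEN = "{FAKE_TOKEN}"\n'
NEW_SOURCE = 'import os\nTOKEN = os.environ["PYPI_TOKEN"]\n'


def compile_to_pyc_bytes(source: str) -> bytes:
    """Serialize the code object the way a .pyc body stores it (header omitted).

    String constants are written verbatim into the marshal stream, which is why
    a text pattern still finds the token inside the compiled artifact.
    """
    return marshal.dumps(compile(source, "publish.py", "exec"))


def find_tokens(blob: bytes) -> list:
    """Return every token-shaped match in a raw byte blob (text or binary).

    In a binary stream the greedy character class can run into the byte that
    follows the real token, so treat a hit as a lead to verify, not as the
    exact credential.
    """
    return [m.group(0).decode("ascii") for m in PYPI_TOKEN_RE.finditer(blob)]


def scan_container_layer(files: dict) -> dict:
    """files maps path -> raw bytes, like a flattened image layer. Returns path -> hits."""
    return {path: hits for path, data in files.items() if (hits := find_tokens(data))}


def demo() -> dict:
    # Constructed layer: the cleaned source next to bytecode compiled before the cleanup.
    layer = {
        "app/publish.py": NEW_SOURCE.encode(),
        "app/__pycache__/publish.cpython-311.pyc": compile_to_pyc_bytes(OLD_SOURCE),
    }
    return scan_container_layer(layer)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {len(hits)} hit(s), first starts with {hits[0][:24]}...")
```

The source-only scan comes back clean and the .pyc does not, which is the whole lesson: run the same pattern over every file in the image, including bytecode, archives and binaries, and rotate anything that matches rather than just deleting the file.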