• tl;dr sec
  • Posts
  • [tl;dr sec] #231 - XZ Utils Backdoor Scanner, CISA's Enriched CVEs, SOC 2 Compliant CI/CD

[tl;dr sec] #231 - XZ Utils Backdoor Scanner, CISA's Enriched CVEs, SOC 2 Compliant CI/CD

Understanding & detecting the XZ Utils backdoor, CISA's repo of enriched CVEs, an example SOC 2 compliant GitHub CI/CD pipeline

Hey there,

I hope you’ve been doing well!

🥷 RSA Marketing

Though I did not attend the battlefield RSA vendor hall this year, I heard some tales from friends like Zack Allen.

Of course, there was t-shirts, socks, and other common swag galore, but I wanted to give a brief shout-out to the more interesting things.

First up: the guy on a balance board balancing on a cylinder while in a straitjacket. The security metaphor is clear, don’t need to explain this one.

A “get jacked, not hacked” bootcamp with a celebrity Peloton instructor. Alicia Keys sang and there was a robot making cocktails.

But my favorites are: a choreographed dance by what appear to be professional dancers dressed as ninjas, and KEANU REEVES repping a new cybersecurity product.

You might ask, “What do any of these have to do with cybersecurity or the effectiveness of the products?” To that I say:

“Let he who hath the marketing budget to hire Keanu but the restraint not to cast the first stone.”

-Gandhi

#tldrsecMarketingGoals

New guest post by my friend Rami McCarthy in which he breaks down Gene Kim and Steve Spear’s new book, and maps it to security. Check it out for examples of:

  • Slowification in incident response

  • Simplification across a real security engineering project

  • Amplification and how we should all be declaring more incidents

The overview diagram is really cool, I like it 👌 

Sponsor

📣 The Ultimate Guide for Evaluating Cloud Security Solutions

Gartner predicts that by 2026, 80% of enterprises will have consolidated security tooling for the life cycle protection of cloud-native applications.

Dive into this expert cloud security guide from Wiz to learn:

  • Benefits of replacing siloed solutions with a holistic one

  • Key features and requirements to include in your evaluation

  • How to build an RFP

Fight tool sprawl and alert fatigue with a security solution built for the cloud.

👉️ Get the Guide 👈️

Evaluating vendors is tough, always good to have perspective on how to do so effectively 👍️ 

AppSec

d0ge/sign-saboteur
A Burp Suite extension for editing, signing, verifying, and attacking signed tokens. It provides automatic detection and in-line editing of tokens within HTTP requests/responses and WebSocket messages, signing of tokens and automation of brute force attacks against signed tokens implementations.

Semgrep Academy
My friend Tanya Janca (She Hacks Purple) et al have launched Semgrep Academy, which provides totally free courses on AppSec, secure coding, API security, and more!

Building a GitOps CI/CD Pipeline with GitHub Actions (SOC 2)
Mathieu Larose presents a simple and developer-friendly GitOps-based CI/CD pipeline built on GitHub Actions, designed for SOC 2 compliance. He shares a working implementation and a ruleset, using GitHub’s branch protection feature, that ensures things SOC 2 cares about like PRs must have at least one approving review, required status checks are enforced, etc.

Relative Path File Injection: The Next Evolution in RPO
Some web security wizardry from Ian Hickey, who introduces a new technique called Relative Path File Injection (RPFI), allowing for the injection of arbitrary file data into a user's download via a simple relative anchor tag.

There are a number of preconditions (site has an existing download link, you can inject persistent content into the page like via XSS, etc.) which likely makes this hard to find, but being able to have users download your PDF, Bash script, or server-side template code is neat. The web/browsers are crazy 😂

Sponsor

📣 The AIBOMs are Coming! 🤖 💣️

As AI proliferates, so will the need to safeguard against compromised models and illegal, copyrighted, and poisoned datasets. Artificial Intelligence Bills of Materials (AIBOMs) are emerging as a vital capability to inventory models and the datasets they’re trained on, and CISA recently called out AIBOMs as a best practice in its latest Security Guidelines for Critical Infrastructure. Learn more about AIBOM workflows, use cases, and opportunities to engage with the community in Manifest’s free whitepaper:

Adding AI to everything is all the rage these days, so it’s great to see resources on securing it. I’m curious to learn more about AIBOMs and where things are headed 🤔 

Cloud Security

widdix/aws-amicleaner
A tool by Michael Wittig and Andreas Wittig to clean up your unused AMIs. Process: include AMIs by name or tag → exclude AMIs in use, younger than N days, or the newest N images → manually confirm the list of AMIs to delete.

Scout Suite 5.14.0 now supports Digital Ocean
Scout Suite, a great multi-cloud security auditing tool by NCC Group, can now check for 27 misconfigurations across 7 major Digital Ocean services, thanks to Asif Wani. Nice!

AWS CloudQuarry: Digging for Secrets in Public AMIs
KPMG’s Eduard Agavriloae and Matei Josephs share their research looking for secrets in public AMIs across every AWS region. They examined ~3.1M public AMIs, and in total collected 500 GB of credentials, private repositories, over 121 live valid AWS credentials (20 from a root user), and tons of other secrets. Love the detailed methodology!

Deterring Attackers with HoneyTrail: Deploying Deception in AWS
Adan Alvarez shares HoneyTrail, a new project that uses Terraform to deploy honeypots within AWS, including an S3 bucket with fake data, a Go Lambda function, and a DynamoDB table to attract and detect attackers. The services are monitored by CloudTrail, which generates a log and triggers an alert when an attacker interacts with them.

Since CloudTrail is set to only record specific interactions, and because the services are pay-per-use, the cost of running this setup is almost nothing.

Container Security

raesene/teisteanas
A small program by Rory McCune that can be used to create and approve a Client Signing Request in a Kubernetes cluster and then create a new kubeconfig based on that approved certificate.

Detecting Manual Actions in EKS Clusters with Terraform and SNS
Seifeddine Rajhi describes how to use a Terraform module based on Amazon SNS to set up audit alerts and monitoring for manual actions in crucial AWS Elastic Kubernetes Service (EKS) resources, such as ClusterRoleBinding or Secret creation or deletion.

Supply Chain

XZ Utils Made Me Paranoid
TrustedSec’s Kevin Haubris describes his efforts to develop a scanner that can identify hooks in process memory, and compare them with on-disk binaries, to hopefully be able to identify backdoors like XZ Utils. Kevin discusses a number of nuances and potential false positives in his approach, and has released a tool, VerifyELF, which was able to detect the XZ Utils backdoor on a Debian system.

Techniques Learned from the XZ Backdoor
Excellently detailed post from Knownsec 404 on the various techniques XZ Utils used to avoid detection and how it works. Covers: using the IFUNC feature of GLIBC to automatically run code during the LD loading phase of a program, obfuscating string information using Radix Tree, gathering dependency information to pinpoint the RSA_public_decrypt address within sshd, using the dl_audit mechanism to hook functions, and more.

cisagov/vulnrichment
A public repository by CISA that enriches public CVE records by adding key SSVC (Stakeholder Specific Vulnerability Categorization) decision points and, for higher-risk CVEs, CWE, CVSS, and CPE (Common Platform Enumeration) data.

See this Axios post for more on how CISA is stepping up now that NVD has drastically slowed down.

dependabot-core is now open source with an MIT license
dependabot-core is the component of Dependabot that defines the logic to create pull requests for dependency updates across the 20+ languages and package managers it supports today. The update logic in dependabot-core is tightly integrated with the rest of GitHub’s Dependabot features, such as grouped updates and auto-triage rules.

Poisoning Pipelines: Azure DevOps Edition
JUMPSEC’s Francesco Iulio describes exploring an Azure environment from an initial foothold, the impact of overprivileged roles (e.g. users with non technical roles having write permissions to certain Azure DevOps pipelines), using historical code access to extract secrets, extracting pipeline secrets if you can push code, tactical example commands of what to steal if you’ve compromised an identity associated with a code checking agent, how Terraform files may contain sensitive keys or creds and can be used to understand the infra, and more.

Red Team

ashirt-ops/ashirt-server
By Yahoo’s John Kennedy and Joe Rozner: “Adversary Simulators High-Fidelity Intelligence and Reporting Toolkit.” Basically, tool to streamline documentation and reporting for red team operations, effectively capturing notes, recordings, screenshots, and other evidence.

Everyday Ghidra: Symbols - Prescription Lenses for Reverse Engineers - Part 1
@Clearbluejar describes how recovering symbols aids the reverse engineering process (e.g. function names, prototypes, data types, constants, enums), and how to recover name and type info from closed source binaries using named exports, imports, public symbols, debug binaries and private symbols, and more.

AI + Security

LLMjacking: Stolen Cloud Credentials Used in New AI Attack
Sysdig’s Alessandro Brucato describes how some cybercriminals are leveraging stolen cloud credentials to access cloud-hosted LLM services, and then sell that LLM access to other cybercriminals. This seems like an obvious attack to me, basically it’s like cryptojacking, which leverages a victim’s compute to mine cryptocurrency, but for LLMs instead.

Building an AI AppSec Team
Srajan Gupta walks through an example of using CrewAI to create a multi-agent application security team, with agents focused on code review, exploiting identified issues, mitigating the vulnerabilities, writing a report summary, and a manager agent.

Challenges include: agent orchestration (e.g. the manager performs a task instead of delegating), and memory (ensuring agents have access to relevant memory but not unnecessary details which increase costs).

HackerOne co-founder Jobert Abma on AI in bug bounty
I’m guessing that some bug bounty hunters were afraid of AI replacing them (after Jobert’s tweet that their AI hack agent could find basic vulnerabilities and solve the first few Hacker101 CTFs), so Jobert shared a long tweet about it.

I agree with most of what Jobert says: the best hackers already use (non AI) automation heavily, AI will supercharge the best hackers, and that AI will be able to find low hanging fruit bugs but humans will still be necessary (for the foreseeable future) for the most complex bugs.

💡 What Jobert doesn’t say is that like with any area of expertise, there’s a power law distribution of skill (most people are junior), and they will be affected by AI first and the most.

I predict that AI systems built by experts/security product companies will be better than entry level bug bounty folks in 2 years, 5 years at the outside. Not experienced people, but people who are just starting out.

But then what happens to the talent pipeline? Senior people got there by first being junior and gaining experience, so what if it’s unprofitable to hire junior talent? I think about this a lot these days. Maybe AI will help people learn faster via 1:1 mentoring, and that will be a partial solution.

AI

So many exciting things this week!

Quick Recap for Google I/O 2024
The Ben’s Bites newsletter has a nice overview, including: Gemini Flash is a faster and cheaper model (think Claude Haiku), a real time voice assistant called Astra, a long-form video generator called Veo, Gemini is getting integrated into Workspace products (summarize emails, suggested responses, Gmail Q&A, AI sidebar in Docs, Sheets, …), and more.

Hello GPT-4o
OpenAI has released a new flagship model that can reason across audio, vision, and text in real time. It matches GPT-4 Turbo performance and is faster and 50% cheaper, and free users will be able to use it in ChatGPT. This page has a bunch of cool demos, as does their launch video and this tweet thread.

The real-time conversation capabilities are quite cool (real-time language translation demo 🤯), and it’s interesting how GPT-4o seems reasonable at detecting emotions in human faces. Having a desktop app that can see your screen and easily answer questions/help troubleshoot is neat, and they’ve hinted at more agentic functionality coming soon.

In my personal experiments, anecdotally, GPT-4o seems a bit better at helping at coding tasks, in terms of having more thorough and complete responses.

Misc

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler