TLDR Information Security 2024-05-22

Data Leaks in Major Clouds ⛅, Building AI AppSec Team 👥, Students find free laundry 🧺

Attacks & Vulnerabilities

Critical Bug Allows DoS, RCE, Data Leaks in All Major Cloud Platforms (3 minute read)

Researchers have discovered a severe memory corruption vulnerability dubbed "Linguistic Lumberjack" in Fluent Bit, an open-source cloud logging utility with over 3 billion downloads widely used by major organizations and cloud providers like AWS, Microsoft, and Google Cloud. The vulnerability potentially allows denial of service, data leakage, and remote code execution in cloud environments.

OmniVision Says Personal Information Stolen in Ransomware Attack (3 minute read)

Semiconductor manufacturing giant OmniVision Technologies disclosed a ransomware attack in September 2023 that led to data theft, including personal information. However, it has not detailed the type of personal information that was compromised.

Strategies & Tactics

Building an AI AppSec Team (5 minute read)

This blog post presents a workflow that uses AI agents to simulate an AppSec team. The workflow features a manager, code reviewer, exploiter, mitigation expert, and report writer agent to attempt to find vulnerabilities, write PoCs, and mitigate the vulnerabilities. The post makes slightly exaggerated claims on the efficacy of the toolchain, but it serves as an early demonstration of the potential of these tools.

Building a SOC 2 Compliant GitOps CI/CD Pipeline with GitHub Actions (8 minute read)

This is a walkthrough for implementing a SOC 2-compliant GitOps workflow. The workflow features an app repo to test and build the code and an infra repo to deploy it. The walkthrough also presents hotfix and rollback flows.

Endpoint Vulnerability Management at Scale (10 minute read)

A post from Canva outlining its vulnerability management pipeline. The pipeline begins by extracting vulnerability information from its EDR, then uses its MDM to automatically push updates for managed applications; when an application is not managed, it creates tickets for IT instead. The post also includes success metrics and a discussion of the results and difficulties of the process.

Launches & Tools

HoneyTrail (GitHub Repo)

HoneyTrail is a set of honey services to be deployed in an AWS account to detect unauthorized access. The suite uses a separate CloudTrail trail for ease of detection and alerting.

Precli (GitHub Repo)

Precli is designed to do static code analysis of source code with a number of rules covering the standard library for the corresponding programming language.

NightVision (Product Launch)

Covering API and web application security, NightVision will simulate attacks to identify exploitable defects before they enter production and integrates directly with the standard development workflows and CI/CD pipelines.

Two students find security bug that could let millions do laundry for free (3 minute read)

Students have discovered a security flaw in internet-connected laundry machines used by millions of college students that allows free operation and manipulation of account balances through an app's API vulnerability. The vulnerability affects over a million machines across North America and Europe owned by CSC ServiceWorks.

EU Council gives final nod to set up risk-based regulations for AI (4 minute read)

The European Union has approved the groundbreaking and first-of-its-kind AI Act, establishing risk-based regulations for artificial intelligence. The law bans certain high-risk AI use cases and imposes obligations for high-risk applications like biometrics. It will come into force across the EU in phases.

Invisible miners: unveiling GHOSTENGINE's crypto mining operations (7 minute read)

Elastic Security Labs uncovered an intrusion set named REF4578 with a primary payload called GHOSTENGINE that targeted crypto mining operations by deploying malicious modules and exploiting vulnerable drivers. GHOSTENGINE aims to disable security solutions, establish persistence, and execute a crypto-miner while utilizing elaborate techniques to evade detection and ensure system infection.

Quick Links

Critical GitHub Enterprise Server Flaw Allows Authentication Bypass (1 minute read)

GitHub addressed a serious flaw in GitHub Enterprise Server that allowed unauthorized access without authentication for server versions below 3.13.0.

Veeam warns of critical Backup Enterprise Manager auth bypass bug (2 minute read)

Veeam has warned customers about a critical security vulnerability in its Backup Enterprise Manager (VBEM), which allows attackers to sign into any account without authentication.

Why Your Wi-Fi Router Doubles as an Apple AirTag (7 minute read)

Wi-Fi router privacy vulnerabilities are being used to track devices, including Starlink devices in conflict zones, prompting Apple to update its privacy policy.
Curated news 📰, research 🧑‍🔬, and tools 🔒 for information security professionals