News
Hi folks! I'm back!
The break took a bit longer than expected, it was an intense few months.
In short (takes deep breath): we moved house, I burned out, found myself in a dark place of anxiety and depression, found help, got through it thanks to the incredible people around me, went back to working for myself, immediately found work, settled in to the new house much smoother than we thought, went back to working from home on my own schedule, and am now enjoying life more than ever.
It has been quite the ride. But looking back, it all needed to happen, and I am in a much better place now than I've been in years. I've learned a lot about myself, and look forward to learning more.
So, after some recharging I'm picking up the newsletter again. Did I miss much? ;-)
As always, I hope you get value out of this issue and the upcoming ones.
Thank you for your patience! Cheers!
Citrix Bleed 2 exploited weeks before PoCs as Citrix denied attacks
In case you missed it: Citrix Netscaler has a very high-impact vulnerability, dubbed "Citrix Bleed 2" because of how much it resembles the first.
It's exploited by "omitting the equal sign in the 'login=' parameter, causing the device to leak 127 bytes of memory". Yikes. When doing this repeatedly one can gain access to valid session tokens. It's so bad that CISA gave US agencies 24 hours before a patch needed to be installed (and that was a week ago).
Citrix is facing some backlash because they failed to share all available information about exploitation in the wild. Either way, if you run a vulnerable Netscaler install and haven't patched yet, I would assume compromise and go from there.
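For anyone triaging logs for the request shape described above, here is an added example (not from the article, and not Citrix's own tooling) that scans access log lines for a bare `login` parameter that carries no `=` at all and counts how often each source address repeats it. The log format, the `/example/auth` path and the sample lines are all constructed for this illustration; adapt the regex to your own log layout, and remember that the parameter may arrive in a POST body rather than the query string.

```python
"""Added example: flag requests whose query string carries a bare 'login'
parameter (no '=' sign) and count repeats per source address.
Log format and sample lines are constructed for this example."""
import re
from collections import Counter

# Constructed log format: <src_ip> <method> <path>?<query> <status>
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")


def has_bare_param(query: str, name: str = "login") -> bool:
    """True if `name` appears as a parameter with no '=' after it at all."""
    for part in query.split("&"):
        if part == name:  # "login" rather than "login=" or "login=value"
            return True
    return False


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def scan(lines, threshold: int = 3):
    """Return (flagged, offenders).

    flagged:   parsed records whose query carries a bare 'login' parameter.
    offenders: {ip: count} for sources at or above `threshold` flagged hits,
               since the technique relies on repeating the request.
    """
    flagged = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if has_bare_param(rec["query"]):
            flagged.append(rec)
            per_ip[rec["ip"]] += 1
    offenders = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return flagged, offenders


# Constructed sample: three repeats from one address, one stray hit, two benign lines.
SAMPLE_LOG = [
    "203.0.113.7 POST /example/auth?login 200",
    "203.0.113.7 POST /example/auth?login 200",
    "203.0.113.7 POST /example/auth?login 200",
    "198.51.100.2 POST /example/auth?login=alice&passwd=x 200",
    "198.51.100.9 POST /example/auth?user=bob&login 200",
    "198.51.100.2 GET /example/index.html 200",
    "this line does not match the format",
]

if __name__ == "__main__":
    flagged, offenders = scan(SAMPLE_LOG)
    for rec in flagged:
        print("bare login param:", rec["ip"], rec["method"], rec["path"], rec["query"])
    for ip, n in offenders.items():
        print(f"repeat source {ip}: {n} hits")
```

A single bare-parameter request can be a typo or a broken client; the repeat count is what turns it into something worth a look, which is why `scan` reports both the individual hits and the sources that cross the threshold.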
Detection Engineering field manual #1 - What is a Detection Engineer?
I held on to this one for a few weeks until I restarted the newsletter, because it's just a very interesting read :-) (And must be a cool career path to pursue).
Hiding in plain sight - Mount namespaces
Another in the "this is just very interesting" category. A very well-written write-up about using mount namespaces to hide files and masquerade processes on Linux systems. It gets pretty technical, but if you're into that sort of thing you'll love the write-up :-)
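As an added example (my own, not code from the write-up), here is the defender-side counterpart: on Linux, `/proc/<pid>/ns/mnt` is a symlink whose target reads like `mnt:[4026531840]`, and processes sharing a mount namespace share that inode. Listing processes whose inode differs from PID 1's, and especially process names that show up both in the root namespace and in a private one, gives a triage list for the hiding and masquerading the write-up describes. The sample process table is constructed; the `/proc` reader is only used when the script is run directly.

```python
"""Added example: find processes in a mount namespace other than PID 1's,
and process names that appear both in the root namespace and in a foreign one.
A private mount namespace is not malicious by itself (containers and sandboxed
services use them), so this is a triage list, not a verdict."""
import os
import re

NS_RE = re.compile(r"^mnt:\[(\d+)\]$")


def ns_inode(link_target: str):
    """'mnt:[4026531840]' -> 4026531840, or None if the target does not parse."""
    m = NS_RE.match(link_target)
    return int(m.group(1)) if m else None


def foreign_mount_ns(entries, root_target: str):
    """entries: iterable of (pid, comm, ns_link_target).
    Returns [(pid, comm, inode)] for processes outside the root mount namespace."""
    root = ns_inode(root_target)
    out = []
    for pid, comm, target in entries:
        ino = ns_inode(target)
        if ino is None or ino == root:
            continue
        out.append((pid, comm, ino))
    return out


def masquerade_candidates(entries, root_target: str):
    """Process names seen both inside the root mount namespace and outside it.
    A second 'sshd' living in a private namespace is the kind of thing to inspect."""
    root = ns_inode(root_target)
    in_root, outside = set(), set()
    for _pid, comm, target in entries:
        ino = ns_inode(target)
        if ino is None:
            continue
        (in_root if ino == root else outside).add(comm)
    return sorted(in_root & outside)


def collect_from_proc():
    """Read live data from /proc (Linux only). Reading another user's ns links
    normally needs root; entries we cannot read are skipped."""
    entries = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(f"/proc/{name}/ns/mnt")
            with open(f"/proc/{name}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited, or no permission
        entries.append((int(name), comm, target))
    return entries


# Constructed sample table: (pid, comm, readlink of /proc/<pid>/ns/mnt)
ROOT_NS = "mnt:[4026531840]"
SAMPLE = [
    (1, "systemd", "mnt:[4026531840]"),
    (812, "sshd", "mnt:[4026531840]"),
    (4242, "sshd", "mnt:[4026532199]"),             # same name, private namespace
    (5001, "containerd-shim", "mnt:[4026532310]"),  # expected for a container runtime
    (5002, "zombie", "(unreadable)"),               # unparsable target is skipped
]

if __name__ == "__main__":
    live = collect_from_proc()
    root = os.readlink("/proc/1/ns/mnt")
    for pid, comm, ino in foreign_mount_ns(live, root):
        print(f"pid {pid:>6} {comm:<20} mnt ns {ino}")
    print("names in both root and foreign namespaces:", masquerade_candidates(live, root))
```

Pair the list with `/proc/<pid>/mountinfo` for the flagged PIDs: a process whose namespace carries a mount over a path that looks clean from the root namespace is exactly the case the write-up is about.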
The zero-day that could've compromised every Cursor and Windsurf user
OpenVSX is an open-source marketplace for the extensions that power various developer tools such as Cursor, Windsurf, and VSCodium. It turns out that the way it gathers extensions to be built and published was vulnerable to takeover, meaning a single exploitation could essentially compromise millions of developer machines in one go.
It's a very important example of the fact that supply-chain attacks don't just exist in the software we deploy to our servers, but also in what we run on our own machines. Honestly, be it extensions for VSCode or your browser, there doesn't seem to be a good way to fully protect yourself, except to just assume that nothing is safe. But that doesn't really help anyone. More work left to do folks!
'123456' password exposed chats for 64 million McDonald’s job chatbot applications
Speaking of more work to do, good lord.
Although I do get a kick out of imagining thousands of people facepalming when they read this. But still, ffs.
Quick links
- North Korean XORIndex malware hidden in 67 malicious npm packages: link
- UK launches vulnerability research program for external experts: link
- Max severity Cisco ISE bug allows pre-auth command execution: link
- Chinese hackers breached National Guard to steal network configurations: link
- Ukrainian hackers cripple IT infrastructure of Russian drone manufacturer: link
Please use a password manager
If you're not using a password manager yet, please consider doing so. And if you're looking for one to try, give 1Password a shot.
I wouldn't know what to do without it, it's such a great help when navigating between devices, storing anything from passwords to tokens to passkeys and SSH keys.
And as always, thank you 1Password for supporting this humble newsletter.