Are We Ready for Next Cyber Crisis Like Log4Shell or Not? Voxxed Days Thessaloniki 2025

Transcript

1. Are We Ready For The Next Cyber Security Crisis Like

   Log4Shell? Probably Not ! SOROOSH KHODAMI Software Developer / Architect Code Nomads Nov 8 - 2025

2. PROLOGUE EXPOSED

3. Who has ever copied a set of bash commands from

   internet ? (Stack Overflow / ChatGPT / CoPilot / Claude …)

4. “I will not run commands in terminal blindly” – a

   developer Hackers Hackers Hackers

5. YOU ARE ONE COMMAND AWAY FROM GIFTING ACCESS TO A

   HACKER

6. Can you recognize? REVERSE SHELL

7. Victim Hacker

8. maven install

9. What the huck? Hacker Private IP Address 192.168.X.X Private IP

   Address 192.168.X.X Private IP Address 192.168.X.X My Laptop Incoming Request X GIFT Outgoing Request Firewall Public IP Address Router My Hotspot Hotspot’s network

10. The New Battlefront in Cybersecurity Supply Chain Attack

11. D E V E L O P E R /

    A R C H I T E C T Soroosh Khodami Developing Software Since Good Old Dial Up Days Expert in Software Supply Chain Security Solution Architect at Rabobank via Code Nomads @SorooshKh linkedin.com/in/sorooshkhodami

12. ACT I UNMASKED

13. CLASSIC CYBER ATTACKS SQL Injection Cross-Site Scripting (XSS) Cross-Site Request

    Forgery (CSRF) DDoS Man-in-the-Middle Remote Command Execution Path Traversal Buffer Overflow Privilege Escalation Zero-Day Exploits Server-Side Forgery (SSRF) Read More ▪ https://www.certifiedsecure.com ▪ https://portswigger.net/web-security/learning-paths Phishing

14. Security Risk Transformation Read More https://owasp.org/www-project-top-ten/

15. Security Risk Transformation Read More https://owasp.org/www-project-top-ten/ 2025 (New) Supply chain

    attacks?

16. Security Risk Transformation Read More https://owasp.org/www-project-top-ten/ Release on Nov 6

17. Supply Chain Risks Software Supply Chain Hijacking Counterfeit Components Compromised

    Build Environments Third-Party Vulnerabilities Dependency Confusion

18. ██╗░░░░░░█████╗░░██████╗░░░██╗██╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░ ██║░░░░░██╔══██╗██╔════╝░░██╔╝██║██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░ ██║░░░░░██║░░██║██║░░██╗░██╔╝░██║╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░ ██║░░░░░██║░░██║██║░░╚██╗███████║░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░ ███████╗╚█████╔╝╚██████╔╝╚════██║██████╔╝██║░░██║███████╗███████╗███████╗ ╚══════╝░╚════╝░░╚═════╝░░░░░░╚═╝╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝ CVE-2021-44228 CVSS Score 10

    / 10 CVE-2024-3094 CVSS Score 10 / 10 CVE-2022-22965 CVSS Score 9.8 / 10 CVE-2020-10148 CVSS Score 9.8 / 10 CVE-2025-29927 CVSS Score 9.1 / 10 CVE-2025-1974 CVSS Score 9.8 / 10 2020 2021 2022 2024 2025

19. Still 2025

20. of all downloads of Log4J are still vulnerable to the

    Log4Shell 13% Reported By Sonatype (Maven Central) https://www.sonatype.com/resources/log4j-vulnerability-resource-center 3 Years After Disaster

21. com.xyzcompany.shared-libs version : 1.999.999 com.xyzcompany.shared-libs version : 1.2.5 Maven Repository

    #2 Source Code ? Read More • How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 Maven Repository #1 Dependency Confusion

22. Read More • How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 Dependency Confusion

    mycompany-ui-component version : 6.6.6 mycompany-ui-component version : 1.2.5 Private NPM Repository Source Code ?

23. Dependency Confusion

24. Spring Boot Hello-World Dependencies [Your Software] com.yourcompany.awesome Open Source Library

    Vendor Library Open Source Library Open Source Library Open Source Library Open Source Library Open Source Library Open Source Library Open Source Library Open Source Library How Much Risk Are We Talking About ?

25. [Your Software] @yourcompany/awesome Open Source Library Vendor Library Open Source

    Library Open Source Library Open Source Library Open Source Library Open Source Library Open Source Library Open Source Library Open Source Library How Much Risk Are We Talking About ? Hello World NodeJS App (Only Express) 65 Sub-Dependencies

26. AI ERA: Typosquatting & Slopsquatting

27. AI ERA: LLM Poisoning & Prompt Injections Read More •

    Russian hackers manipulate npm to make realistic packages -https://www.getsafety.com/blog-posts/russian-hackers-manipulate-npm-to-make-realistic-packages • https://dev.to/andyrichardsonn/how-i-exploited-npm-downloads-and-why-you-shouldn-t-trust-them-4bme • Find packages with similar names to your packages - https://github.com/cmandesign/Dependency-MiSpell • Prompt Injection By Brian Vermeer - https://www.youtube.com/watch?v=72e_0WxaQl0

28. AI ERA: Model Vulnerabilities

29. Lateral Movement: From SQL Injection to Root on K8s SQL

    Injection Vulnerability CVE: CVE-2022-22965 (Spring4Shell) Exploiting improper input sanitization in JDBC queries PostgreSQL Command Execution CVE: CVE-2022-1552 Affected versions: PostgreSQL 14.x before 14.3 Allows a database user with CREATE privileges to execute arbitrary code as the PostgreSQL server user Container Privilege Escalation CVE: CVE-2022-0847 (Dirty Pipe) Attack: Leveraging a page cache vulnerability to gain root within container Kubernetes Privilege Escalation CVE: CVE-2023-2727 Affected versions: Kubernetes v1.25.0-1.25.9, v1.26.0-1.26.4, v1.27.0- 1.27.1 Exploiting the API server's subject access review validation to bypass RBAC and gain cluster-admin privileges 1 2 3 4

30. ACT II FORTRESS

31. Naming Convention & Reserve Namespace Version Pinning No Latest or

    Range Package Install Check Use Dependency Scanning Tools (SCA) Using Dependency Firewall Official Repositories CRITICAL ESSENTIAL ADVANCED Keep Dependencies Up to Date Clean Up Unused Libraries Immutable Versions Sign Artifacts Continuous Monitoring (SBOM Management) Read More • How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 • https://xygeni.io/blog/lack-of-version-pinning-and-dependency-confusion/ • https://github.blog/2021-02-12-avoiding-npm-substitution-attacks/ • https://books.sonatype.com/mvnref-book/reference/running-sect-options.html#running-sect-deps-option Supply Chain Risks Recommendations

32. Naming Convention & Reserve Namespace Version Pinning No Latest or

    Range Package Install Check CRITICAL Clean Up Unused Libraries Supply Chain Risks Recommendations • Standardize internal artifact naming patterns (e.g., com.company.* @company/* ) • Reserve org name in dockerhub, npm, NuGet, ansible galaxy & … • Use exact version like 1.2.18 and do not use “LATEST” or ranges like : [1.0,) ▪ [Java] mvn clean install --strict-checksums ▪ [Java] Maven Enforcer Plugin Rules ▪ [All] Package signature verification ▪ [NPM] npm install --ignore-scripts (globally: npm config set ignore-scripts true) ▪ [NPM] NPM Audit ▪ [All] Dependencies Lock-file (package-lock.json , pip.lock, gradle.lock ) • mvn dependency:analyze (maven) • npx depcheck (npm)

33. Use Dependency Scanning Tools (SCA) Official Repositories ESSENTIAL Keep Dependencies

    Up to Date Immutable Versions Supply Chain Risks Recommendations • Avoid using non-maven-central repositories as much as possible • Using proxy repository solutions with routing (includes/excludes) -> Nexus Repo/JFrog • Repository Filter in Maven/Gradle (*) • Renovate / Dependabot ▪ Enforce Immutability for release versions (via Nexus Repository, Jfrog, … ) • OWASP DepScan, Sonatype Lifecycle, Snyk, Anchore, ... (*) (*) More details on next slides

34. Repository Filter (Maven/Gradle) Gradle Maven Remote Repository Filtering Read More

    • https://docs.gradle.org/current/userguide/filtering_repository_content.html • https://maven.apache.org/resolver/remote-repository-filtering.html • https://github.com/JanaCro/maven-remoteRepositoryFiltering By Jana Vojnovic DevSecOps Engineer

35. Dependency Scanning Dependencies Info Licenses Vulnerabilities App Identifier & Metadata

    Software Bill of Material (SBOM)

36. SBOM Generation Artifact Container Image Source Code Runtime Env Dependency

    Scanning

37. SBOM: OWASP DepScan - Jack of All Trades

38. SBOM Generation – Java Ecosystem Read more • OWASP DevSecOps

    Guideline https://github.com/OWASP/DevSecOpsGuideline • Securing the Supply Chain for Your Java Applications by THOMAS VITALE - https://www.youtube.com/watch?v=VM7lJ0f_xhQ Version +3.3

39. SBOM Generation - Docker Read more • OWASP DevSecOps Guideline

    - https://github.com/OWASP/DevSecOpsGuideline • https://earthly.dev/blog/docker-sbom/

40. Dependency Scanning Free & Paid Tools Read more • OWASP

    DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

41. Supply Chain Risks Recommendations • Real-time blocking of vulnerable and

    malicious dependencies on download request (Nexus Firewall / Jfrog X-Ray) • Jar file: Jarsigner • NPM ECDSA Signature • Container Image: notary v2 / cosign + Enforce signed images on K8s ▪ Monitor SBOMs to detect newly discovered vulnerabilities Using Dependency Firewall ADVANCED Sign Artifacts Continuous Monitoring (SBOM Management)

42. ACT III RESILIENCE

43. Which Application ? Who to contact ? How to Fix

    ? How to detect ? ██╗░░░░░░█████╗░░██████╗░░░██╗██╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░ ██║░░░░░██╔══██╗██╔════╝░░██╔╝██║██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░ ██║░░░░░██║░░██║██║░░██╗░██╔╝░██║╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░ ██║░░░░░██║░░██║██║░░╚██╗███████║░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░ ███████╗╚█████╔╝╚██████╔╝╚════██║██████╔╝██║░░██║███████╗███████╗███████╗ ╚══════╝░╚════╝░░╚═════╝░░░░░░╚═╝╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝ CVE-2021-44228 CVSS Score 10 / 10 h Application ? Who to contact ? How to Fix ? How to detect ? cation ? Who to contact ? How to Fix ? How to detect ? Which Application ? Who to contact ? How to Fix ? How to d Which Application ? Who to contact ? How x ? How to detect ?

44. SBOM Management SBOM In Practice SBOM App SBOM App SBOM

    App SBOM App Continuous Monitoring ZERO DAY ALERT ! Search Apps Based On Dependency or CVE Which Applications ? Authors/Committers Information is Available Who to Contact ? Continuous Monitoring on New SBOMs Are we safe now ? (Realtime-overview) Application Metadata Prioritization on Fix

45. SEVERITY vs PRIORITY CVE-2023-48795 Terrapin SSH Attack CVSS Score 5.9

    / 10 CVE-2024-3094 XZ Utils Backdoor CVSS Score 10 / 10 vs Public Internet Access Customers PII Data High EPSS Score (90%) Isolated Network Low EPSS Score (40%) Read more • https://www.first.org/epss/ • https://epsslookuptool.com • https://www.cvedetails.com Disclaimer: This is just an example, and the EPSS Score is a live score updated daily.

46. SBOM Management: Dependency Track

47. Commercial Tools Free / Open-Source Read more • OWASP DevSecOps

    Guideline https://github.com/OWASP/DevSecOpsGuideline SBOM Management

48. Naming Convention & Reserve Namespace Version Pinning No Latest or

    Range Package Integrity Check Use Dependency Scanning Tools (SCA) Using Dependency Firewall Official Repositories CRITICAL ESSENTIAL ADVANCED Keep Dependencies Up to Date Clean Up Unused Libraries Immutable Versions Sign Artifacts Continuous Monitoring (SBOM Management) Am I Prepared Now For New Crisis?
49. None

50. DevSecOps Read more • OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline • What

    is DevSecOps? https://www.ibm.com/think/topics/devsecops

51. Modern Approach Design Develop Deploy Staging Production ▪ DAST ▪

    Load/Stress Test ▪ 4-Eyes Principle ▪ Secret Scanning ▪ SAST/SCA ▪ IaC Scanning ▪ Container Image Scanning ▪ Security Design ▪ Threat Modelling S H I F T L E F T • Continuous Dependency Monitoring • Firewall • Runtime Application Security • Pentest / Bug Bounty • Vulnerability Disclosure Program • Logging & Monitoring • Cloud Native Application Protection

52. Still ... lop Deploy Staging Production ▪ DAST ▪ Container

    Image Scanning ▪ Load/Stress Test t Scanning SCA canning • Continuous Dependency Monitoring • Firewall • Runtime Application Security • Pentest / Bug Bounty • Vulnerability Disclosure Program • Logging & Monitoring • Cloud Native Application Protection https://www.youtube.com/watch?v=gdsUKphmB3Y Read more • OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

53. EPILOGUE CONCLUSION

54. YOU EITHER DIE A HERO OR YOU LIVE LONG ENOUGH

    TO SEE YOURSELF BECOME THE VILLAIN H a r v ey D en t

55. Thanks for your attention If you have any other questions,

    you can reach out to me via MS Teams or Social Media handles: @SorooshKh linkedin.com/in/sorooshkhodami Special Thanks to Ali Yazdani (OWASP.org) Leendert Brouwer, Jana Vojnovic & Erdi Aktan