Did anyone actually win anything from the Human Connection Challenge?
It's been quite a while since the challenge ended, and still no official announcement about the winners. There was no live prize draw, and it feels like the whole thing just silently wrapped up. Don’t get me wrong, I’m not mad about not winning a major prize or anything. But it seems like nobody won anything ? I haven’t seen a single post from anyone saying “thank you” or mentioning they received something. That’s... odd, right? If you won a PS5, headphones, or any of the big prizes, please let us know. I’ll honestly be happy if I’m wrong and people did get rewarded. 😊 Just curious if there were actual winners📢 We want to hear from you!
Our community is growing and your feedback is invaluable in helping us grow and improve. Please take a few moments to share your thoughts, experiences and suggestions with us. This survey should take no more than 5 minutes to complete, and please be assured that your responses will be kept confidential and used only for the purposes of this survey. We understand that your time is valuable, and we're grateful for your willingness to help us improve.Thank you, Immersive Labs
For your kindness and genius. And for allowing us to be a little bit wiser every day; thank you for your practical and theoretical labs (I have even smiled with some of them :)). Thank you for making us investigate, for going a little further; and for having an impact on our customers: protecting them better. Thank you for allowing us to work with recent CVEs from various perspectives (attack, defense and post-mortem). Thank you for your effort and for making it possible. Here's to many more years! :).
CVE-2024-3094 (XZ Utils Supply Chain Backdoor)
This training was a deep dive into supply chain attacks, focusing on how attackers compromise third-party libraries to infiltrate systems. 🌳 ROOT: The Core Lesson 🔹 Your code is only as secure as its weakest dependency. 🔹 Attackers don’t always target your app—they infect the libraries and tools you trust. 🔹 A single update from upstream can spread malware downstream into thousands of systems. 🌲 BRANCHES: Key Takeaways 1️⃣ Trunk: The Major Incidents (Real-World Cases) 📌 Log4j (CVE-2021-44228) – A simple logging library led to RCE attacks on millions of apps. 📌 XZ Utils Backdoor (CVE-2024-3094) – Attackers planted a hidden SSH backdoor inside a widely used Linux tool. 📌 SolarWinds Attack – A trusted software update infected top enterprises & governments. 2️⃣ Branches: How These Attacks Work? 🌿 Compromised Upstream – Hackers inject malicious code into open-source projects. 🌿 Silent Propagation – CI/CD pipelines & OS distros auto-fetch infected updates. 🌿 Exploitation in Production – The attacker gains remote access, RCE, or data leaks. 3️⃣ Leaves: Defensive Actions You Must Take! 🍃 Pin Dependencies – Use fixed versions instead of "latest". 🍃 Verify Integrity – Check hashes, signatures, and changelogs before updating. 🍃 Scan Your Stack – Use SCA tools like Dependabot, Trivy, or Snyk. 🍃 Restrict CI/CD Auto-Updates – Require manual reviews for third-party updates. 🍃 Monitor for Compromise – Set alerts for vulnerable dependencies. 🌟 TOP OF THE TREE: The Final Takeaway Supply chain security is not an option—it's a necessity! If upstream is compromised, everything downstream is at risk. Never blindly trust software updates—always verify before deploying. Your security is only as strong as the weakest library you import! Be proactive, not reactive—because the next Log4j or XZ Backdoor could already be in your pipeline!Question for members: your most rebellious labs
Hello!, I think it would be interesting to share in this Community those labs that have been the most difficult for us to complete; or those that are resisting us and we have invested a significant amount of time: trying tactics and techniques, reading carefully their documentation and references, blog posts about the exploits, testing options or just going step by step. Let's get started :)!: .: I find it hard to finish labs related to access policies or permissions in Cloud: maybe it's the syntax required to give permission to a S3 bucket or to the access point ... but I invest a lot of time to complete them. I am close to having finished 2,400 labs but when I have to write the concrete policy in that json file I struggle :). .: Esoteric labs, as I like to call them ^^. Example: CAN bus. Don't ask me the specific reason, but I have been trying for some time to finish the last few!: I love them, but I'm stuck at the moment. [...] So: which are the labs you have had the hardest time finishing (no matter the difficulty) and which are the ones you are investing the most time in?. Thank you and good luck!.
