🔶 Methods to Backdoor an AWS Account
Post exploring some methods that an adversary can use to create backdoors in your AWS account: access keys, AssumeRole, changing Security Groups, UserData scripts, and SSM Send-Command.
https://mystic0x1.github.io/posts/methods-to-backdoor-an-aws-account/
#aws
🔶 How to setup geofencing and IP allow-list for Cognito user pool
AWS recently announced that it is now possible to enable WAF protection for Cognito user pools. One of the things you can do with this is implement geo-fencing and IP allow/deny lists.
https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool/
#aws
🔶 When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability
Threat actors used SugarCRM's zero-day CVE-2023-22952 and cloud account misconfigurations to access credentials.
https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat
#aws
🔶 SSRF Tricks - Thread
Some tricks «rhynorater» picked up over the past 5 years of web app testing.
https://x.com/rhynorater/status/1689400476452679682?s=52&t=J3j_Bp59pI4rfliKITPeZQ
(Use VPN to open from Russia)
#aws
🔶 Hacking Github AWS integrations again
Another post looking at the perils of improperly scoping access provided by OIDC.
https://dagrz.com/writing/aws-security/hacking-github-aws-oidc
#aws
🔷 Unauthorized Access to Cross-Tenant Applications in Microsoft Power Platform
A researcher at Tenable has discovered an issue that enables limited, unauthorized access to cross-tenant applications and sensitive data (including but not limited to authentication secrets).
https://www.tenable.com/security/research/tra-2023-25
(Use VPN to open from Russia)
#azure
🔶 Perform continuous vulnerability scanning of AWS Lambda functions with Amazon Inspector
Activate Amazon Inspector within one or more AWS accounts, and be notified when a vulnerability is detected in an AWS Lambda function.
https://aws.amazon.com/ru/blogs/security/perform-continuous-vulnerability-scanning-of-aws-lambda-functions-with-amazon-inspector/
#aws
🔶 More on Abusing the Amazon Web Services SSM Agent as a Remote Access Trojan
This blog lays out a new potential post-exploitation technique: Abusing AWS Systems Manager (SSM) agent so that it functions as a Remote Access Trojan (RAT) on both Linux and Windows machines, while using an attacker AWS account as a Command and Control (C&C).
https://www.mitiga.io/blog/abusing-the-amazon-web-services-ssm-agent-as-a-remote-access-trojan
#aws
🔶 Automated First-Response in AWS using Sigma and Athena
Can Sigma rules provide first-response capabilities in a post-compromise AWS environment?
https://invictus-ir.medium.com/automated-first-response-in-aws-using-sigma-and-athena-615940bedc56
(Use VPN to open from Russia)
#aws
🔶🔷🔴 Hijacking Cloud CI/CD Systems for Fun and Profit
This research details a new technique that can be used by threat actors for supply chain attacks on open-source repositories using GCP, Azure and AWS.
https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit
#aws #azure #gcp
🔶 No keys attached: Exploring GitHub-to-AWS keyless authentication flaws
While popular, GitHub-to-AWS keyless authentication mechanisms can be insecurely configured.
https://securitylabs.datadoghq.com/articles/exploring-github-to-aws-keyless-authentication-flaws/
#aws
🔶 How to get rid of AWS access keys - Part 3: Replacing the authentication
Post discussing alternative solutions to using access keys.
https://www.wiz.io/blog/how-to-get-rid-of-aws-access-keys-part-3
#aws
🔶 Abusing Amazon VPC CNI plugin for Kubernetes
The article discusses a security vulnerability in the Amazon VPC CNI plugin, used by Amazon EKS. The flaw allows an attacker to move laterally to other VPCs in the AWS account.
https://www.elttam.com/blog/amazon-vpc-cni/
#aws
🔶 How to Monitor AWS IAM Root Users at Scale: Best Practices
CloudYali provides insights into best practices and effective strategies for managing IAM users at scale. The article delves into IAM user monitoring, emphasising the importance of the root user, and highlighting essential IAM security practices. It also covers automation of IAM Credential Report generation at scale, streamlining the collection of IAM user information and facilitating more efficient monitoring and management for cloud teams.
https://www.cloudyali.io/blogs/how-to-monitor-aws-iam-root-users-at-scale-best-practices?utm_source=tldrsec.com&utm_medium=referral&utm_campaign=tl-dr-sec-191-badzure-detection-response-pipelines-18k-subscribers
#aws
🔷 Escalating Azure Privileges with the Log Analytics Contributor Role
A (now fixed) privilege escalation that allowed an Azure AD user to escalate from the Log Analytics Contributor role to a full Subscription Contributor role.
https://www.netspi.com/blog/technical/cloud-penetration-testing/escalating-azure-privileges-with-the-log-analystics-contributor-role/
#azure
🔶 Terraform best practices for reliability at any scale
At scale, many Terraform state files are better than one. But how do you draw the boundaries and decide which resources belong in which state files? What are the best practices for organizing Terraform state files to maximize reliability, minimize the blast-radius of changes, and align with the design of cloud providers?
https://substrate.tools/blog/terraform-best-practices-for-reliability-at-any-scale
#aws
🔶 Identifying & Reducing Permission Explosion in AWS
The slides of a BlackHat 2023 talk that discusses how to identify, fix, and prevent permission explosion in your AWS environment.
https://i.blackhat.com/BH-US-23/Presentations/US-23-Moolrajani-Reducing-AWS-Permission-Explosion.pdf
#aws
🔷 An Azure Tale of VPN, Conditional Access and MFA Bypass
A walkthrough review of the implementation of an on-prem VPN server that used Azure AD as the IdP and enforced MFA via Conditional Access policies.
https://simondotsh.com/infosec/2023/08/15/azure-tale-vpn-ca-mfa-bypass.html
#azure
🔶 AWS Security Monitoring in 2023: Untangle the chaos
This post provides recommendations for implementing an effective security monitoring strategy in AWS.
https://marbot.io/blog/2023-08-04-aws-security-monitoring-in-2023.html
#aws
🔷 Knocking on the Front Door (client side desync attack on Azure CDN)
A write-up on a Browser-Powered Desync bug discovered in the Azure CDN service known as Front Door.
https://blog.jeti.pw/posts/knocking-on-the-front-door
#azure
🔶 Configure fine-grained access to your resources shared using AWS Resource Access Manager
You can use AWS Resource Access Manager (AWS RAM) to securely, simply, and consistently share supported resource types within your organization or organizational units (OUs) and across AWS accounts.
https://aws.amazon.com/ru/blogs/security/configure-fine-grained-access-to-your-resources-shared-using-aws-resource-access-manager/
#aws
🔴 Signing URLs in GCP: Convenience vs. Security
Why the "iam.serviceAccounts.signBlob" permission can cause trouble in your GCP environment.
https://lsgeurope.com/post/signing-urls-in-gcp-convenience-vs-security
#gcp
🔷 Microsoft Entra Workload ID - Introduction and Delegated Permissions
Post providing an overview of some aspects and features that are important when delegating management of Workload ID in Microsoft Entra: Who can see and create apps? Why should you avoid assigning owners to service principals or application objects?
https://www.cloud-architekt.net/entra-workload-id-introduction-and-delegation
#azure
🔶 AWS Networking Concepts
A mind map to link together all the different networking-related concepts from AWS.
https://miparnisariblog.wordpress.com/2023/03/29/aws-networking-concepts/
#aws
🔶 Swiping right on the AWS WAF CAPTCHA challenge
Post walking through a methodology for beating the AWS WAF CAPTCHA challenges programmatically.
https://onecloudplease.com/blog/swiping-right-on-the-aws-waf-captcha-challenge
#aws
🔶 Refuting AWS Chain Attack - Digging Deeper into EKS Zero Day claims
An analysis of the findings published by a security researcher last month, claiming to have uncovered zero days in thousands of EKS clusters.
https://kloudle.com/blog/refuting-aws-chain-attack-digging-deeper-into-eks-zero-days-claim/
#aws
🔶 Orca Security's journey to a petabyte-scale data lake with Apache Iceberg and AWS Analytics
Orca Security shares their experience in building a petabyte-scale data lake using Apache Iceberg and AWS services.
https://aws.amazon.com/ru/blogs/big-data/orca-securitys-journey-to-a-petabyte-scale-data-lake-with-apache-iceberg-and-aws-analytics/
#aws
🔴 Bad.Build: PE & RCE Vulnerabilities in Google Cloud Build
The Orca Research Pod discovered Bad.Build, a vulnerability in the Google Cloud Build service that enables attackers to escalate privileges and gain unauthorized access to code repositories and images in Artifact Registry.
https://orca.security/resources/blog/bad-build-google-cloud-build-potential-supply-chain-attack-vulnerability/
#gcp
🔷 Azure AD is Becoming Microsoft Entra ID
Microsoft is rebranding Azure AD to Microsoft Entra ID.
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-is-becoming-microsoft-entra-id/ba-p/2520436
#azure
🔶 CVE-2021-38112: AWS WorkSpaces Remote Code Execution
A vulnerability in the AWS WorkSpaces desktop client (CVE-2021-38112), which allows commands to be executed if a victim opens a malicious WorkSpaces URI from their browser.
https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/
#aws