🔸Evilginx-ing into the cloud: How we detected a red team attack in AWS

Another interesting walk through from the Expel team on a red team exercise they recently spotted in a customer's AWS cloud environment.

https://expel.io/blog/evilginx-into-cloud-detected-red-team-attack-in-aws/

#aws

🔹Privilege Escalation in AKS Clusters

Read access to ConfigMaps by default allowed privilege escalation in Microsoft's Kubernetes AKS.

https://medium.com/sse-blog/privilege-escalation-in-aks-clusters-18222ab53f28

#azure

🔸"I took a first pass at mapping out how AWS security services all connect to one another and where to categorize them."

https://twitter.com/0xdabbad00/status/1336494125617541120

#aws

🔸Netflix/consoleme

New tool from the Netflix cloud security team that “strives to be a multi-account AWS swiss-army knife, making AWS easier for your end-users and cloud administrators.”

- Consolidates the management of multiple accounts into a single web UI.
- Allows your end-users and admins to get credentials / console access to your different AWS accounts, depending on their authorization level.
- Provides mechanisms for end-users and admins to both request and manage permissions for IAM roles, S3 buckets, SQS queues, and SNS topics.
- A self-service wizard is also provided to guide users into requesting the permissions they desire.

https://github.com/Netflix/consoleme

#aws

🔸AWS Systems Manager Attack and defense strategies

Post covering multiple aspects of Systems Manager, Documents and how to protect and detect techniques leveraging its "Run Command".

https://blog.karims.cloud/2020/12/08/ssm-attack-and-defense-strategies.html

#aws

🔸AWS Audit Manager Simplifies Audit Preparation

Audit Manager is a new AWS service that “provides prebuilt frameworks for common industry standards and regulations, and automates the continual collection of evidence to help you in preparing for an audit.”

https://aws.amazon.com/blogs/aws/aws-audit-manager-simplifies-audit-preparation/

#aws

🔸Gaining Persistency on Vulnerable Lambdas

What can an attacker do if they found a Remote Code Execution (RCE) vulnerability in a Lambda function?

https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/

#aws

🔴Google Cloud Platform (GCP) Service Account-based Privilege Escalation paths

The Praetorian team uncovered a GCP risk scenario in which privileges in a compromised service can be used to further escalate privileges.

https://www.praetorian.com/blog/google-cloud-platform-gcp-service-account-based-privilege-escalation-paths

#gcp

Azure Kubernetes (AKS) Security Best Practices

Part 1: Designing Secure Clusters and Container Images
https://www.stackrox.com/post/2020/01/azure-kubernetes-aks-security-best-practices-part-1-of-4/

Part 2: Networking
https://www.stackrox.com/post/2020/02/azure-kubernetes-aks-security-best-practices-part-2-of-4/

Part 3: Runtime Security
https://www.stackrox.com/post/2020/02/azure-kubernetes-aks-security-best-practices-part-3-of-4/

Part 4: Cluster Maintenance
https://www.stackrox.com/post/2020/03/azure-kubernetes-aks-security-best-practices-part-4-of-4/

🔸Lesser Known Techniques for Attacking AWS Environments

"This post will discuss lesser known attack techniques that I would use in attacking AWS accounts and conclude with a discussion of defenses. A common theme among many of these concepts is abusing trust, whether that is incorrectly trusting attacker controlled resources hosted on AWS, or the trust relationships between accounts or within an account.

I’ll discuss a few techniques in gaining initial access, recon, lateral movement between accounts, and data exfiltration."

https://tldrsec.com/blog/lesser-known-aws-attacks/

#aws

🔹Azure Security Basics: Log Analytics, Security Center, and Sentinel

Log Analytics, Sentinel, and ATP can produce a complete picture of your Azure authentication border defenses, virtual server happenings, and everything in between them.

https://www.blackhillsinfosec.com/azure-security-basics-log-analytics-security-center-and-sentinel/

#azure

🔹CrowdStrike Reporting Tool for Azure (CRT)

A tool which helps organizations quickly and easily review excessive permissions in their Azure AD environments, helps determine configuration weaknesses, and provides advice to mitigate risk.

https://github.com/CrowdStrike/CRT

#azure

🔸AWS Lambda $LATEST is dangerous

You should always use function versioning. You should almost always use function aliases, which have a handful of benefits involving metrics in CloudWatch, IAM permissions, traffic-shifting, etc.

https://awsteele.com/blog/2020/12/24/aws-lambda-latest-is-dangerous.html

#aws

The Essential Guide to Cloud Security Posture Management

How CSPM automates security configuration across clouds

"Cloud Security Posture Management, or CSPM, is a relatively new cloud security
category designed to address configuration and compliance risks in your cloud infrastructure. The concept of CSPM is to enable organizations to automatically discover, assess, and remediate security configuration issues and gaps across multiple cloud providers and accounts. This approach ensures that at any given moment you have a consistent, secure, and compliant cloud infrastructure."

https://info.aquasec.com/cspm-essential-guide

#aws #gcp #azure

🔸AWS Security Maturity Roadmap 2021

The third annual release of Scott Piper’s excellent guide for securely running on AWS. Probably one of the best, concise, actionable guides on this I know of.

https://summitroute.com/blog/2021/01/12/2021_aws_security_maturity_roadmap_2021/

#aws

🔸Auditing PassRole: A Problematic Privilege Escalation Permission

iam:PassRole is an AWS permission that enables critical privilege escalation; many supposedly low-privilege identities tend to have it. The PassRole permission requirement is ubiquitous. It extends to more than 300 actions in more than 90 services and, in some cases, is obscured by parameters that indirectly contain the role being passed. Comprehensively auditing it can be a handful but is absolutely worth it as not doing so means leaving relatively easy avenues for privilege escalation wide open.

https://ermetic.com/whats-new/blog/auditing-passrole-a-problematic-privilege-escalation-permission/

#aws

🔸Top Ten Security Updates from AWS re:Invent 2020

AWS re:Invent ran for three weeks last year. It is more important than ever to help everyone by summarizing AWS' biggest security announcements.

https://www.linkedin.com/pulse/top-ten-security-updates-from-aws-reinvent-2020-phil-rodrigues/

#aws

🔹🔴Abusing cloud services to fly under the radar

NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to data from the airline industry. In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals.

https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/

#gcp #azure

🔸Compliance-as-code and auto-remediation with Cloud Custodian

AWS blog post about using Cloud Custodian + Lambdas to enforce compliance-as-code and auto-remediation. Cloud Custodian is an open source, stateless rules engine that offers policy-level execution against multiple kinds of event streams, including CloudWatch Events, CloudTrail events, and more.

https://aws.amazon.com/blogs/opensource/compliance-as-code-and-auto-remediation-with-cloud-custodian/

#aws

82% of companies unknowingly give 3rd parties access to all their cloud data

The Wiz team conducted a research of permissions provided to 3rd party vendors in cloud environments and the results should be a wake-up call. In the majority of cases these permissions are there for no reason: the vendor doesn't actually need them, and the customers aren't even aware that they gave them to the vendor.

https://wiz.io/blog/82-of-companies-unknowingly-give-3rd-parties-access-to-all-their-cloud-data/

#aws #gcp #azure