🔶🔷🔴 CVE-2022-0847 (aka Dirty Pipe): What does it mean for defenders
A quick summary and actionable advice for defenders of cloud environments and those teams who are asked to determine the impact of CVE-2022-0847 on their company's infrastructure.
https://www.marcolancini.it/2022/blog-cve-2022-0847-dirty-pipe
#aws #azure #gcp
🔷 AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service
AutoWarp is a critical vulnerability in Microsoft Azure Automation Service that allows unauthorized access to other customer accounts using the service.
https://orca.security/resources/blog/autowarp-microsoft-azure-automation-service-vulnerability
#azure
🔴 Lateral Movement in Google Cloud: Abusing the Infamous Default Service Account Misconfiguration
This post covers how a malicious actor can conduct lateral movement in Google Cloud across compute engine instances using the default service account.
https://orca.security/resources/blog/lateral-movement-google-cloud-default-service-account
#gcp
🔷 Escalating from Logic App Contributor to Root Owner in Azure
Having Contributor access to an Azure Resource Manager (ARM) API Connection would allow you to create arbitrary role assignments as the connected user. This was supposed to be limited to actions at the Resource Group level, but an attacker could escape to the Subscription or Root level with a path traversal payload.
https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-logic-app-contributor-escalation-to-root-owner
#azure
🔷 Abusing Family Refresh Tokens for Unauthorized Access and Persistence in Azure Active Directory
Undocumented functionality in Azure Active Directory allows a group of Microsoft OAuth client applications to obtain special "family refresh tokens", which can be redeemed for bearer tokens as any other client in the family.
https://github.com/secureworks/family-of-client-ids-research
#azure
🔶 Why Step Functions is the Best AWS Service You Are Not Using
Using Serverless AWS Step Functions To Accelerate FedRAMP Moderate ATO.
https://itnext.io/why-step-functions-is-the-best-aws-service-you-are-not-using-4f3c133d7d0d
#aws
🔷 Abusing Azure Hybrid Workers for Privilege Escalation - Part 1
Azure Hybrid Workers can be configured to use Automation Account "Run as" accounts, which can expose the credentials to anyone with local administrator access to the Hybrid Worker. Since "Run as" accounts are typically subscription contributors, this can lead to privilege escalation from multiple Azure Role-Based Access Control (RBAC) roles.
https://www.netspi.com/blog/technical/cloud-penetration-testing/abusing-azure-hybrid-workers-for-privilege-escalation
#azure
🔶 aws | ClickOops
A simple Lambda that monitors your CloudTrail log files to find manual actions taken in your accounts.
https://medium.com/cloudandthings/aws-clickoops-1b8cabc9b8e3
#aws
🔷 A goat in the boat: a look at how Defender for Containers protects your clusters
Article exploring and testing Defender for Containers against a vulnerable environment to see what it can detect or prevent.
https://guillaumeben.xyz/defender-containers.html
#azure
🔶 Fantastic AWS Hacks and Where to Find Them
Getting started in AWS security, and how companies are getting hacked on AWS. You can also check a nice interactive mindmap.
https://docs.google.com/presentation/d/1WIg9Zctp7emuEgnehArUEwvkHSpC6JOi7ojejMX6L_s/edit#slide=id.g118f683adf8_0_43
#aws
🔴 Google Cloud Storage Explorer: Enumerating Google Cloud’s Bucket Access Permissions
The 'Google Cloud Platform Storage Explorer' tool crawls all of your Google Cloud projects and detects which have access to all storage data.
https://orca.security/resources/blog/google-cloud-platform-storage-explorer
#gcp
🔷 Azure Dominance Paths
A comprehensive map of Azure and Azure AD attack paths.
https://cloudbrothers.info/en/azure-dominance-paths
#azure
🔶🔷🔴 What to look for when reviewing a company's infrastructure
A comprehensive guide that provides a structured approach to reviewing the security architecture of a multi-cloud SaaS company and finding its most critical components.
https://www.marcolancini.it/2022/blog-cloud-security-infrastructure-review
#aws #azure #gcp
🔶 Automated Incident Response and Forensics Framework
A framework which aims to facilitate automated steps for incident response and forensics based on the AWS Incident Response White Paper.
https://github.com/awslabs/aws-automated-incident-response-and-forensics
#aws
🔷 Cloudy with a Chance of Unclear Mailbox Sync: CrowdStrike Services Identifies Logging Inconsistencies in Microsoft 365
Multiple investigations and testing by the CrowdStrike Services team identified inconsistencies in Azure AD sign-in logs.
https://www.crowdstrike.com/blog/crowdstrike-services-identifies-logging-inconsistencies-in-microsoft-365 (use VPN if you are from Russia)
#azure
🔴 New Privilege Escalation Techniques that Might Compromise Your Google Cloud Platform
Some common attack techniques that an attacker can use to exploit your Google Cloud Platform (GCP) environment, gain permissions, and steal information via services like Dataproc, Dataflow, and Composer.
https://medium.com/xm-cyber/new-privilege-escalation-techniques-are-compromising-your-google-cloud-platform-3b0ca78e6b6b
#gcp
Written by Idan Strovinsky & Zur Ulianitzky — March 28, 2022
🔶 Access Undenied on AWS
Ermetic’s Noam Dahan describes a cool new tool, Access Undenied, which parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable least privilege fixes. See Noam’s fwd:cloudsec talk on it here and Twitter thread here.
https://ermetic.com/blog/aws/access-undenied-on-aws
#aws
🔶 Codify your best practices using service control policies
Overview post on what SCPs are, why you should create SCPs, and the strategy you can use to implement SCPs, as well as how to continue iterating and improving SCPs as your workloads and business needs change. Part 2 discusses how you can create SCPs using constructs from AWS Well-Architected.
https://aws.amazon.com/ru/blogs/mt/codify-your-best-practices-using-service-control-policies-part-1
#aws
🔶🔷🔴 The Expansion of Malware to the Cloud
Overview of key threats for cloud environments, with a focus on Linux malware, database malware, malicious cryptomining code, and ransomware.
https://orca.security/resources/blog/cloud-linux-database-ransomware-cryptomining-malware
#aws #azure #gcp
🔷 Azure Active Directory Exposes Internal Information
The first issue allows anyone to query the directory synchronization status. The second issue could reveal internal information about the target Azure AD tenant, including the technical contact's full name and phone number.
https://www.secureworks.com/research/azure-active-directory-exposes-internal-information
#azure
🔶 Denonia: The First Malware Specifically Targeting Lambda
The malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls.
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda
#aws