🔷 Abusing Azure Hybrid Workers for Privilege Escalation - Part 1
Azure Hybrid Workers can be configured to use Automation Account "Run as" accounts, which can expose the credentials to anyone with local administrator access to the Hybrid Worker. Since "Run as" accounts are typically subscription contributors, this can lead to privilege escalation from multiple Azure Role-Based Access Control (RBAC) roles.
https://www.netspi.com/blog/technical/cloud-penetration-testing/abusing-azure-hybrid-workers-for-privilege-escalation
#azure
🔶 aws | ClickOops
A simple Lambda that monitors your CloudTrail log files to find manual actions taken in your accounts.
https://medium.com/cloudandthings/aws-clickoops-1b8cabc9b8e3
#aws
🔷 A goat in the boat: a look at how Defender for Containers protects your clusters
Article exploring and testing Defender for Containers against a vulnerable environment to see what it can detect or prevent.
https://guillaumeben.xyz/defender-containers.html
#azure
🔶 Fantastic AWS Hacks and Where to Find Them
Getting started in AWS security, and how companies are getting hacked on AWS. You can also check out a nice interactive mind map.
https://docs.google.com/presentation/d/1WIg9Zctp7emuEgnehArUEwvkHSpC6JOi7ojejMX6L_s/edit#slide=id.g118f683adf8_0_43
#aws
🔴 Google Cloud Storage Explorer: Enumerating Google Cloud’s Bucket Access Permissions
The 'Google Cloud Platform Storage Explorer' tool crawls all of your Google Cloud projects and detects which have access to all storage data.
https://orca.security/resources/blog/google-cloud-platform-storage-explorer
#gcp
🔷 Azure Dominance Paths
A comprehensive map of Azure and Azure AD attack paths.
https://cloudbrothers.info/en/azure-dominance-paths
#azure
🔶🔷🔴 What to look for when reviewing a company's infrastructure
A comprehensive guide that provides a structured approach to reviewing the security architecture of a multi-cloud SaaS company and finding its most critical components.
https://www.marcolancini.it/2022/blog-cloud-security-infrastructure-review
#aws #azure #gcp
🔶 Automated Incident Response and Forensics Framework
A framework which aims to facilitate automated steps for incident response and forensics based on the AWS Incident Response White Paper.
https://github.com/awslabs/aws-automated-incident-response-and-forensics
#aws
🔷 Cloudy with a Chance of Unclear Mailbox Sync: CrowdStrike Services Identifies Logging Inconsistencies in Microsoft 365
Multiple investigations and testing by the CrowdStrike Services team identified inconsistencies in Azure AD sign-in logs.
https://www.crowdstrike.com/blog/crowdstrike-services-identifies-logging-inconsistencies-in-microsoft-365 (use VPN if you are from Russia)
#azure
🔴 New Privilege Escalation Techniques that Might Compromise Your Google Cloud Platform
Some common attack techniques that an attacker can use to exploit your Google Cloud Platform (GCP) environment, gain permissions, and steal information via services like Dataproc, Dataflow, and Composer.
https://medium.com/xm-cyber/new-privilege-escalation-techniques-are-compromising-your-google-cloud-platform-3b0ca78e6b6b
#gcp
🔶 Access Undenied on AWS
Ermetic’s Noam Dahan describes a cool new tool, Access Undenied, which parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable least privilege fixes. See Noam’s fwd:cloudsec talk on it here and Twitter thread here.
https://ermetic.com/blog/aws/access-undenied-on-aws
#aws
🔶 Codify your best practices using service control policies
Overview post on what SCPs are, why you should create SCPs, and the strategy you can use to implement SCPs, as well as how to continue iterating and improving SCPs as your workloads and business needs change. Part 2 discusses how you can create SCPs using constructs from AWS Well-Architected.
https://aws.amazon.com/ru/blogs/mt/codify-your-best-practices-using-service-control-policies-part-1
#aws
🔶🔷🔴 The Expansion of Malware to the Cloud
Overview of key threats for cloud environments, with a focus on Linux malware, database malware, malicious cryptomining code, and ransomware.
https://orca.security/resources/blog/cloud-linux-database-ransomware-cryptomining-malware
#aws #azure #gcp
🔷 Azure Active Directory Exposes Internal Information
The first issue allows anyone to query the directory synchronization status. The second issue could reveal internal information about the target Azure AD tenant, including the technical contact's full name and phone number.
https://www.secureworks.com/research/azure-active-directory-exposes-internal-information
#azure
🔶 Denonia: The First Malware Specifically Targeting Lambda
The malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls.
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda
#aws
🔶 Incident report: From CLI to console, chasing an attacker in AWS
How the Expel team detected and stopped unauthorized access in an AWS environment.
https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws
#aws
🔶 AWS Lambda: function URL is live!
AWS has announced AWS Lambda Function URLs, which basically lets you use Lambdas as a public HTTPS endpoint without using an API Gateway or Application Load Balancer. Lumigo’s Yan Cui provides more context about what Function URLs are, how they work, and how to take advantage of them.
https://lumigo.io/blog/aws-lambda-function-url-is-live
#aws
🔴 Best practices for secure data warehouse in Google Cloud
Introducing a new security blueprint that helps enterprises build a secure data warehouse.
https://cloud.google.com/blog/products/identity-security/best-practices-for-secure-data-warehouse-in-google-cloud
#gcp
🔶 CVE-2022-25165: Privilege Escalation to SYSTEM in AWS VPN Client
The AWS VPN Client application is affected by an arbitrary file write as SYSTEM, which can lead to privilege escalation.
https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client
#aws
🔷 Abusing Azure Hybrid Workers for Privilege Escalation - Part 2: An Azure PrivSec Story
The NetSPI team recently discovered a set of issues that allows any Azure user with the Subscription Reader role to dump saved credentials and certificates from Automation Accounts. In cases where Run As accounts were used, this allowed for a Reader to Contributor privilege escalation path.
https://www.netspi.com/blog/technical/cloud-penetration-testing/abusing-azure-hybrid-workers-part-2
#azure
🔶 AWS RDS Vulnerability Leads to AWS Internal Service Credentials
Lightspin's Research Team obtained credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension.
https://blog.lightspin.io/aws-rds-critical-security-vulnerability
#aws