CloudSec Wine
All about cloud security

Contacts:
@AMark0f
@dvyakimov

About DevSecOps:
@sec_devops
🔶 Access Undenied on AWS

Ermetic’s Noam Dahan describes a cool new tool, Access Undenied, which parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable least privilege fixes. See Noam’s fwd:cloudsec talk on it here and Twitter thread here.

https://ermetic.com/blog/aws/access-undenied-on-aws

#aws
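
The core of what a tool like this does, as an added example that is not the Access Undenied code itself: take CloudTrail records whose errorCode is an access-denied variant, pull the principal, action, resource and trailing "because ..." clause out of errorMessage, name the policy layer that caused the denial, and propose an Allow statement only when the cause is a missing identity-policy allow (an explicit Deny in an SCP or resource policy cannot be fixed by adding permissions). The events, account IDs and ARNs are constructed placeholders; the message wording follows the enhanced access-denied messages AWS emits.

```python
"""Added example, not the Access Undenied tool's own code: parse CloudTrail
AccessDenied events, classify why each call was denied, and propose a
least-privilege Allow statement where a missing identity policy is the cause.
Events are constructed samples in CloudTrail's record shape; IDs and ARNs are
placeholders and errorMessage follows AWS's "... because ..." wording."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_EVENTS = [
    {
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": "AccessDenied",
        "errorMessage": (
            "User: arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc is not authorized "
            'to perform: s3:GetObject on resource: "arn:aws:s3:::example-bucket/report.csv" '
            "because no identity-based policy allows the s3:GetObject action"
        ),
        "userIdentity": {
            "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/AppRole"}},
        },
    },
    {
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "errorCode": "Client.UnauthorizedOperation",
        "errorMessage": (
            "User: arn:aws:iam::123456789012:user/dev is not authorized to perform: "
            "ec2:RunInstances on resource: arn:aws:ec2:eu-west-1:123456789012:instance/* "
            "with an explicit deny in a service control policy"
        ),
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
    },
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets"},  # succeeded: not a denial
]

DENIED_CODES = re.compile(r"AccessDenied|UnauthorizedOperation|AuthorizationError")
MESSAGE_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w-]+:[\w*]+)"
    r'(?: on resource: "?(?P<resource>[^\s"]+)"?)?'
    r"(?: (?P<reason>because .+|with an explicit deny .+))?$"
)
# Phrase in the trailing clause -> policy layer that caused the denial.
CAUSES = [
    ("explicit deny in a service control policy", "scp-explicit-deny"),
    ("explicit deny in an identity-based policy", "identity-explicit-deny"),
    ("explicit deny in a resource-based policy", "resource-explicit-deny"),
    ("no identity-based policy allows", "missing-identity-allow"),
    ("no resource-based policy allows", "missing-resource-allow"),
]

@dataclass
class Denial:
    target: str  # principal a fix would attach to: the role, not the session ARN
    action: str
    resource: str
    cause: str
    suggested_statement: Optional[dict] = None

def policy_target(event: dict) -> str:
    """Role that issued the session if there is one, else the calling principal."""
    ui = event.get("userIdentity", {})
    issuer = ui.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return issuer or ui.get("arn", "unknown")

def explain(event: dict) -> Optional[Denial]:
    if not DENIED_CODES.search(event.get("errorCode", "")):
        return None
    m = MESSAGE_RE.match(event.get("errorMessage", ""))
    if not m:  # encoded or unfamiliar message: fall back to what the record itself says
        action = f"{event['eventSource'].split('.')[0]}:{event['eventName']}"
        return Denial(policy_target(event), action, "*", "unknown")
    reason = m.group("reason") or ""
    cause = next((label for needle, label in CAUSES if needle in reason), "unknown")
    resource = m.group("resource") or "*"
    d = Denial(policy_target(event), m.group("action"), resource, cause)
    if cause == "missing-identity-allow":
        # Only a missing Allow is fixed by granting permission; an explicit Deny in an
        # SCP or resource policy has to be changed where it lives.
        d.suggested_statement = {"Effect": "Allow", "Action": d.action, "Resource": resource}
    return d

def policy_for(denials) -> dict:
    """Merge suggested statements into one identity policy, one statement per resource."""
    by_resource: dict = {}
    for d in denials:
        if d.suggested_statement:
            by_resource.setdefault(d.resource, set()).add(d.action)
    statements = [{"Effect": "Allow", "Action": sorted(a), "Resource": r}
                  for r, a in sorted(by_resource.items())]
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    found = [d for d in map(explain, SAMPLE_EVENTS) if d]
    for d in found:
        print(f"{d.target}: {d.action} on {d.resource} -> {d.cause}")
    print(policy_for(found))
```

The proposed statement uses the exact resource ARN from the event; widening it to a prefix or a whole bucket is a deliberate decision to take per workload, not something a parser should do for you. Some services (EC2 in particular) return an encoded authorization failure message rather than the plain form, which is why the fallback path keeps the action from eventSource/eventName and marks the cause unknown.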
🔶 Codify your best practices using service control policies

Overview of what SCPs are, why you should write them, a strategy for rolling them out, and how to keep iterating on them as your workloads and business needs change. Part 2 shows how to build SCPs from AWS Well-Architected constructs.

https://aws.amazon.com/ru/blogs/mt/codify-your-best-practices-using-service-control-policies-part-1

#aws
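
As an added example, not code from the AWS post: one of the best practices most often codified as an SCP is a region lock, shown here next to a small evaluator that makes the SCP semantics concrete (no SCP in the chain may deny the call, at least one SCP must allow it, and the identity policy must still allow it; an SCP grants nothing by itself). The approved regions and the global-service exception list are assumptions for the example, and only the subset of the policy grammar these documents use is implemented.

```python
"""Added example, not from the AWS post: a region-lock SCP of the kind the post
suggests codifying, plus a small evaluator showing how an SCP combines with an
identity policy. Only the Action/NotAction/StringEquals/StringNotEquals subset of
the grammar is implemented; regions and the global-service list are assumptions."""
from fnmatch import fnmatch

# Global services such as IAM and STS report us-east-1 as aws:RequestedRegion, so a
# region lock must exempt them or it also blocks sts:AssumeRole from every account.
REGION_LOCK_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}},
    }],
}

# The default SCP every organization starts with; without an SCP Allow nothing passes.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Identity policy of a workload role (placeholder permissions).
WORKLOAD_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "ec2:Describe*", "sts:GetCallerIdentity"],
        "Resource": "*",
    }],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(stmt, action):
    if "Action" in stmt:
        return any(fnmatch(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatch(action, p) for p in _as_list(stmt["NotAction"]))

def _condition_holds(stmt, ctx):
    for op, pairs in stmt.get("Condition", {}).items():
        for key, values in pairs.items():
            present = ctx.get(key) in _as_list(values)
            if op == "StringEquals" and not present:
                return False
            if op == "StringNotEquals" and present:
                return False
            if op not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(op)
    return True

def decision(policy, action, ctx):
    """'deny', 'allow' or None for a single policy document; explicit Deny wins."""
    result = None
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt, action) and _condition_holds(stmt, ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        result = "allow"
    return result

def is_authorized(scps, identity_policy, action, ctx):
    scp_results = [decision(p, action, ctx) for p in scps]
    if "deny" in scp_results or "allow" not in scp_results:
        return False  # SCPs bound what the account may do; they grant nothing themselves
    return decision(identity_policy, action, ctx) == "allow"

if __name__ == "__main__":
    scps = [FULL_AWS_ACCESS, REGION_LOCK_SCP]
    for action, region in [("s3:GetObject", "eu-west-1"), ("s3:GetObject", "us-east-1"),
                           ("sts:GetCallerIdentity", "us-east-1"), ("iam:ListUsers", "eu-west-1")]:
        ok = is_authorized(scps, WORKLOAD_ROLE_POLICY, action, {"aws:RequestedRegion": region})
        print(f"{action} in {region}: {'allowed' if ok else 'denied'}")
```

Two things the evaluator makes visible that are easy to get wrong in practice: detaching FullAWSAccess without attaching another SCP Allow denies everything in the OU, and forgetting the NotAction exemption for global services denies STS and IAM calls because they are always seen as us-east-1.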
🔷 Azure Active Directory Exposes Internal Information

Secureworks describes two issues in Azure AD. The first lets anyone query a tenant's directory synchronization status; the second can reveal internal information about the target tenant, including the technical contact's full name and phone number.

https://www.secureworks.com/research/azure-active-directory-exposes-internal-information

#azure
🔶 Denonia: The First Malware Specifically Targeting Lambda

Cado Security's analysis of Denonia, a Go-based cryptominer that runs inside AWS Lambda execution environments. It resolves its command-and-control hosts over DNS over HTTPS (DoH), so the lookups slip past detection and network controls that only inspect conventional DNS traffic.

https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda

#aws
🔶 AWS Lambda: function URL is live!

AWS has announced Lambda Function URLs, which let you expose a Lambda function as a public HTTPS endpoint without putting API Gateway or an Application Load Balancer in front of it. Lumigo's Yan Cui explains what Function URLs are, how they work, and how to make use of them. One caveat worth keeping in mind: a Function URL created with auth type NONE can be invoked by anyone on the internet, so use AWS_IAM unless the endpoint is meant to be public.

https://lumigo.io/blog/aws-lambda-function-url-is-live

#aws
🔶 CVE-2022-25165: Privilege Escalation to SYSTEM in AWS VPN Client

Rhino Security Labs found that the AWS VPN Client on Windows allows an arbitrary file write as SYSTEM, which can be chained into local privilege escalation.

https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client

#aws
🔷 Abusing Azure Hybrid Workers for Privilege Escalation - Part 2: An Azure PrivSec Story

The NetSPI team found a set of issues that let any Azure user with the Reader role on a subscription dump saved credentials and certificates from Automation Accounts. Where Run As accounts were in use, this gave a Reader-to-Contributor privilege escalation path.

https://www.netspi.com/blog/technical/cloud-penetration-testing/abusing-azure-hybrid-workers-part-2

#azure
🔶 AWS RDS Vulnerability Leads to AWS Internal Service Credentials

Lightspin's research team used a local file read in the PostgreSQL log_fdw extension on an RDS instance to reach files on the underlying host and obtained credentials for an internal AWS service. AWS has since fixed the issue.

https://blog.lightspin.io/aws-rds-critical-security-vulnerability

#aws
🔶 Cross-account role trust policies should trust AWS accounts, not roles

A trust policy that names a specific role ARN looks as if it limits access to that one principal, but it controls nothing about who can assume that source role: that decision lives in the other account's IAM. Naming the role therefore suggests a restriction it does not enforce, whereas trusting the account states the real boundary and leaves the source account to manage its own principals.

https://ben11kehoe.medium.com/cross-account-role-trust-policies-should-trust-aws-accounts-not-roles-32737dfeaa03

#aws
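
As an added example (not code from the post), a small audit of a role's trust policy that lists every individual role it trusts in another account and produces the account-level form the post argues for. The account IDs and role names are placeholders.

```python
"""Added example, not from the post: audit a role's trust policy for principals that
name an individual role in another account, and rewrite them to trust that account
instead, leaving the source account's own IAM to decide who may assume the role.
Account IDs and role names are placeholders."""
import copy
import json
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")
ACCOUNT_PRINCIPAL = re.compile(r"^(?:arn:aws:iam::(\d{12}):root|(\d{12}))$")

# Trust policy as commonly written: it names one role in account 222222222222 and
# looks restrictive, but who may assume Deployer is decided in that other account.
TRUSTS_A_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::222222222222:role/Deployer",
                              "arn:aws:iam::333333333333:root"]},
        "Action": "sts:AssumeRole",
    }],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def account_of(principal: str):
    """12-digit account ID for a role ARN, account-root ARN or bare account ID; else None."""
    m = ROLE_ARN.match(principal) or ACCOUNT_PRINCIPAL.match(principal)
    return next(g for g in m.groups() if g) if m else None

def role_principals(trust_policy):
    """(account, principal) for every individual role trusted by an Allow statement."""
    found = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            m = ROLE_ARN.match(principal)
            if m:
                found.append((m.group(1), principal))
    return found

def trust_accounts_instead(trust_policy):
    """Copy of the policy with each role ARN replaced by its account's root principal.
    Principals that are neither roles nor accounts (e.g. "*") are kept as they are."""
    new = copy.deepcopy(trust_policy)
    for stmt in new["Statement"]:
        principal = stmt.get("Principal", {})
        if "AWS" not in principal:
            continue
        rewritten = []
        for p in _as_list(principal["AWS"]):
            acct = account_of(p)
            root = f"arn:aws:iam::{acct}:root" if acct else p
            if root not in rewritten:
                rewritten.append(root)
        principal["AWS"] = rewritten[0] if len(rewritten) == 1 else rewritten
    return new

if __name__ == "__main__":
    for acct, p in role_principals(TRUSTS_A_ROLE):
        print(f"trusts role {p}; access to it is controlled by account {acct}, not here")
    print(json.dumps(trust_accounts_instead(TRUSTS_A_ROLE), indent=2))
```

A practical side effect of naming a role ARN, beyond the point the post makes: IAM stores the role's unique ID behind that ARN, so if the source role is deleted and recreated the trust stops working until the policy is updated; trusting the account root has no such dependency.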
🔷 Abusing Azure Container Registry Tasks

How one Azure service built to support DevOps can start in a very solid secure-by-default state and then quickly end up in a dangerous misconfigured state.

https://posts.specterops.io/abusing-azure-container-registry-tasks-1f407bfaa465

#azure
🔶 AWS's Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation

Palo Alto Networks' Unit 42 identified severe security issues in AWS's Log4Shell hot patch solutions that could be used for container escape and privilege escalation. The article gives a root-cause analysis and an overview of the fixes and mitigations.

https://unit42.paloaltonetworks.com/aws-log4shell-hot-patch-vulnerabilities

#aws
🔴 Where's my stuff on GCP?

In 2018 GCP released a feature called Cloud Asset Inventory, which lets you search all your resources across a project, folder or whole organization with a single command: "$ gcloud asset search-all-resources".

https://medium.com/google-cloud/wheres-my-stuff-on-gcp-4a58badda6cc

#gcp
🔶 Implementing Cloud Governance as a Code using Cloud Custodian

Cloud Custodian lets you define detection rules and their remediation together in a single policy, so that a well-managed cloud configuration is enforced as code.

https://www.infracloud.io/blogs/cloud-governance-code-cloud-custodian

#aws
🔷 "ExtraReplica" - a cross-account database vulnerability in Azure PostgreSQL

Wiz Research discovered a chain of critical vulnerabilities in the widely used Azure Database for PostgreSQL Flexible Server. Dubbed ExtraReplica, the chain allowed unauthorized read access to other customers' PostgreSQL databases, bypassing tenant isolation.

https://www.wiz.io/blog/wiz-research-discovers-extrareplica-cross-account-database-vulnerability-in-azure-postgresql

#azure
🔶 CloudGoat goes Serverless: A walkthrough of Vulnerable Lambda Functions

This post walks through exploiting serverless environments and AWS Lambda functions via the CloudGoat vulnerable_lambda scenario.

https://rhinosecuritylabs.com/cloud-security/cloudgoat-vulnerable-lambda-functions

#aws
🔶 Cloud-Native Ransomware – How attacks on availability leverage cloud services

Vectra whitepaper outlining the paths an attacker might take to affect the availability of data using the tools the cloud providers themselves offer, along with architectural patterns that make such systems easier to secure and methods for detecting cloud-native ransomware.

https://content.vectra.ai/rs/748-MCE-447/images/WhitePaper_Cloud_Native_Ransomware.pdf

#aws