CloudSec Wine
All about cloud security

Contacts:
@AMark0f
@dvyakimov

About DevSecOps:
@sec_devops

🔶 Cloud Cred Harvesting Campaign

A credential harvesting campaign targeting cloud infrastructure. The majority of the victim systems were running public-facing Jupyter Notebooks.

https://permiso.io/blog/s/christmas-cloud-cred-harvesting-campaign

#aws

🔷 State of Azure IAM 2022

Azure IAM has seen major growth with 2710 new permissions and 60 new built-in roles added in 2022.

https://davidokeyode.medium.com/state-of-azure-iam-2022-512e66881128

#azure

🔶 Cloud penetration testing: Not your typical internal penetration test

A funny post where the author shares the stages of ignorance and awareness they encountered, to help others progress through the early stages more quickly than they did.

https://sethsec.blogspot.com/2022/12/cloud-penetration-testing-not-your.html?m=1

#aws

🔶 Taking The New Secrets Manager Lambda Extension For a Spin

Aquia's Dakota Riley compares the performance of the Secrets Manager Lambda Extension vs using the SDK directly for secrets retrieval.

https://blog.aquia.us/blog/2023-01-01-secrets-manager-lambda-extension

#aws

🔶 AWS Phishing: Four Ways

Post looking at some common phishing tactics in AWS: Credential Phishing, Device Authentication Phishing, CloudFormation Stack Phishing, and ACM Email Validation Phishing.

https://ramimac.me/aws-phishing

#aws

🔶 SES-pionage

What do attackers do with exposed AWS access keys? This blog looks inside AWS SES to give deeper insights into the service, why and how it's targeted, and how to detect it.

https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse

#aws

🔶🔷🔴 Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident

Learn how to detect malicious persistence techniques in AWS, GCP, and Azure after potential initial compromise, like with the CircleCI incident.

https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide

#aws #azure #gcp

🔶 Detecting Anomalous AWS Sessions From Temporary Credentials - 1 of 2

Learn about short-term access keys (unofficially also known as temporary tokens or temporary credentials) in AWS, and how they can be compromised.

https://www.uptycs.com/blog/detecting-anomalous-aws-sessions-temporary-credentials

#aws

🔶 Cedar: A new policy language

Cedar is a new language created by AWS to define access permissions using policies, similar to the way IAM policies work today. This post explains both why this language was created and how to author policies with it.

https://onecloudplease.com/blog/cedar-a-new-policy-language

#aws

🔴 SSH key injection in Google Cloud Compute Engine

A bug which had the impact of a single-click RCE in a victim user's Compute Engine instance.

https://blog.stazot.com/ssh-key-injection-google-cloud

#gcp

🔷 Unauthenticated SSRF Vulnerability on Azure Functions

How the Orca Security team uncovered an SSRF Vulnerability in the Azure Functions app, allowing any unauthenticated user to request any URL by abusing the server.

https://orca.security/resources/blog/ssrf-vulnerabilities-azure-functions-app

#azure

🔶 AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass

The Datadog Security Research Team identified a method to bypass CloudTrail logging for specific IAM API requests via undocumented APIs. This technique would allow an adversary to perform reconnaissance activities in the IAM service after gaining a foothold in an AWS account, without leaving any trace of their actions in CloudTrail.

https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass

#aws

🔷 Azure Active Directory Flaw Allowed SAML Persistence

A vulnerability in Azure Active Directory (Azure AD) allowed a user to retain access to a targeted Security Assertion Markup Language (SAML) application.

https://www.secureworks.com/research/azure-active-directory-flaw-allowed-saml-persistence

#azure

🔷 EmojiDeploy: Smile! Your Azure web service just got RCE'd

A remote code execution vulnerability affecting Azure cloud services and other cloud sovereigns including Function Apps, App Service and Logic Apps.

https://ermetic.com/blog/azure/emojideploy-smile-your-azure-web-service-just-got-rced

#azure

🔶 Tampering User Attributes In AWS Cognito User Pools

Post explaining AWS Cognito User Attributes tampering and introducing a free lab to experiment with.

https://blog.doyensec.com/2023/01/24/tampering-unrestricted-user-attributes-aws-cognito.html

#aws

🔶🔴 Provisioning Kubernetes clusters on AWS/GCP with Terraform

Learn how you can leverage Terraform and GKE or EKS to provision identical clusters for development, staging and production environments with a single click.

https://learnk8s.io/terraform-gke

#aws #gcp

🔶 awslabs/iam-roles-anywhere-session

This package provides an easy way to create a refreshable boto3 Session with AWS Roles Anywhere.

https://github.com/awslabs/iam-roles-anywhere-session

#aws

🔴 GoogleCloudPlatform/security-response-automation

Take automated actions on your GCP Security Command Center findings, like:

- Automatically create disk snapshots to enable forensic investigations.
- Revoke IAM grants that violate your desired policy.
- Notify other systems such as PagerDuty, Slack or email.

https://github.com/GoogleCloudPlatform/security-response-automation

#gcp

🔶 AWS Could Do More About SSO Device Auth Phishing

Great overview by Rami McCarthy about SSO device auth phishing, what AWS should and could do, and what you can do to protect your org.

https://ramimac.me/aws-device-auth

#aws

🔴 Incident Response in Google Cloud: Forensic Artifacts

This article examines forensic artifacts available in GCP and provides recommendations for triage and prioritization.

https://blog.sygnia.co/incident-response-in-google-cloud-forensic-artifacts

#gcp

🔷 2023 identity security trends and solutions from Microsoft

Microsoft has published a very good summary of Azure AD security trends in 2023 that considers post-authentication attacks.

https://www.microsoft.com/en-us/security/blog/2023/01/26/2023-identity-security-trends-and-solutions-from-microsoft

#azure