🔶 AWS Phishing: Four Ways
Post looking at some common phishing tactics in AWS: Credential Phishing, Device Authentication Phishing, CloudFormation Stack Phishing, and ACM Email Validation Phishing.
https://ramimac.me/aws-phishing
#aws
🔶 SES-pionage
What do attackers do with exposed AWS access keys? This blog looks inside AWS SES to give deeper insights into the service, why and how it's targeted, and how to detect abuse.
https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse
#aws
🔶🔷🔴 Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident
Learn how to detect malicious persistence techniques in AWS, GCP, and Azure after potential initial compromise, like with the CircleCI incident.
https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide
#aws #azure #gcp
🔶 Detecting Anomalous AWS Sessions From Temporary Credentials - 1 of 2
Learn about short-term access keys (unofficially also known as temporary tokens or temporary credentials) in AWS, and how they can be compromised.
https://www.uptycs.com/blog/detecting-anomalous-aws-sessions-temporary-credentials
#aws
🔶 Cedar: A new policy language
Cedar is a new language created by AWS to define access permissions using policies, similar to the way IAM policies work today. This post explains both why this language was created and how to author policies with it.
https://onecloudplease.com/blog/cedar-a-new-policy-language
#aws
🔴 SSH key injection in Google Cloud Compute Engine
A bug which had the impact of a single-click RCE in a victim user's Compute Engine instance.
https://blog.stazot.com/ssh-key-injection-google-cloud
#gcp
🔷 Unauthenticated SSRF Vulnerability on Azure Functions
How the Orca Security team uncovered an SSRF Vulnerability in the Azure Functions app, allowing any unauthenticated user to request any URL by abusing the server.
https://orca.security/resources/blog/ssrf-vulnerabilities-azure-functions-app
#azure
🔶 AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass
The Datadog Security Research Team identified a method to bypass CloudTrail logging for specific IAM API requests via undocumented APIs. This technique would allow an adversary to perform reconnaissance activities in the IAM service after gaining a foothold in an AWS account, without leaving any trace of their actions in CloudTrail.
https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass
#aws
🔷 Azure Active Directory Flaw Allowed SAML Persistence
A vulnerability in Azure Active Directory (Azure AD) allowed a user to retain access to a targeted Security Assertion Markup Language (SAML) application.
https://www.secureworks.com/research/azure-active-directory-flaw-allowed-saml-persistence
#azure
🔷 EmojiDeploy: Smile! Your Azure web service just got RCE’d
A remote code execution vulnerability affecting Azure cloud services, including sovereign clouds, across Function Apps, App Service and Logic Apps.
https://ermetic.com/blog/azure/emojideploy-smile-your-azure-web-service-just-got-rced
#azure
🔶 Tampering User Attributes In AWS Cognito User Pools
Post explaining AWS Cognito User Attributes tampering and introducing a free lab to experiment with.
https://blog.doyensec.com/2023/01/24/tampering-unrestricted-user-attributes-aws-cognito.html
#aws
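The check a practitioner wants after reading the Doyensec post: which Cognito attributes that your backend trusts for authorization can the end-user app client rewrite with its own access token? The example below is added here and is not the post's code or lab; the DescribeUserPoolClient response is constructed to mirror the real API's shape (`UserPoolClient` with `ReadAttributes`/`WriteAttributes`), and the attribute names `custom:role` and `custom:tenant_id` are assumptions.

```python
"""Added example: spotting Cognito user attributes that a client can rewrite.

The risk: an application reads an authorization-bearing attribute (the
hypothetical custom attribute ``custom:role``) out of the Cognito ID token,
while the app client that end users authenticate with is allowed to *write*
that attribute via UpdateUserAttributes. The DescribeUserPoolClient response
below is constructed to mirror the real API's shape; attribute names are
assumptions.
"""
from typing import Iterable, List

# Constructed stand-in for a boto3 cognito-idp describe_user_pool_client() result.
SAMPLE_CLIENT = {
    "UserPoolClient": {
        "ClientId": "example-client-id",
        "ReadAttributes": ["email", "email_verified", "custom:role", "custom:tenant_id"],
        "WriteAttributes": ["email", "name", "custom:role", "custom:tenant_id"],
    }
}

# Attributes this (hypothetical) application consults when authorizing a request.
AUTHZ_ATTRIBUTES = {"custom:role", "custom:tenant_id", "email_verified"}


def writable_authz_attributes(describe_client_response: dict,
                              authz_attributes: Iterable[str]) -> List[str]:
    """Return attributes used for authorization that the app client may write.

    Anything returned here can be set by any authenticated user of that client
    with their own access token, so it must not be trusted for access control.
    """
    writable = set(describe_client_response["UserPoolClient"].get("WriteAttributes", []))
    return sorted(writable & set(authz_attributes))


def role_from_id_token_insecure(claims: dict) -> str:
    """Vulnerable pattern: trusts a user-writable attribute carried in the token."""
    return claims.get("custom:role", "user")


def role_from_server_side_store(claims: dict, role_table: dict) -> str:
    """Hardened pattern: the subject comes from the token (signed by Cognito),
    but the role is looked up in a store only the backend can write."""
    return role_table.get(claims["sub"], "user")


if __name__ == "__main__":
    print(writable_authz_attributes(SAMPLE_CLIENT, AUTHZ_ATTRIBUTES))
    # After a self-service UpdateUserAttributes call setting custom:role=admin,
    # the tampered value shows up in the next ID token the user obtains:
    tampered = {"sub": "1111-2222", "custom:role": "admin"}
    print(role_from_id_token_insecure(tampered),
          role_from_server_side_store(tampered, {"1111-2222": "user"}))
```

The attacker-side call is the ordinary `cognito-idp` `update_user_attributes(AccessToken=..., UserAttributes=[{"Name": "custom:role", "Value": "admin"}])`. The fix is to remove such attributes from the app client's write permissions so only the backend can set them via `admin_update_user_attributes`, and to stop deriving authorization from user-writable claims.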
🔶🔴 Provisioning Kubernetes clusters on AWS/GCP with Terraform
Learn how you can leverage Terraform and GKE or EKS to provision identical clusters for development, staging and production environments with a single click.
https://learnk8s.io/terraform-gke
#aws #gcp
🔶 awslabs/iam-roles-anywhere-session
This package provides an easy way to create a refreshable boto3 Session with AWS Roles Anywhere.
https://github.com/awslabs/iam-roles-anywhere-session
#aws
🔴 GoogleCloudPlatform/security-response-automation
Take automated actions on your GCP Security Command Center findings, like:
- Automatically create disk snapshots to enable forensic investigations.
- Revoke IAM grants that violate your desired policy.
- Notify other systems such as PagerDuty, Slack or email.
https://github.com/GoogleCloudPlatform/security-response-automation
#gcp
🔶 AWS Could Do More About SSO Device Auth Phishing
Great overview by Rami McCarthy about SSO device auth phishing, what AWS should and could do, and what you can do to protect your org.
https://ramimac.me/aws-device-auth
#aws
🔴 Incident Response in Google Cloud: Forensic Artifacts
This article examines forensic artifacts available in GCP and provides recommendations for triage and prioritization.
https://blog.sygnia.co/incident-response-in-google-cloud-forensic-artifacts
#gcp
🔷 2023 identity security trends and solutions from Microsoft
Microsoft has published a good summary of Azure AD security trends for 2023, including post-authentication attacks such as token theft.
https://www.microsoft.com/en-us/security/blog/2023/01/26/2023-identity-security-trends-and-solutions-from-microsoft
#azure
🔶 Data exfiltration with native AWS S3 features
A deep dive into how legitimate S3 features can be abused for data exfiltration, where native AWS logging and monitoring fall short, and how to go about detecting their use and abuse.
https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436
#aws
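Two of the S3 "features" that move data out of an account are bucket policies granting access to foreign principals and replication rules whose destination is owned by another account. The audit below is an added example, not code from the post; the bucket policy and replication configuration are constructed to match the shapes boto3 returns from `get_bucket_policy` and `get_bucket_replication`, and all account IDs are placeholders.

```python
"""Added example: auditing S3 bucket policies and replication rules for
grants that hand data to accounts outside your own organisation.

Inputs are constructed to match the shapes returned by boto3
``get_bucket_policy`` (policy JSON) and ``get_bucket_replication``
(``ReplicationConfiguration``); account IDs are placeholders.
"""
import json
import re
from typing import Iterable, Union

TRUSTED_ACCOUNTS = {"111111111111"}  # assumed: your own account(s)

# Constructed bucket policy: one legitimate internal grant and one that lets
# unknown accounts read every object in the bucket.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999999999999:root", "222222222222"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed replication configuration: a normal DR rule plus one whose
# destination is owned by a foreign account (owner override via Account).
SAMPLE_REPLICATION = {
    "Role": "arn:aws:iam::111111111111:role/replication",
    "Rules": [
        {"ID": "to-dr", "Status": "Enabled", "Priority": 1, "Filter": {},
         "DeleteMarkerReplication": {"Status": "Disabled"},
         "Destination": {"Bucket": "arn:aws:s3:::dr-bucket"}},
        {"ID": "exfil", "Status": "Enabled", "Priority": 2, "Filter": {},
         "DeleteMarkerReplication": {"Status": "Disabled"},
         "Destination": {"Bucket": "arn:aws:s3:::attacker-bucket",
                         "Account": "999999999999",
                         "AccessControlTranslation": {"Owner": "Destination"}}},
    ],
}

_ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def _account_of(principal: str) -> str:
    """Map an AWS principal string to an account ID, or '*' for anonymous."""
    if principal == "*":
        return "*"
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = _ACCOUNT_IN_ARN.match(principal)
    return m.group(1) if m else principal  # unknown form: report verbatim


def _aws_principals(principal: Union[str, dict]) -> list:
    """Flatten the Principal element to a list of AWS principal strings
    (Service/Federated principals are out of scope for this check)."""
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def foreign_allow_grants(policy_json: str, trusted: Iterable[str]) -> list:
    """(statement index, account) pairs for Allow statements whose AWS
    principal is anonymous or outside the trusted account set."""
    trusted = set(trusted)
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for p in _aws_principals(stmt.get("Principal", {})):
            acct = _account_of(p)
            if acct not in trusted:
                findings.append((i, acct))
    return findings


def foreign_replication_rules(config: dict, trusted: Iterable[str]) -> list:
    """IDs of enabled replication rules delivering objects to a bucket owned by
    an account outside the trusted set. Limitation: a bucket ARN carries no
    account ID, so only rules that set Destination.Account are attributable from
    the config alone; pair with CloudTrail PutBucketReplication events."""
    trusted = set(trusted)
    return [r["ID"] for r in config.get("Rules", [])
            if r.get("Status") == "Enabled"
            and r.get("Destination", {}).get("Account") not in (None, *trusted)]


if __name__ == "__main__":
    print(foreign_allow_grants(SAMPLE_POLICY, TRUSTED_ACCOUNTS))
    print(foreign_replication_rules(SAMPLE_REPLICATION, TRUSTED_ACCOUNTS))
```

Run it against the output of `get_bucket_policy()["Policy"]` and `get_bucket_replication()["ReplicationConfiguration"]` for each bucket; the replication check in particular needs the CloudTrail `PutBucketReplication` event to name a destination account when the rule does not carry one.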
🔶 How Adversaries Can Persist with AWS User Federation
CrowdStrike has identified a novel technique that can use the sts:GetFederationToken API to escape typical containment practices and persist in AWS environments.
https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation (open with VPN from Russia)
#aws
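The point of the CrowdStrike post, and of the Uptycs post on temporary credentials above, is that ASIA-prefixed short-term keys minted with sts:GetFederationToken keep working after the issuing IAM user's long-term key is deactivated. The hunt below is an added example and not code from either post: it classifies access key IDs by prefix, lists every GetFederationToken grant, and flags federated-user activity that post-dates the containment of the issuing user. The CloudTrail records are constructed to follow CloudTrail's record layout; the account ID, user names and key IDs are placeholders.

```python
"""Added example: hunting in CloudTrail for temporary credentials that outlive
the IAM user access key they were minted from (sts:GetFederationToken).

Events are constructed to follow CloudTrail's record layout (userIdentity,
eventSource, eventName, requestParameters ...); account ID, user names and
access key IDs are placeholders.
"""
from collections import defaultdict

EVENTS = [
    {  # 1. alice's long-term key mints a 36-hour federation token
        "eventTime": "2023-02-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetFederationToken",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111111111111:user/alice",
                         "accessKeyId": "AKIAEXAMPLEALICE0001"},
        "requestParameters": {"name": "persist", "durationSeconds": 129600},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEFED000001",
                                             "expiration": "Feb 2, 2023, 10:00:00 PM"}},
    },
    {  # 2. a responder "contains" alice by deactivating her access key
        "eventTime": "2023-02-01T11:30:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "UpdateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "admin",
                         "arn": "arn:aws:iam::111111111111:user/admin",
                         "accessKeyId": "AKIAEXAMPLEADMIN0001"},
        "requestParameters": {"userName": "alice",
                              "accessKeyId": "AKIAEXAMPLEALICE0001", "status": "Inactive"},
    },
    {  # 3. the federated session keeps working after containment
        "eventTime": "2023-02-01T12:15:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "userIdentity": {"type": "FederatedUser",
                         "arn": "arn:aws:sts::111111111111:federated-user/persist",
                         "accessKeyId": "ASIAEXAMPLEFED000001",
                         "sessionContext": {"sessionIssuer": {
                             "type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::111111111111:user/alice"}}},
    },
]

CONTAINMENT_EVENTS = {"UpdateAccessKey", "DeleteAccessKey"}


def classify_key(access_key_id: str) -> str:
    """AKIA... keys are long-term IAM user keys; ASIA... keys are temporary
    (STS) credentials. Anything else is reported as unknown."""
    return {"AKIA": "long-term", "ASIA": "temporary"}.get(access_key_id[:4], "unknown")


def federation_token_grants(events) -> list:
    """Every GetFederationToken call: who minted it, session name, lifetime, key."""
    out = []
    for e in events:
        if e["eventSource"] == "sts.amazonaws.com" and e["eventName"] == "GetFederationToken":
            rp = e.get("requestParameters", {})
            creds = e.get("responseElements", {}).get("credentials", {})
            out.append({"issuer": e["userIdentity"].get("userName"),
                        "name": rp.get("name"),
                        "durationSeconds": rp.get("durationSeconds"),
                        "accessKeyId": creds.get("accessKeyId")})
    return out


def sessions_surviving_containment(events) -> list:
    """Federated-user activity that happens *after* the issuing IAM user's key
    was deactivated or deleted. ISO-8601 UTC timestamps compare correctly as strings."""
    contained_at = defaultdict(list)  # userName -> [eventTime, ...]
    for e in events:
        if e["eventSource"] == "iam.amazonaws.com" and e["eventName"] in CONTAINMENT_EVENTS:
            rp = e.get("requestParameters", {})
            if e["eventName"] == "DeleteAccessKey" or rp.get("status") == "Inactive":
                contained_at[rp.get("userName")].append(e["eventTime"])
    findings = []
    for e in events:
        ident = e["userIdentity"]
        if ident.get("type") != "FederatedUser":
            continue
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
        if any(t < e["eventTime"] for t in contained_at.get(issuer, [])):
            findings.append((e["eventName"], ident["accessKeyId"], issuer))
    return findings


if __name__ == "__main__":
    print(federation_token_grants(EVENTS))
    print(sessions_surviving_containment(EVENTS))
```

Deactivating or deleting the long-term key is not enough once a federation token exists; the federated session's permissions are the intersection of the IAM user's policies and the session policy, so an explicit Deny attached to the IAM user (or deleting the user) is what actually cuts it off.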
🔴 Sigstore’s cosign and policy-controller with GKE, Artifact Registry and KMS
Use Sigstore to sign container images and then enforce that only signed containers can run in GKE.
https://medium.com/google-cloud/sigstores-cosign-and-policy-controller-with-gke-and-kms-7bd5b12672ea
#gcp
🔷 Privilege Escalation via storage accounts
Post explaining the risk of storage accounts and how to abuse them for lateral movement.
https://rogierdijkman.medium.com/privilege-escalation-via-storage-accounts-bca24373cc2e
#azure