🔶 AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass
The Datadog Security Research Team identified a method to bypass CloudTrail logging for specific IAM API requests via undocumented APIs. This technique would allow an adversary to perform reconnaissance activities in the IAM service after gaining a foothold in an AWS account, without leaving any trace of their actions in CloudTrail.
https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass
#aws
🔷 Azure Active Directory Flaw Allowed SAML Persistence
A vulnerability in Azure Active Directory (Azure AD) allowed a user to retain access to a targeted Security Assertion Markup Language (SAML) application.
https://www.secureworks.com/research/azure-active-directory-flaw-allowed-saml-persistence
#azure
🔷 EmojiDeploy: Smile! Your Azure web service just got RCE’d
A remote code execution vulnerability affecting Azure cloud services and other cloud sovereigns including Function Apps, App Service and Logic Apps.
https://ermetic.com/blog/azure/emojideploy-smile-your-azure-web-service-just-got-rced
#azure
🔶 Tampering User Attributes In AWS Cognito User Pools
Post explaining AWS Cognito User Attributes tampering and introducing a free lab to experiment with.
https://blog.doyensec.com/2023/01/24/tampering-unrestricted-user-attributes-aws-cognito.html
#aws
🔶🔴 Provisioning Kubernetes clusters on AWS/GCP with Terraform
Learn how you can leverage Terraform and GKE or EKS to provision identical clusters for development, staging and production environments with a single click.
https://learnk8s.io/terraform-gke
#aws #gcp
🔶 awslabs/iam-roles-anywhere-session
This package provides an easy way to create a refreshable boto3 Session with AWS Roles Anywhere.
https://github.com/awslabs/iam-roles-anywhere-session
#aws
🔴 GoogleCloudPlatform/security-response-automation
Take automated actions on your GCP Security Command Center findings, like:
- Automatically create disk snapshots to enable forensic investigations.
- Revoke IAM grants that violate your desired policy.
- Notify other systems such as PagerDuty, Slack or email.
https://github.com/GoogleCloudPlatform/security-response-automation
#gcp
🔶 AWS Could Do More About SSO Device Auth Phishing
Great overview by Rami McCarthy about SSO device auth phishing, what AWS should and could do, and what you can do to protect your org.
https://ramimac.me/aws-device-auth
#aws
🔴 Incident Response in Google Cloud: Forensic Artifacts
This article examines forensic artifacts available in GCP and provides recommendations for triage and prioritization.
https://blog.sygnia.co/incident-response-in-google-cloud-forensic-artifacts
#gcp
🔷 2023 identity security trends and solutions from Microsoft
Microsoft has published a very good summary of Azure AD security trends for 2023, which also considers post-authentication attacks.
https://www.microsoft.com/en-us/security/blog/2023/01/26/2023-identity-security-trends-and-solutions-from-microsoft
#azure
🔶 Data exfiltration with native AWS S3 features
A deep dive into the different ways legitimate S3 features can be abused for data exfiltration, so as to better understand the shortcomings of native AWS logging and monitoring tooling, with suggestions on how to detect their use and abuse.
https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436
#aws
🔶 How Adversaries Can Persist with AWS User Federation
CrowdStrike has identified a novel technique that can use the sts:GetFederationToken API to escape typical containment practices and persist in AWS environments.
https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation (open with VPN from Russia)
#aws
🔴 Sigstore’s cosign and policy-controller with GKE, Artifact Registry and KMS
Use Sigstore to sign container images and then enforce that only signed containers can run in GKE.
https://medium.com/google-cloud/sigstores-cosign-and-policy-controller-with-gke-and-kms-7bd5b12672ea
#gcp
🔷 Privilege Escalation via storage accounts
Post explaining the risk of storage accounts and how to abuse them for lateral movement.
https://rogierdijkman.medium.com/privilege-escalation-via-storage-accounts-bca24373cc2e
#azure
🔶 Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console
Post discussing a weakness in the AWS Console authentication flow that allowed an attacker to partially bypass the login rate limit.
https://securitylabs.datadoghq.com/articles/aws-console-rate-limit-bypass
#aws
🔷 Know Your App Services Before Your Enemy Does
A look at Azure App Services, security advice, and how to use Azure Resource Graph Explorer and other tools to implement these recommendations.
https://miraisecurity.com/blog/know-your-app-services-before-your-enemy-does
#azure
🔷 threatmodel-for-azure-storage
A library of all the attack scenarios on Azure Storage, and how to mitigate them following a risk-based approach.
https://github.com/trustoncloud/threatmodel-for-azure-storage
#azure
🔶 Updated ebook: Protecting your AWS environment from ransomware
By AWS’s Megan O’Neil and Merritt Baer: The new ebook includes the top 10 best practices for ransomware protection and covers new services and features that have been released since the original published date in April 2020.
https://aws.amazon.com/ru/blogs/security/updated-ebook-protecting-your-aws-environment-from-ransomware
#aws
🔷 Azure B2C: Crypto Misuse and Account Compromise
Microsoft's Azure Active Directory B2C service contained a cryptographic flaw which allowed an attacker to craft an OAuth refresh token with the contents for any user account. An attacker could redeem this refresh token for a session token, thereby gaining access to a victim account as if the attacker had logged in through a legitimate login flow.
https://www.praetorian.com/blog/azure-b2c-crypto-misuse-and-account-compromise
#azure
🔶 How Using Deprecated Policies Creates Overprivileged Permissions
A look at AmazonEC2RoleforSSM, a deprecated version of the now recommended AmazonSSMManagedInstanceCore. This post breaks down why AWS likely deprecated the original policy and how organizations leave themselves vulnerable by continuing to use such deprecated policies.
https://permiso.io/blog/s/deprecated-aws-policy-amazonec2roleforSSM
#aws
🔷 Azure AD Kerberos Tickets: Pivoting to the Cloud
If you have ever reached Domain Admin during an internal penetration test against an organization with a cloud presence, keep in mind that its entire Azure environment can still be compromised from there.
https://www.trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud
#azure