🔶 When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability
Threat actors used SugarCRM's zero-day CVE-2023-22952 and cloud account misconfigurations to access credentials.
https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat
#aws
Threat actors used SugarCRM's zero-day CVE-2023-22952 and cloud account misconfigurations to access credentials.
https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat
#aws
👍5❤1🔥1
🔶 Identifying & Reducing Permission Explosion in AWS
The slides of a BlackHat 2023 talk that discusses how to identify, fix, and prevent permission explosion in your AWS environment.
https://i.blackhat.com/BH-US-23/Presentations/US-23-Moolrajani-Reducing-AWS-Permission-Explosion.pdf
#aws
The slides of a BlackHat 2023 talk that discusses how to identify, fix, and prevent permission explosion in your AWS environment.
https://i.blackhat.com/BH-US-23/Presentations/US-23-Moolrajani-Reducing-AWS-Permission-Explosion.pdf
#aws
👍4🔥2👏1
🔶 How to setup geofencing and IP allow-list for Cognito user pool
AWS recently announced that is now possible to enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists.
https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool/
#aws
AWS recently announced that is now possible to enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists.
https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool/
#aws
👍3🔥2😱1
🔶 Terraform best practices for reliability at any scale
At scale, many Terraform state files are better than one. But how do you draw the boundaries and decide which resources belong in which state files? What are the best practices for organizing Terraform state files to maximize reliability, minimize the blast-radius of changes, and align with the design of cloud providers?
https://substrate.tools/blog/terraform-best-practices-for-reliability-at-any-scale
#aws
At scale, many Terraform state files are better than one. But how do you draw the boundaries and decide which resources belong in which state files? What are the best practices for organizing Terraform state files to maximize reliability, minimize the blast-radius of changes, and align with the design of cloud providers?
https://substrate.tools/blog/terraform-best-practices-for-reliability-at-any-scale
#aws
👍3👎1🔥1😱1
🔶 Methods to Backdoor an AWS Account
Post exploring some methods that an adversary can use to create backdoors in your AWS account: access keys, AssumeRole, changing Security Groups, UserData noscripts, and SSM Send-Command.
https://mystic0x1.github.io/posts/methods-to-backdoor-an-aws-account/
#aws
Post exploring some methods that an adversary can use to create backdoors in your AWS account: access keys, AssumeRole, changing Security Groups, UserData noscripts, and SSM Send-Command.
https://mystic0x1.github.io/posts/methods-to-backdoor-an-aws-account/
#aws
👍6🔥1👏1
🔶 Pivoting Clouds in AWS Organizations: Examining AWS Security Features and Tools for Enumeration
The architecture and considerable number of enabled/delegated service possibilities in AWS Organizations presents a serious vector for lateral movement within corporate environments. This could easily turn a single AWS account takeover into a multiple account takeover.
https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-2/
#aws
The architecture and considerable number of enabled/delegated service possibilities in AWS Organizations presents a serious vector for lateral movement within corporate environments. This could easily turn a single AWS account takeover into a multiple account takeover.
https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-2/
#aws
👍3🔥1👏1
🔶 Risk in AWS SSM Port Forwarding
A surprising AWS Systems Manager Session Manager (SSM) default that can introduce risk, especially for customers using SSM's Port Forwarding features.
https://ramimac.me/ssm-iam
#aws
A surprising AWS Systems Manager Session Manager (SSM) default that can introduce risk, especially for customers using SSM's Port Forwarding features.
https://ramimac.me/ssm-iam
#aws
👍4🔥1👏1
🔶 Shipping RDS IAM Authentication (with a bastion host & SSM)
A basic guide to getting RDS IAM Authentication set up when you're using a Private Endpoint.
https://ramimac.me/rds-iam-auth
#aws
A basic guide to getting RDS IAM Authentication set up when you're using a Private Endpoint.
https://ramimac.me/rds-iam-auth
#aws
👍3🔥1😱1
🔷 New zero trust and digital sovereignty controls in Workspace, powered by AI
Google announced new zero trust, digital sovereignty, and threat defense controls powered by Google AI to help organizations keep their data safe.
https://workspace.google.com/blog/identity-and-security/accelerating-zero-trust-and-digital-sovereignty-ai
#azure
Google announced new zero trust, digital sovereignty, and threat defense controls powered by Google AI to help organizations keep their data safe.
https://workspace.google.com/blog/identity-and-security/accelerating-zero-trust-and-digital-sovereignty-ai
#azure
👍4🔥1👏1
🔷 How to Detect When an Azure Guest User Account Is Being Exploited
In Azure environments, guest users are the go-to option when giving access to a user from a different tenant. However, this could prove to be a costly mistake.
https://orca.security/resources/blog/detect-guest-user-account-exploited
#azure
In Azure environments, guest users are the go-to option when giving access to a user from a different tenant. However, this could prove to be a costly mistake.
https://orca.security/resources/blog/detect-guest-user-account-exploited
#azure
👍2❤1🔥1
🔴 Grafana security update: GPG signing key rotation
Grafana signing keys have been exposed. Be sure to update their trusted certificate if you are a Grafana user.
https://grafana.com/blog/2023/08/24/grafana-security-update-gpg-signing-key-rotation/
#gcp
Grafana signing keys have been exposed. Be sure to update their trusted certificate if you are a Grafana user.
https://grafana.com/blog/2023/08/24/grafana-security-update-gpg-signing-key-rotation/
#gcp
👍3🔥1😱1
🔶 Authorizing cross-account KMS access with aliases
KMS aliases are a great way to make KMS keys more convenient. But permitting one account to use an KMS key in another account through a KMS alias can be difficult. This article explains why, and how to solve the problem correctly.
https://lucvandonkersgoed.com/2023/08/25/authorizing-cross-account-kms-access-with-aliases
#aws
KMS aliases are a great way to make KMS keys more convenient. But permitting one account to use an KMS key in another account through a KMS alias can be difficult. This article explains why, and how to solve the problem correctly.
https://lucvandonkersgoed.com/2023/08/25/authorizing-cross-account-kms-access-with-aliases
#aws
👍3🔥1😱1
🔷 5 Tips to prevent or limit the impact of an incident in Azure
Five low-cost and easy to implement measures with high-impact to prevent or limit the impact of an incident in Azure: setup budget quotas, restrict app registration, prevent subnoscriptions from entering your tenant, ingest audit logging, and limit external collaboration.
https://invictus-ir.medium.com/5-tips-to-prevent-or-limit-the-impact-of-an-incident-in-azure-e9f664fe0100
(Use VPN to open from Russia)
#azure
Five low-cost and easy to implement measures with high-impact to prevent or limit the impact of an incident in Azure: setup budget quotas, restrict app registration, prevent subnoscriptions from entering your tenant, ingest audit logging, and limit external collaboration.
https://invictus-ir.medium.com/5-tips-to-prevent-or-limit-the-impact-of-an-incident-in-azure-e9f664fe0100
(Use VPN to open from Russia)
#azure
👍3❤1🔥1
🔶 Verifying images in a private Amazon ECR with Kyverno and IAM Roles for Service Accounts (IRSA)
Applications, such as Kyverno, running within a Pod's containers can utilize the AWS SDK to make API requests to AWS services by leveraging AWS Identity and Access Management (IAM) permissions.
https://www.cncf.io/blog/2023/08/29/verifying-images-in-a-private-amazon-ecr-with-kyverno-and-iam-roles-for-service-accounts-irsa/
#aws
Applications, such as Kyverno, running within a Pod's containers can utilize the AWS SDK to make API requests to AWS services by leveraging AWS Identity and Access Management (IAM) permissions.
https://www.cncf.io/blog/2023/08/29/verifying-images-in-a-private-amazon-ecr-with-kyverno-and-iam-roles-for-service-accounts-irsa/
#aws
👍4🔥1😱1
🔶🔷🔴 New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services
Security Joes Incident Response team recently became aware of a set of relatively new CVEs that were released at the end of March 2023. Surprisingly, these vulnerabilities have received little to no media coverage regarding their ease of exploitation and the potential security implications they pose to any cluster running a non-native object storage.
https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services
#aws #azure #gcp
Security Joes Incident Response team recently became aware of a set of relatively new CVEs that were released at the end of March 2023. Surprisingly, these vulnerabilities have received little to no media coverage regarding their ease of exploitation and the potential security implications they pose to any cluster running a non-native object storage.
https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services
#aws #azure #gcp
👍3🔥1👏1
🔶 Cloud Detection and Response Needs To Break Down Boundaries
The attack patterns of the modern day threat actor are changing as they are able to traverse across multiple environments in the cloud. CDR needs to keep up.
https://permiso.io/blog/cloud-detection-and-response-needs-to-break-down-boundaries
#aws
The attack patterns of the modern day threat actor are changing as they are able to traverse across multiple environments in the cloud. CDR needs to keep up.
https://permiso.io/blog/cloud-detection-and-response-needs-to-break-down-boundaries
#aws
👍4🔥1👏1
🔶 Lessons from Recent Social Engineering Attacks on Okta Super Admin Accounts
Post exploring the latest Okta security incidents and explaining how to fortify your IAM system against social engineering attacks.
https://acsense.com/blog/okta-super-admin-breach-steps-for-iam-resilience
#aws
Post exploring the latest Okta security incidents and explaining how to fortify your IAM system against social engineering attacks.
https://acsense.com/blog/okta-super-admin-breach-steps-for-iam-resilience
#aws
👍3🔥1👏1
🔶 aws-list-resources
Uses the AWS Cloud Control API to list resources that are present in a given AWS account and region(s).
https://github.com/welldone-cloud/aws-list-resources
#aws
Uses the AWS Cloud Control API to list resources that are present in a given AWS account and region(s).
https://github.com/welldone-cloud/aws-list-resources
#aws
👍2❤1🔥1😱1
🔷 Announcing Notation Azure Key Vault plugin v1.0 for signing container images
The Notary Project is being adopted by Azure Key Vault.
https://techcommunity.microsoft.com/t5/apps-on-azure-blog/announcing-notation-azure-key-vault-plugin-v1-0-for-signing/ba-p/3920895
#azure
The Notary Project is being adopted by Azure Key Vault.
https://techcommunity.microsoft.com/t5/apps-on-azure-blog/announcing-notation-azure-key-vault-plugin-v1-0-for-signing/ba-p/3920895
#azure
👍3❤1🔥1
🔷 The Azure Metadata Protection You Didn't Know Was There
Some Azure services have an additional, not widely known, protection mechanism against session token exfiltration.
https://ermetic.com/blog/azure/the-azure-metadata-protection-you-didnt-know-was-there/
#azure
Some Azure services have an additional, not widely known, protection mechanism against session token exfiltration.
https://ermetic.com/blog/azure/the-azure-metadata-protection-you-didnt-know-was-there/
#azure
👍4🔥1👏1
🔶 AWS Console Session Traceability: How Attackers Obfuscate Identity Through the AWS Console
Attackers can take advantage of a quirk of the default AWS configuration (without SourceIdentity configured) to potentially make detecting and attributing their actions more difficult.
https://www.gem.security/post/aws-console-session-traceability-how-attackers-obfuscate-identity-through-the-aws-console
#aws
Attackers can take advantage of a quirk of the default AWS configuration (without SourceIdentity configured) to potentially make detecting and attributing their actions more difficult.
https://www.gem.security/post/aws-console-session-traceability-how-attackers-obfuscate-identity-through-the-aws-console
#aws
👍4🔥1👏1