[tl;dr sec] #165 - Hunting for Malicious Persistence in the Cloud, GitHub Action Security, Dark Sides of Machine Learning

How to detect malicious persistence in AWS, GCP, and Azure, leaking GitHub Action secrets and improving OIDC security posture, will ChatGPT degrade communication online?

Hey there,

I hope you’ve been doing well!

Speaking at CloudSec 360 Next Week!

I’m thrilled to be speaking at the CloudSec 360 series, presented by Wiz, on how to scale your company’s security in 2023.

It’s going to be the spiritual successor to my How to 10X Your Security talk, covering some of my favorite posts, talks, and tools I’ve seen since.

In my usual style, it’ll be quite the montage of content 😅

CloudSec 360 has a number of other great talks and panels from industry leaders as well.

Hope to see you there!

Sponsor

📢 Discover and classify sensitive cloud data

"I work with Open Raven daily. It's my bible." - John Clave, Information Security Compliance Manager.

Learn how TaskUs traded uncertainty for confidence by using Open Raven for visibility and control of sensitive data and slashed data breach risk.

Open Raven - Secure, customizable, and budget-safe data security that just works.

📜 In this newsletter...

  • Web Security: GraphQL exploitation guide, OGNL Injection Decoded

  • AppSec: Dump proto files from binaries, SQL injection resources, leaking secrets From GitHub Actions, improve GitHub Actions OIDC security posture with custom issuer, XML Security in Java

  • Cloud Security: Hunting for signs of persistence in the cloud, reason about IAM with Z3, four ways to phish in AWS, 5 workshops from AWS CIRT, Incident report: stolen AWS access keys, hunting for Amazon Cognito security misconfigurations

  • Container Security: Debug Kubernetes errors with ChatGPT, debug Kubernetes apps with eBPF, cloud native and Kubernetes security predictions 2023, tool to directly patch containers

  • Blue Team: What can we learn to guide our security programs in 2023?

  • Misc: Discover the best graduation speeches, David Bombal interviews Rachel Tobac, behind the scenes on John Hammond's YouTube channel, Zombiecorns

  • Dark Sides of Machine Learning: LLMs: a bleak future ahead?

Web Security

GraphQL exploitation – All you need to know
Cybervelia’s Theodoros Danos gives an overview of GraphQL, common vulnerabilities to test for, useful tools, and more.

OGNL Injection Decoded
Great deep dive by The SecOps Group’s Aditya Singh on Object Graph Navigation Language (OGNL) injection. He discusses the vulnerability details, prerequisites, attack vectors, how the vulnerability works in the background, recommendations, practice labs, and more.

I like how he walks through a number of prior real world critical (pre-auth RCE) OGNL vulnerabilities that have been discovered.

Sponsor

📢 Malware Injection Detection in Less Than 180 Seconds

Architected specifically to observe any unauthorized change to how a system operates, Crytica's detection engine is efficient enough to continuously scan a system's entire internal infrastructure; providing rapid electronic notifications, within seconds, of all detection alerts.

Crytica can scan hundreds of thousands of files on a device in mere minutes, while consuming only minimal resources and without disrupting normal device or server operations. Crytica does not rely on historical data, previously identified malware, or behavioral patterns. Instead, it is optimized to detect previously unknown, zero-day infections.

AppSec

arkadiyt/protodump
A utility to dump all Protobuf file descriptors from a given binary as *.proto files, by Arkadiy Tetelman.

SQL Injection Thread by Intigriti
Nice overview by Intigriti with hands-on labs, cheatsheets, videos, tools, prevention, etc.

Leaking Secrets From GitHub Actions: Reading Files And Environment Variables, Intercepting Network/Process Communication, Dumping Memory
If you have command injection in a GitHub Action workflow, Karim Rahal walks through different ways to steal secrets.

Improve GitHub Actions OIDC security posture with custom issuer
If you use GitHub Enterprise Cloud, Aidan Steele describes how AWS org admins can lock down role creation to only your GitHub Enterprise, making use of GitHub Actions OIDC safer.

XML Security in Java
r2c’s Pieter De Cremer and Vasilii Ermilov did a deep dive into 10 different Java classes that support parsing XML, and found that using them securely has tons of subtleties, and sometimes security features don’t work as documented! This is probably the most thorough single piece on Java XML security I’ve seen. They’ve written a set of Semgrep rules to detect insecure configurations.

Cloud Security

Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident
Wiz’s Lior Sonntag shares how to detect malicious persistence techniques in AWS, GCP & Azure after potential initial compromise, like with the CircleCI incident.

WithSecureLabs/IAMSpy
By WithSecure: A library that utilises the Z3 prover to attempt to answer questions about AWS IAM. It can “load” a variety of IAM policies and convert them to generate Z3 constraints and a model, from which queries can be made on identifying whether actions are allowed or not.

This is super cool, but also, if you require a theorem prover to understand your access control model, maybe… it’s too complex? 😅

AWS Phishing: Four Ways
Figma’s Rami McCarthy describes four AWS-specific phishing vectors: credential phishing, device authentication phishing, CloudFormation Stack phishing, and ACM email validation phishing, plus tons of actionable prevention and detection resources. Excellent read.

AWS CIRT announces the release of five publicly available workshops
The workshops simulate security events to help you learn the tools and procedures that AWS CIRT uses. The workshops cover AWS services and tools, such as GuardDuty, CloudTrail, CloudWatch, Athena, and AWS WAF, as well as some open source tools.

  • Unauthorized IAM Credential Use

  • Ransomware on S3

  • Cryptominer Based Security Events

  • SSRF on IMDSv1

  • AWS CIRT Toolkit For Automating Incident Response Preparedness

Incident report: stolen AWS access keys
Nice walkthrough by Expel on how they got an initial lead that something was off (unexpected Kali Linux user agent and IP address), did a root cause analysis, and figured out what other accounts had been compromised.

Common activity is our best friend. Any single environment will have patterns that line up with the daily activity of its admins and users. Attackers won’t know these patterns and will stand out. Knowing your organization’s patterns will help you see attackers.

Hunting for Amazon Cognito Security misconfigurations
NahamCon EU 2022 presentation by Yassine Aboukir discussing a few common security misconfigurations that affect Amazon Cognito implementations plus techniques and methods to test for them.

Container Security

robusta-dev/kubernetes-chatgpt-bot
A ChatGPT bot for Kubernetes issues by Robusta’s Natan Yellin. Ask ChatGPT how to solve your Prometheus alerts, get pithy responses.

inspektor-gadget/inspektor-gadget
A tool for introspecting and debugging Kubernetes applications using eBPF “gadgets.” It manages the packaging, deployment and execution of eBPF programs in a Kubernetes cluster, and automatically maps low-level kernel primitives to high-level Kubernetes resources, making it easier and quicker to find the relevant information.

Cloud Native and Kubernetes Security Predictions 2023
Some interesting predictions from ControlPlane’s Andrew Martin across a number of areas. An enjoyable read. Some that stuck out to me:

  • Kubernetes RBAC and security complexity continues to intensify

  • AI and ML will be harnessed by attackers more effectively than defenders

  • Automated defensive remediation will continue to grow slowly

  • eBPF technology powers all new connectivity, security, and observability projects

  • Linux Kernel ships its first Rust module

  • Serverside webassembly tooling starts to proliferate after Docker’s alpha driver

project-copacetic/copacetic
A CLI tool for directly patching container images using reports from vulnerability scanners. No need to go upstream for a full rebuild or wait for base image updates.

Blue Team

What can we learn to guide our security programs in 2023?
Jason Haddix shares observations and recommendations from breach writeups and his conversations with other CISOs about their experiences in 2022.

Misc

Discover the Best Graduation Speeches
A curated list of the best commencement speeches, from people like Jeff Bezos, Steve Jobs, Bill Gates, Obama, etc.

This thread by John Hammond is awesome. I love the level of transparency, super interesting. Hats off to an awesome year of creating, and all the best in 2023!

I’ve been closely following the cybersecurity market since 2013, when I became an industry analyst at 451 Research, and I can safely say that June 2022 is the most bizarre month I’ve ever seen. June announced both three new cybersecurity unicorns and 1500 employees laid off from 9 cybersecurity vendors in the same month.

Prior to 2020, a typical startup would raise every 18 months. Many were encouraged to burn that money by the end of the 18 month period to maximize growth and momentum in the market. By 2021, we saw the time between fundraising rounds shrink to 12, 9, or even 6 months. In the case of Island, the company raised a $115M Series B weeks after announcing a $100M Series A and coming out of stealth in early 2022. They didn’t stop there, announcing a $60M Series B extension last month.

My guess is at least half of the 50 unicorns we had earlier this year are zombies and will never realize those valuations.

Dark Sides of Machine Learning

You thought the first page of Google was bunk before? You haven’t seen Google where SEO optimizer bros pump out billions of perfectly coherent but predictably dull informational articles for every longtail keyword combination under the sun.

Marketers, influencers, and growth hackers will set up OpenAI → Zapier pipelines that auto-publish a relentless and impossibly banal stream of LinkedIn #MotivationMonday posts, “engaging” tweet 🧵 threads, Facebook outrage monologues, and corporate blog posts.

After the forest expands, we will become deeply sceptical of one another’s realness. Every time you find a new favourite blog or Twitter account or Tiktok personality online, you’ll have to ask: Is this really a whole human with a rich and complex life like mine? Is there a being on the other end of this web interface I can form a relationship with?

I suspect that barring urgent intervention, within two decades, most of interactions on the internet will be fake.

There are powerful incentives to use LLMs to generate inauthentic content on an unprecedented scale — and there are no technical defenses in sight. Further, one of the most plausible beneficial uses of LLMs might have the side effect of discouraging the creation of new organic content on the internet.

Businesses already do covert marketing: paid product placement, astroturfing on Reddit, fake reviews, etc. Governments and political agencies do similar.

Currently they’re limited by cost, but now LLMs can create millions of human-like personas appearing to live complex online lives who are only there to advance your goal.

Scams and spear phishing campaigns would reach new levels if one could perfectly tailor the communications to their marks’ professional and social backgrounds, and do so millions of times per day. Again, this is not science fiction: ChatGPT is already capable of “style transfer” that flawlessly adjusts the message to a person’s background. Its developers try to detect overtly malicious uses, but self-hosted implementations will be free of such constraints.

When it comes to the beneficial uses of LLMs, it is nearly a given that we will learn to depend on ChatGPT-style digital assistants to instantly retrieve, summarize, and apply the sum of human knowledge to any problem at hand. Some commentators raise concerns about accuracy, but I’m not buying that; the revolution is likely to happen even if Microsoft Clippy 2.0 occasionally makes a mistake or two.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint