• tl;dr sec
  • Posts
  • [tl;dr sec] #168 - GCP and Azure Storage Threat Models, macOS Security, Red Team Resources

[tl;dr sec] #168 - GCP and Azure Storage Threat Models, macOS Security, Red Team Resources

Detailed threat models for Google Cloud Storage and Azure Storage, Mac malware of 2022 and emerging payload obfuscation techniques, reverse engineering Rust binaries, offensive security and RE course, and more.

Author

Clint Gibler
February 08, 2023

Hey there,

I hope you’ve been doing well!

Semgrep in EU

I was a bit sleepy when I was finishing the newsletter last week (he says, as if he doesn’t finish tl;dr sec late every Wednesday evening 😅), and I realized some of it was unclear.

  • Tuesday Feb 14 in Dublin: Happy Hour Mixer with Jit

  • Monday Feb 20 in London: Expert Panel on scaling security programs and running effective AppSec/ProdSec teams

Unfortunately I will not be able to attend, but you can meet awesome colleagues of mine. Like the man, the myth, the legend: Lewis Ardern, as well as Santander Bank’s Daniel Cuthbert, LSEG’s Amanvir Sangha, and NCC Group’s Minali Arora.

Sidenote: Lewis did not know I’d be writing this and will probably blush and/or berate me via DM tomorrow, but this is what you can do with full editorial power, muahaha!

Sponsor

 📢 Security leaders need to know these strategies for multi-cloud environments 

Business continuity, workload resilience, and innovation. How can security leaders shape a multi-cloud security strategy that works with the business to accelerate innovation while also protecting the confidentiality, integrity, and availability of workloads and data? Wherever you are on your cloud journey, SentinelOne can help you refine the multi-cloud security strategy your business needs to go faster, securely.

📜 In this newsletter...

  • Lists of Tools: offsec.tools, Open Source Security Index

  • Security Newsletters: Security Pills, Security Funded, Unsupervised Learning, CloudSecList

  • Web Security: Nagli on bypassing limited SSRF or overcoming regexes, Jason Haddix's workflow for JavaScript analysis, Semgrep in Burp Suite, finding black box regex bugs in web apps

  • Cloud Security: Sysdig's large scale of container security issues, threat models for Google Cloud Storage and Azure Storage

  • Container Security: Tool to exploit k8s cluster misconfigs, enhancing Kubernetes security with user namespaces

  • Red Team: Reverse engineering Rustlang binaries, offensive security & reverse engineering course, Sliver vs Havoc, phishing tool that bypasses most MFA

  • MacOS: The Mac Malware of 2022, macOS payloads obfuscation techniques, .pkg signature verification bypass on macOS, restoring dyld memory loading

  • Misc: Path to a free self-taught CS education, interesting thoughts and threads from Wait But Why's Tim Urban, the four horsemen of the tech recession, reflecting on the tech layoff cycle

Lists of Tools

offsec.tools
A vast collection of security tools for bug bounty, pentest and red teaming. Search by tag, category, or text.

Open Source Security Index
The most popular & fastest growing open source security projects on GitHub. Shows the breakdown by language, license, and for each repo: number of stars, contributors, watchers, commits, forks, license, etc.

Sponsor

 📢 Compliance doesn’t have to be complicated 

With Vanta, it can be simple. Vanta's platform provides connective software to streamline and automate creating, maintaining, and proving your organization's security posture through compliance standards like SOC 2, HIPAA, ISO 27001, and Vanta's Trust Report.

Automate your security and compliance to save up to 400 hours and 85% of costs. With Vanta, you can win more deals and enable growth quickly, easily, and without breaking the bank.

Check out this on-demand demo to learn why 4,000+ fast-growing companies chose Vanta as their trusted partner.

Security Newsletters

I wanted to highlight two up-and-coming security newsletters that I’m a fan of and read every week, in case you haven’t heard about them yet.

Security Pills
This newsletter by Sebas Guerrero covers AppSec, web security, and more, with a big focus on smart contracts/web3/etc. Sebas is definitely a man after my own heart in the way he describes the links he includes, super useful.

Security, Funded
I’ve called out Mike Privette’s newsletter before because it’s such a great way to keep on top of which security companies are getting funded, acquired, and other useful trends.

A few other excellent newsletters I read:

 Web Security

Nagli on bypassing limited SSRF or overcoming regexes
Try repl.it- easily spin up an endpoint that you can code to serve arbitrary headers.

Jason Haddix’s workflow for JavaScript analysis
Tons of tools and methodology to find juicy hidden endpoints, parameters, & domains buried JS.

gand3lf/semgrepper
A Burp extension by @gand3lf to use Semgrep inside Burp Suite, for example, to scan client-side JavaScript with Semgrep as an additional passive scanner.

Till REcollapse: Fuzzing the Web for Mysterious Bugs by @0xacb
NahamCon 2022 EU talk by Ethiack’s André Baptista on using black box regex fuzzing to bypass validations and discover normalization issues in web applications. Very cool work. I previously called out André’s work and the REcollapse tool in tl;dr sec #160.

Cloud Security

Misconfiguration and vulnerabilities biggest risks in cloud security
Report by Sysdig based on analyzing >7M containers their customers are running daily as well as public data sources such as GitHub, Docker Hub, and the CNCF.

  • ~87% of container images include a high or critical vulnerability

  • Only 15% of critical and high vulnerabilities with an available fix are in packages loaded at runtime.

  • Java packages were responsible for 61% of the more than 320,000 vulnerabilities in running packages. Java packages make up 24% of the packages loaded at runtime.

  • Only 10% of permissions granted to non-admin users were utilized when analyzed over a 90-day window.

  • More than 98% of permissions granted to non-human identities have not been used for at least 90 days.

Threat Modelling Cloud Platform Services by Example: Google Cloud Storage
NCC Group’s Ken Wolstencroft describes the key features and security controls of Google Cloud Storage, lists potential threats from the viewpoint of STRIDE, and concludes with threat mitigation recommendations.

The last Azure Storage security document that we’ll ever need and how to use it
130+ page threat model for Azure Storage by TrustOnCloud’s Tyson Garrett covering:

  1. Best practices (best security/effort ratio)

  2. Reviewing the service depending on your application(s) and implementing the controls based on your risk tolerance

  3. Understanding threats related to a specific feature class

Container Security

Rolix44/Kubestroyer
By Rolix: A Golang tool that aims to exploit Kubernetes clusters misconfigurations. It scans known Kubernetes ports that can be exposed as well as exploits them.

Enhancing Kubernetes security with user namespaces
Kubernetes v1.25 introduced alpha support for Linux user namespaces (userns), which can be an additional isolation layer that improves host security and prevents many known container escape scenarios. Wiz’s Shay Berkovich and Arik Nemtsov discuss potential uses, limitations, and best practices to enhance cluster security.

Red Team

Reverse Engineering Rustlang Binaries - A Series
Five part article series by Siddharth Mishra detailing his journey in reverse engineering Rust binaries. The series covers topics such as the structure of empty Rust binaries, how the printf function works at a low level, and how Rust stores variables and passes them as arguments for use.

Offensive Security & Reverse Engineering Course
Ali Hadi has open-sourced his Offensive Security and Reverse Engineering course (slides, notes, labs, videos) that he taught at Champlain College during the spring of 2021. The course covers a range of topics including: bug hunting and fuzzing, memory corruption and buffer overflows, Metasploit, return oriented programming (ROP), post exploitation, and more.

Sliver vs Havoc
Matt Culbert writes about two well-known adversary emulation (i.e. command and control) frameworks and objectively compares them. Matt takes an empirical approach to answer questions such as why you might want one over the other, how easy they are to use, and the potential for expanding their functionality with new features.

jackmichalak/phishim
A phishing tool that bypasses most types of MFA by proxying at the user-interaction level rather than the traffic level. It spins up a Puppeteer browser on the server that the victim unknowingly interacts with and then forwards screenshots down to the victim’s browser and forwards interactions up to the server. A clever approach that has been found effective for many of the most common MFA solutions, except for those ones that authenticate the URL in the browser, such as WebAuthn.

MacOS

The Mac Malware of 2022
Objective-See’s Patrick Wardle has published an annual report that comprehensively covers all the new malware targeting macOS during the past 2022, ranging from coin miners to stealthy and complex implants.

macOS Payloads | 7 Prevalent and Emerging Obfuscation Techniques
SentinelOne’s Phil Stokes explores the most popular and emerging techniques used by threat actors to compromise a macOS system, such as hidden and obfuscated scripts and Sliver implants.

Bad things come in large packages: .pkg signature verification bypass on macOS
Sector 7 has reported a security issue affecting the code signing process on macOS. A type confusion issue on the checks done to the cryptographic signatures of installer packages could be exploited to bypass SIP’s filesystem restrictions and Gatekeeper, potentially obtaining root access under certain conditions.

Restoring Dyld Memory Loading
TrustedSec’s Adam Chester examines the recent changes introduced in dyld’s code and their impact on red team operations, as Mach-O bundles that were loaded in-memory now persist on disk. He explores how to revert these changes and reimplement memory loading on macOS to keep payloads out of the reach of the blue team.

Misc

ossu/computer-science
Path to a free self-taught education in Computer Science.

22 thoughts from 2022 I’d like to take into 2023
Thread by Tim Urban (Wait But Why).

22 tweets from 2022 that might blow your mind
Another thread by Tim Urban (Wait But Why), starting with what a water droplet looks like at 6,000fps.

The Four Horsemen of the Tech Recession
By Stratechery’s Ben Thompson: The COVID Hangover, The Hardware Cycle, The End of Zero Interest Rates, and The Apple’s App Tracking Transparency (ATT) Recession.

Forces of nature, designs of man
Michal Zalewski reflects on multiple cycles of tech layoffs.

I want to be angry, but I’m struggling to pin the blame. I feel that tech companies are stuck in a cycle they can’t escape. In the good years, the newcomers know they need to grow at any cost: when you’re small, Google or Facebook can throw a thousand engineers at your problem space and eat your lunch. For a Silicon Valley startup, the #1 priority is to get big enough not to be easy prey.

As for the big players, they’re acting rationally too. They remember the titans of yesteryear - Xerox, Sun Microsystems… The companies realize they can’t keep growing their existing revenue streams for much longer. They see regulators breathing down their necks and disruptive products coming out of left field. So they keep throwing money at whatever they can, in hopes of coming up with the next big idea — a desperate bid for corporate immortality.

As tech workers, we’re complicit too. We don’t want to miss out: at internal Q&As, we pepper executives with demands for fast-growing stock rewards, rapid promotion opportunities, and relentless growth. I’ve been asked countless times for career advice. My opening line — “don’t live paycheck to paycheck” — is usually greeted with an eyeroll.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint