[tl;dr sec] #131 - Compromising Read-Only Containers, Finding 0days in Enterprise Software, Evading Industry Leading EDR
A walkthrough of how to attack read-only containers, Shubham Shah on taking apart complex proprietary software, how your shellcode can evade top EDR products.
I hope you’ve been doing well!
I’ve very excited to be speaking at a few events over the next few months. Feel free to come say hi! I’ll be carrying bountiful stickers to share 😀
First, I’m giving a workshop at BSidesSF on June 4th on Finding Bugs and Scaling Your Security Program with Semgrep. Unfortunately I think it’s already sold out, but I’m seeing if I can get more space.
My colleagues Colleen and Grayson are also speaking at BSidesSF on The power of guardrails: How to slash your risk of XSS in half on some really cool research we did on actually measuring quantitatively, in practice what many of us intuitively believe: that secure defaults / secure “guardrails” / “paved road” practices are very high leverage security team pursuits.
Second, I’m speaking at LocoMocoSec on June 29th on a methodology for embracing and rolling out secure guardrails in your company to kill bug classes.
I’ve gotten a sign from the universe that these are all going to be good.
How do I know? I was walking around Lake Merritt recently, wearing one of my BSidesSF t-shirts, and a random guy I passed started freestyle rapping about it, “Yo check it, it’s the- the- B-B-B-BSides, BSides, …” True story 🤣
📢 Datadog On-Demand Webinar: DevSecOps Maturity Model - How to Benchmark your Organization
In this on-demand webinar, join Datadog and special guest Tanya Janca from We Hack Purple in discussion on best practices for addressing the increasing need to infuse Security practices throughout the SDLC and embrace a DevSecOps culture.
Learn the answers to:
Where is my organization now?
Where do I want my organization to be?
What are some of the ways to improve your organization's DevSecOps maturity?
You can also read Datadog’s DevSecOps whitepaper to learn more about the blueprint for assessing and advancing your organization's DevSecOps practices.
📜 In this newsletter...
Conferences: fwd:cloudsec, Diana Initiative, DEF CON Skytalks
Cryptography: Summaries of RWC from Trail of Bits and NCC Group
Java Decompilers: 3 useful tools
AppSec: SSH with no open ports, finding 0days in enterprise software
Web Security: Extracting GWT RPC method info using Semgrep
Cloud Security: CloudGoat vulnerable Lambda walkthrough, control AWS access based on account/OU/org, cloud governance as code with Cloud Custodian
Container Security: Check your Kubernetes cluster for use of deprecated APIs, compromising read-only containers with fileless malware
Politics / Privacy: Tool to enumerate Telegram Bot secret messages, mental health apps have bad privacy protections, Google now lets you request removal of personal contact info from search results, Facebook doesn't know what it does with your data or where it goes, industry <> NCSC collaboration
Red Team: Combining different defense evasion techniques for better red team payloads, how to evade industry leading endpoint protection in 2022
Misc: ByteChek is moving to a 4-day work week, comic history, guess redacted Wikipedia pages, fighting off junk mail, NASA's design for a warp drive ship
fwd:cloudsec is probably the best cloud security conference, well worth submitting and/or attending. Round One closes April 22nd, Round 2 closes May 22nd.
Diana Initiative: CFP
The Diana Initiative is a great con that emphasizes having a diverse speaker line-up. First round closes April 25th, second round closes May 30th. They’re also hosting a CTF. H/T Nicole Schwartz.
DEF CON Skytalks CFP
Closes May 31, rolling acceptances starting the first week of May.
I love conference roundups!
Trusted hardware isn’t so trustworthy
Security tooling is still too difficult to use
Side channels everywhere
LANGSEC in cryptographic contexts
Real World Cryptography Conference 2022
NCC Group’s Marie-Sarah Lacharite et al share summaries of 9 RWC talks. One that seems particularly interesting to me is “An Evaluation of the Risks of Client-Side Scanning.” As more systems begin using end-to-end encryption, the law enforcement community is concerned about their lack of visibility. How can we balance privacy/not backdooring everything with catching criminals?
Useful if you don’t have Java source code, only the
.jar. You can also do Android
.apk -> dex2jar -> Java decompiler to examine Android apps.
By The @ Company: A way to SSH to a remote Linux host/device without that device having any open ports (not even 22) on external interfaces. All network connectivity is outbound and you don’t need to know the target’s IP address.
Finding 0days in Enterprise Software
Slides from Assetnote’s Shubham Shah’s NahamCon talk. Nice walkthrough of taking apart proprietary software, auditing complex code bases, mapping attack surface, chaining vulnerabilities, finding variants, and more.
CloudGoat goes Serverless: A walkthrough of Vulnerable Lambda Functions
A walkthrough by Rhino Security Labs of the new vulnerable_lambda scenario in the CloudGoat pentest training tool.
How to control access to AWS resources based on AWS account, OU, or organization
New IAM condition keys to make it simpler to control access across org boundaries:
Implementing Cloud Governance as a Code using Cloud Custodian
InfraCloud’s Alok Maurya describes how to use Cloud Custodian auto-detect and remediate noncompliant resources. For example, deleting old EBS snapshots, stopping EC2 instances that aren’t running approved AMIs, changing any allowing of ALL on port 22 to just the VPN IP, and a few Kubernetes-related examples.
Compromising Read-Only Containers with Fileless Malware
Sysdig’s Nicholas Lang describes how to attack a container with a read-only root filesystem, and gives an example of attacking an in-memory data store (Redis) with fileless malware that executes in-memory.
Basically the trick is to use
tmpfs which lets you create a mounted file system that uses virtual memory instead of a persistent storage device. You can download your malware or shellcode to tmpfs and then execute it from there.
Politics / Privacy
A tool for or enumerating Telegram Bot secret messages.
Mental Health Apps | Privacy & security guide
Mozilla did a study and found mental health apps have worse privacy protections than most other types of apps. Prayer apps also had poor privacy standards, the team found. Overview of the findings by The Verge.
Google now lets you request the removal of personal contact information from search results
You can now request the removal of personal contact information, such as a phone number, email address or physical address. Prior to this expansion, the policy mainly covered information that would let other people steal your identity or money, such as banking and credit card details.
Inside Industry 100 - the on-loan CTO
NCC Group’s Ollie Whitehouse shares his experiences on i100, a program that brings industry staff into NCSC teams on a part-time basis to enhance collaboration between UK government and industry on cyber security. I think public/private partnerships for the purpose of keeping everyone safer is great.
I had the privilege of working with Ollie for a few years at NCC Group, and we’ve hung out a few times in person. He’s one of the sharpest security professionals I’ve ever met, and I highly recommend checking out anything he’s involved with. Also, if you want a weekly APT/malware-focused detailed summary, check out his Blue Purple newsletter.
📢 Faraday: Agile security for an agile world
In today’s agile world, cybersecurity is no longer about fortifying fixed walls. It’s about keeping watch and securing change.
Faraday platform allows you to do this. Get full visibility of your security posture, manage vulnerabilities efficiently, and automate the key steps of the process.
By Sudheer Varma: A POC project that combines different defense evasion techniques to build better red team payloads. “The idea is to embed an encrypted shellcode stub into a known signed executable and still manage to keep it signed like how the Zloader malware did.”
A blueprint for evading industry leading endpoint protection in 2022
Vincent Van Mieghem shares 12 techniques that can allow you to execute malicious shellcode without getting flagged by industry leading EDR tools, like CrowdStrike and Microsoft Defender for Endpoint.
ByteChek is moving to a 4-day work week!
ByteChek’s AJ Yawn describes how by focusing on deep work and removing distractions, he’s found ByteChek can both be a better place to work for employees and more productive.
The codes of comic books
Technically a “comic” is a set of pictures in sequence that tells a story. This virtual “exhibit” by Google Arts & Culture walks through the history of comics, going back to 1842. Learn about the origin of why comic book pages are divided into boxes and more.
The Complete Guide to Warding Off Junk Mail
How to stop receiving the junk mail you probably don’t care about: redit card, loan, mortgage and insurance junk mail, catalogs, coupons and marketing offers, etc.
Impossible Physics: Meet NASA’s Design for a Warp Drive Ship
“A number of scientists are currently researching the feasibility of warp drive (and EMdrive and a number of other modes of faster than light travel); however, most think that such forms of space travel simply aren’t viable, thanks to the fundamental physics of our universe.” Here’s a model of a ship that moves faster than light by deforming spacetime around it:
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!