[tl;dr sec] #165 - Hunting for Malicious Persistence in the Cloud, GitHub Action Security, Dark Sides of Machine Learning
How to detect malicious persistence in AWS, GCP, and Azure, leaking GitHub Action secrets and improving OIDC security posture, will ChatGPT degrade communication online?
I hope you’ve been doing well!
Speaking at CloudSec 360 Next Week!
I’m thrilled to be speaking at the CloudSec 360 series, presented by Wiz, on how to scale your company’s security in 2023.
It’s going to be the spiritual successor to my How to 10X Your Security talk, covering some of my favorite posts, talks, and tools I’ve seen since.
In my usual style, it’ll be quite the montage of content 😅 Here’s a preview:
CloudSec 360 has a number of other great talks and panels from industry leaders as well.
Hope to see you there!
📢 Discover and classify sensitive cloud data
"I work with Open Raven daily. It's my bible." - John Clave, Information Security Compliance Manager.
Learn how TaskUs traded uncertainty for confidence by using Open Raven for visibility and control of sensitive data and slashed data breach risk.
Open Raven - Secure, customizable, and budget-safe data security that just works.
📜 In this newsletter...
Web Security: GraphQL exploitation guide, OGNL Injection Decoded
AppSec: Dump proto files from binaries, SQL injection resources, leaking secrets From GitHub Actions, improve GitHub Actions OIDC security posture with custom issuer, XML Security in Java
Cloud Security: Hunting for signs of persistence in the cloud, reason about IAM with Z3, four ways to phish in AWS, 5 workshops from AWS CIRT, Incident report: stolen AWS access keys, hunting for Amazon Cognito security misconfigurations
Container Security: Debug Kubernetes errors with ChatGPT, debug Kubernetes apps with eBPF, cloud native and Kubernetes security predictions 2023, tool to directly patch containers
Blue Team: What can we learn to guide our security programs in 2023?
Misc: Discover the best graduation speeches, David Bombal interviews Rachel Tobac, behind the scenes on John Hammond's YouTube channel, Zombiecorns
Dark Sides of Machine Learning: LLMs: a bleak future ahead?
OGNL Injection Decoded
Great deep dive by The SecOps Group’s Aditya Singh on Object Graph Navigation Language (OGNL) injection. He discusses the vulnerability details, prerequisites, attack vectors, how the vulnerability works in the background, recommendations, practice labs, and more.
I like how he walks through a number of prior real-world critical (pre-auth RCE) OGNL vulnerabilities that have been discovered.
📢 Malware Injection Detection in Less Than 180 Seconds
Architected specifically to observe any unauthorized change to how a system operates, Crytica's detection engine is efficient enough to continuously scan a system's entire internal infrastructure, providing rapid electronic notifications of all detection alerts within seconds.
Crytica can scan hundreds of thousands of files on a device in mere minutes, while consuming only minimal resources and without disrupting normal device or server operations. Crytica does not rely on historical data, previously identified malware, or behavioral patterns. Instead, it is optimized to detect previously unknown, zero-day infections.
Leaking Secrets From GitHub Actions: Reading Files And Environment Variables, Intercepting Network/Process Communication, Dumping Memory
If you have command injection in a GitHub Action workflow, Karim Rahal walks through different ways to steal secrets.
Improve GitHub Actions OIDC security posture with custom issuer
If you use GitHub Enterprise Cloud, Aidan Steele describes how AWS org admins can lock down role creation to only your GitHub Enterprise, making use of GitHub Actions OIDC safer.
XML Security in Java
r2c’s Pieter De Cremer and Vasilii Ermilov did a deep dive into 10 different Java classes that support parsing XML, and found that using them securely has tons of subtleties, and sometimes security features don’t work as documented! This is probably the most thorough single piece on Java XML security I’ve seen. They’ve written a set of Semgrep rules to detect insecure configurations.
Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident
Wiz’s Lior Sonntag shares how to detect malicious persistence techniques in AWS, GCP & Azure after potential initial compromise, like with the CircleCI incident.
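As an added example (not code from the Wiz guide), here is the shape of the simplest persistence hunt you can run over CloudTrail: flag the IAM calls that mint new credentials or widen trust, grouped by the principal that made them, with known administrators baselined out so a CI identity suddenly creating users stands out. The event names are real CloudTrail/IAM API names; the technique labels, the admin baseline and the records are assumptions and constructed sample data.

```python
# Added example, not from the Wiz write-up: flag IAM persistence activity in
# CloudTrail records. Event names are real CloudTrail/IAM API names; the
# technique labels, admin baseline and sample records are assumptions/constructed.
from collections import defaultdict

PERSISTENCE_EVENTS = {  # assumed mapping: eventName -> persistence technique
    "CreateUser": "new IAM user",
    "CreateAccessKey": "new long-lived access key",
    "CreateLoginProfile": "console password added to user",
    "UpdateAssumeRolePolicy": "role trust policy changed",
    "AttachUserPolicy": "managed policy attached to user",
    "PutUserPolicy": "inline policy added to user",
}

def _rec(time, name, actor, ip, **params):
    """Build a trimmed CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{actor}"},
            "sourceIPAddress": ip, "requestParameters": params or None}

SAMPLE_RECORDS = [  # a CI identity minting a user + key, plus an admin rotating her own key
    _rec("2023-01-10T08:01:00Z", "CreateUser", "ci-deploy", "203.0.113.7", userName="backup-svc"),
    _rec("2023-01-10T08:01:30Z", "CreateAccessKey", "ci-deploy", "203.0.113.7", userName="backup-svc"),
    _rec("2023-01-10T09:15:00Z", "ListBuckets", "ci-deploy", "203.0.113.7"),
    _rec("2023-01-10T10:00:00Z", "CreateAccessKey", "alice-admin", "198.51.100.2", userName="alice-admin"),
]

def hunt_persistence(records, known_admin_arns=frozenset()):
    """Group persistence-related events by acting principal.

    Principals in known_admin_arns are skipped so routine admin work does not
    drown out a CI identity (e.g. one whose token leaked) creating users/keys.
    """
    findings = defaultdict(list)
    for rec in records:
        name = rec.get("eventName")
        if name not in PERSISTENCE_EVENTS:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        if actor in known_admin_arns:
            continue
        params = rec.get("requestParameters") or {}
        findings[actor].append({
            "time": rec["eventTime"], "event": name,
            "technique": PERSISTENCE_EVENTS[name],
            "target": params.get("userName") or params.get("roleName") or "?",
            "source_ip": rec.get("sourceIPAddress"),
        })
    return dict(findings)
```

Calling `hunt_persistence(SAMPLE_RECORDS, {"arn:aws:iam::111122223333:user/alice-admin"})` leaves only the ci-deploy principal, with its CreateUser followed by CreateAccessKey against the same new user, which is the pattern you would then pivot on (source IP, other API calls from that key).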
By WithSecure: A library that utilises the Z3 prover to attempt to answer questions about AWS IAM. It can “load” a variety of IAM policies and convert them into Z3 constraints and a model, which can then be queried to determine whether a given action is allowed or not.
This is super cool, but also, if you require a theorem prover to understand your access control model, maybe… it’s too complex? 😅
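To make the question the library answers concrete, here is an added example (not the WithSecure code, and no Z3): a pure-Python evaluator for the core IAM decision order, where an explicit Deny beats any Allow and everything else is implicitly denied, plus a brute-force “model” that enumerates which of a finite set of actions a principal can perform. The policies and candidate action list are constructed; conditions, permission boundaries and SCPs are deliberately left out.

```python
# Added example, not the WithSecure library: a pure-Python stand-in for the
# question it answers with Z3 ("is this action allowed?"). Implements the core
# IAM evaluation order: explicit Deny beats Allow, otherwise implicit deny.
# Policies below are constructed sample data; conditions/SCPs are not modelled.
import re

def _iam_match(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' matches any run, '?' exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policies, action, resource):
    """Evaluate identity-based policies for one (action, resource) pair."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive in IAM; ARNs are matched as written.
            if not any(_iam_match(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_iam_match(r, resource, False) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny wins regardless of any Allow
            allowed = True
    return allowed

def allowed_actions(policies, candidate_actions, resource):
    """Which of a finite set of actions may run against resource: the 'model'
    view a solver would hand you, obtained here by brute force over candidates."""
    return sorted(a for a in candidate_actions if is_allowed(policies, a, resource))

SAMPLE_POLICIES = [  # constructed: broad read, one scoped write, finance buckets off-limits
    {"Statement": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/*"},
    ]},
    {"Statement": {"Effect": "Deny", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::finance-*/*"}},
]
CANDIDATES = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetBucketPolicy"]
```

Try `allowed_actions(SAMPLE_POLICIES, CANDIDATES, "arn:aws:s3:::finance-reports/q4.csv")`: it comes back empty because the Deny statement overrides the broad `s3:Get*` Allow, which is exactly the kind of cross-statement interaction that makes a solver attractive once policies number in the hundreds.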
AWS Phishing: Four Ways
Figma’s Rami McCarthy describes four AWS-specific phishing vectors: credential phishing, device authentication phishing, CloudFormation Stack phishing, and ACM email validation phishing, plus tons of actionable prevention and detection resources. Excellent read.
AWS CIRT announces the release of five publicly available workshops
The workshops simulate security events to help you learn the tools and procedures that AWS CIRT uses. The workshops cover AWS services and tools, such as GuardDuty, CloudTrail, CloudWatch, Athena, and AWS WAF, as well as some open source tools.
Unauthorized IAM Credential Use
Ransomware on S3
Cryptominer Based Security Events
SSRF on IMDSv1
AWS CIRT Toolkit For Automating Incident Response Preparedness
Incident report: stolen AWS access keys
Nice walkthrough by Expel on how they got an initial lead that something was off (unexpected Kali Linux user agent and IP address), did a root cause analysis, and figured out what other accounts had been compromised.
Hunting for Amazon Cognito Security misconfigurations
NahamCon EU 2022 presentation by Yassine Aboukir discussing a few common security misconfigurations that affect Amazon Cognito implementations plus techniques and methods to test for them.
A tool for introspecting and debugging Kubernetes applications using eBPF “gadgets.” It manages the packaging, deployment and execution of eBPF programs in a Kubernetes cluster, and automatically maps low-level kernel primitives to high-level Kubernetes resources, making it easier and quicker to find the relevant information.
Cloud Native and Kubernetes Security Predictions 2023
Some interesting predictions from ControlPlane’s Andrew Martin across a number of areas. An enjoyable read. Some that stuck out to me:
Kubernetes RBAC and security complexity continues to intensify
AI and ML will be harnessed by attackers more effectively than defenders
Automated defensive remediation will continue to grow slowly
eBPF technology powers all new connectivity, security, and observability projects
Linux Kernel ships its first Rust module
Server-side WebAssembly tooling starts to proliferate after Docker’s alpha driver
A CLI tool for directly patching container images using reports from vulnerability scanners. No need to go upstream for a full rebuild or wait for base image updates.
What can we learn to guide our security programs in 2023?
Jason Haddix shares observations and recommendations from breach writeups and his conversations with other CISOs about their experiences in 2022.
Discover the Best Graduation Speeches
A curated list of the best commencement speeches, from people like Jeff Bezos, Steve Jobs, Bill Gates, Obama, etc.
She hacked a billionaire, a bank and you could be next. Do this now to protect yourself!
Rachel Tobac joins David Bombal to share some social engineering and personal security tips.
This thread by John Hammond is awesome. I love the level of transparency, super interesting. Hats off to an awesome year of creating, and all the best in 2023!
Dark Sides of Machine Learning
Businesses already do covert marketing: paid product placement, astroturfing on Reddit, fake reviews, etc. Governments and political agencies do the same.
Currently they’re limited by cost, but now LLMs can create millions of human-like personas appearing to live complex online lives who are only there to advance your goal.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!