• tl;dr sec
  • Posts
  • [tl;dr sec] #249 - Atomic Cloud IOCs, Russian APT Tool Matrix, Netflix Paved Road Webinar

[tl;dr sec] #249 - Atomic Cloud IOCs, Russian APT Tool Matrix, Netflix Paved Road Webinar

Cloud-specific indicators of compromise, tools regularly used by Russian government threat actors, webinar on secure guardrails & building Netflix's Paved Road

Hey there,

I hope you’ve been doing well!

🍸️ Post Happy Hour Intro

It was great seeing some of you at the happy hour, thanks for coming!

My heart swelled at least 10 sizes seeing someone wearing a tl;dr sec t-shirt 🥹

I headed out not too late so I could finish this very newsletter.

Enjoy Global AppSec SF if you’re attending, and have a great weekend!

I'm SUPER stoked about my upcoming webinar with Scott Behrens.

Scott is one of the most insightful security folks I know- my chats with him over the years have significantly influenced how I think about building a scalable security program.

He’s been at Netflix for 11 years and has seen the security team grow from a handful of people to well over 100, and is the the strategic tech lead for all of Security, Privacy, and Risk at Netflix. In the webinar we’ll discuss:

  1. What are some gotchas if you’re trying to build a Paved Road at your company?

  2. What should you work on first as a security hire?

  3. How do you validate that your Paved Road / security control guarantees actually do what you expect them to? (Hint: There’s actually a lot of subtlety here)

We’ll leave plenty of time for questions at the end.

👉️ See you there 👈️ 

Sponsor

🧟Quarantine Zombie Identities Without Breaking Your Cloud

The undead are creeping in your cloud - and we’re not talking about your IT team’s Halloween costumes. Unused identities are zombies that pose a serious security risk. 

Sonrai Security’s Cloud Permissions Firewall gives you the power to instantly “quarantine” every zombie identity in your AWS environment, denying all permissions without deleting the identity. And the best part? You can always “wake” identities if needed, with full permissions, through automated request workflows integrated into ChatOps tools.

Get a custom demo of the Cloud Permissions Firewall today: sonrai.co/cloud-zombies

Being able to auto-discover and quarantine unused identities is super cool. That way you don’t have all that attack surface lying around 🤘 

AppSec

NodyHub/zipslipper
CLI tool by Jan Harrie that creates tar/zip archives designed to exploit the ZipSlip vulnerability, which can lead to arbitrary file overwrite, and in some cases remote code execution.

CVE Hunting Made Easy
Project Black’s Eddie Zhang describes how he discovered 14 CVEs in just 3 Sunday afternoons by downloading a bunch of Wordpress plugins, scanning them with Semgrep, and triaging the results. Eddie found a number of LFI (Local File Inclusion) and SQL injection bugs, and has released his dataset if you want to go bug hunting.

gaining access to anyones browser without them even visiting a website
Eva shares a pretty insane bug in the Arc browser that allowed arbitrary JavaScript execution on any user's browser. How: Arc “boosts” are a way for users to customize websites using custom CSS and JavaScript, boosts are stored in firestore, if you obtain another user’s ID you can write malicious JS (saving it to their user ID’s boosts) that will run in their browser whenever they visit a given website.

Simplifying XSS Detection with Nuclei
Project Discovery’s Dwi Siswanto discusses how to leverage nuclei’s headless mode for improved XSS detection. Instead of complex reflection-based string matching, you can use the waitdialog action to detect if injected JavaScript actually executes. The post provides example templates for both traditional and headless detection methods.

💡 I feel like most dynamic analysis tools go through the journey of finding XSS from “look for this string in the response” to “see if JavaScript executed.” Why? The application may not return the expected string exactly, and even if the expected payload is in the response, that doesn’t mean it executed (read: false positives).

Sponsor

📣 Conquer Compliance in Containers & Open Source

Struggling with compliance in containerized environments and open source? These issues can slow business, increase risks, and lead to costly fines. Watch Chainguard CEO Dan Lorence and our panel of experts break down the unique challenges and share practical strategies for aligning with FedRAMP and other key standards to protect your organization from revenue loss and regulatory penalties.

👉 Watch Now 👈

Having no/low vulnerability golden image containers and easing the path to FedRAMP is 👌 

Cloud Security

Quicklinks

A Cloud Access Management Maturity Model: Part 1
Rowan Udell describes a Cloud Access Maturity Model with four stages: Administrator-centric, Role-Based Access Control (RBAC), Just-in-time (JIT) Access, and Adaptive Access. Each stage addresses challenges like blast radius and key person risk, but introduces new complexities in defining and managing access.

Part 2 provides more detail about what each level looks like, how to measure maturity with metrics, and how to progress to the next stage.

tenable/hidden-services-revealer
By Tenable’s Noam Dahan and Ron Popov: A tool to map hidden services in AWS by following the events triggered after a user's actions. A user’s actions in AWS can trigger other events in other services, and by following the events, you can identify services that are indirectly deployed, potentially leading to security issues.

Tracking cloud-fluent threat actors - Part one: Atomic cloud IOCs
New blog series by Wiz’s Merav Bar and Amitai Cohen covering strategies for tracking and defending against malicious activity and threats, including cloud-specific atomic IOCs (container / VM image metadata, cloud subscription metadata, infra as code metadata, cloud user metadata, and credential metadata), and cloud-unique aspects of traditional atomic IOCs (user agents, IP addresses).

They've also started collecting public indicators of compromise in this GitHub repo.

Supply Chain

offensive-actions/azure-storage-reverse-shell
By Benedikt Haußner: A GitHub Action that can send a reverse shell from a GitHub runner to any Internet connected device able to run Python, utilizing Azure Storage Account as a broker- bypassing firewall rules on self-hosted runners.

💡 See also some nice discussion on LinkedIn.

CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
This behavior was called out in tl;dr sec long ago, but PSA: installing a package with 𝘱𝘪𝘱 𝘪𝘯𝘴𝘵𝘢𝘭𝘭 --𝘦𝘹𝘵𝘳𝘢-𝘪𝘯𝘥𝘦𝘹-𝘶𝘳𝘭 prioritizes the public registry, leading to a potential dependency confusion vulnerability if an attacker registers the same package name as an internal package. Tenable’s Liv Matan found this issue for an internal software dependency that Google pre-installs for Google Cloud Composer.

This issue has been known for a while and there's a Feb 2023 PEP to address it, but for now it’s still a nice shiny scissor lying around for people to pick up and run with.

Non-Actionable Findings in 3rd-party Security Scanners...and How to Identify Them
Erik Varga of Google’s AutoVM (vulnerability management) team describes four main categories of false positives from 3rd-party dependency scanning tools: vulnerabilities rejected by a feed (e.g. later analysis may reveal a finding to not be security relevant), imprecise version matching info, imprecise info about affected packages, or a finding is not security relevant (e.g. Trivy reports Debian Long Term Support Security Advisories (DLAs) such as time zone data updates or new GPG key additions).

Blue Team

Introducing Sigmalite. RunReveal's open source sigma rule evaluator for detection
Evan Johnson announced RunReveal’s support for Sigma detections, and they’ve open sourced their Sigma evaluation engine, Sigmalite. Sigmalite is designed for stream processing and can be embedded into data pipelines to perform detection outside of SIEMs, decoupling detection from data storage. Sigmalite supports real-time streaming detections and allows users to make decisions about log handling (e.g., storage location, forwarding) based on Sigma rule matches.

The Russian APT Tool Matrix
Will Thomas has created a Russian APT Tool Matrix, complementing his earlier Ransomware Tool Matrix, cataloging tools used by various Russian state-sponsored threat groups (GRU, SVR, FSB). Key findings: GRU groups like EMBER BEAR use the most scanners, FANCY BEAR and Sandworm were found often relying on a wide variety offensive security tools, SVR-affiliated COZY BEAR uses the most diverse toolset, and Mimikatz, Impacket, PsExec, Metasploit, and ReGeorg are the most commonly shared tools across Russian APTs.

Red Team

w1th4d/JarPlant
By @w1th4d and Christoffer Jerkeby: Java archive implant toolkit: inject malicious payloads into JAR files.

Vulnerabilities in Open Source C2 Frameworks
In Soviet Russia, blue team hack you C2 🥁 Include Security’s Laurence Tennant shares a number of vulnerabilities he found in open source Command & Control (C2) frameworks, including: authenticated command injection in Sliver and Havoc, service API authn bypass in Havoc, an unauthenticated arbitrary file download vulnerability in Ninja, unauthenticated RCE in SHAD0W, and escalation of privilege and authenticated command injection in Covenant.

AI + Security

AI Security Companies
Nice big list of companies either securing AI or applying AI to security, by Tejas Cyber Network.

hadriansecurity/subwiz
By Hadrian Security: A recon tool that uses AI to predict subdomains and returns those that resolve. For example, use subfinder to find domains from passive sources, and then seed subwiz with those domains.

arphanetx/Monocle
A tool to use LLMs for natural language searches against compiled target binaries. Give it a binary and search criteria (e.g., authentication code, vulnerable code, password strings, and more), and it will decompile the binary using headless Ghidra and use its in-built LLM (Mistral-7B-Instruct) to identify and score relevant areas of the code. H/T my bud Claudio “Claude 3.5” Merloni for sharing.

Cloudflare’s new marketplace will let websites charge AI bots for scraping
I think it’s great to have publishers compensated for their content. As the first step in this plan, Cloudflare just launched free observability tools for customers, called AI Audit, that give you a dashboard to view analytics on why, when, and how often AI models are crawling your site. Cloudflare will also let customers block AI bots from their sites with the click of a button.

Methodology for incident response on generative AI workloads
By Anna McAbee, Jennifer Paz, AJ Evans, and Steve de Vera: The AWS Customer Incident Response Team (CIRT) has developed a methodology that you can use to investigate security incidents involving generative AI-based applications. The post walks through the 7 elements of the methodology, including determining: access, infrastructure changes, AI changes, data store changes, invocations, private data, and agency.

Misc

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler