[tl;dr sec] #252 - Perfecting Ransomware on AWS, Kubernetes-native Threat Detection, MITRE Caldera Bounty Hunter

Simulate ransomware with KMS XKS + your key, Venator, a new OSS tool, new Caldera plugin to emulate complete, realistic cyber attack chains

Hey there,

I hope you’ve been doing well!

🙃 How to Stop Feeling Like Your Success is Never Enough

I’ve been enjoying recent interviews with Andrew Wilkinson, who is doing the media tour for his book “Never Enough: From Barista to Billionaire.” (Here’s his interview on Modern Wisdom).

Basically, as Andrew became more successful, he found that even billionaires he met felt like they needed more money, and compared themselves to their peers with more. Yikes.

The challenge is this can still happen, even when you’re aware of this failure mode.

Anecdotally, I’ve found this to be true with me 🤦 When I first started tl;dr sec, I thought, “Man, if I ever have 1,000 subscribers, I’ll be building a Real Serious Newsletter™️.” Then it was 5K, then 10K, then 20K…

Recently I’ve caught myself thinking, “Yeah, those newsletters with 100K or 1M subscribers… those are actually big newsletters.” But I’m sure if I were to hit those milestones I’d feel… the same.

<insert reference here to how I meditate every day, and a call to action to buy a tl;dr sec branded Gratitude journal>

If you’ve ever told yourself, “When I achieve X, earn Y, or hit Z milestone, then I’ll be happy,” and then did, feel free to reply and tell me the story, I’m curious.

Sponsor

📣 Get more out of your email security budget

When every dollar counts, you want to make sure you make the most of what you get. You (hopefully) get funds for anti-phishing tools, but the threat landscape extends beyond the inbox.

With more sophisticated attack flavors at higher volumes than ever, email security must also encompass insider risk scenarios, account takeover protection, and data loss prevention.

See why Material Security is the preferred choice for organizations looking to protect more areas of their Microsoft 365 or Google Workspace footprint under a unified toolkit… and a single line item in the budget.

Material has some pretty cool Google Workspace visibility and security control features, see here for a demo overview from a chat I had with them.

AppSec

Automating Client-Side Path Traversals Discovery
Vitor Falcao describes Client-Side Path Traversals (CSPT), a technique where modifying URL parameters can cause the browser to make requests to unintended endpoints (e.g. setting id=../../foo), potentially leading to XSS when chained with open redirects. He created Gecko, a Chrome extension to automate CSPT discovery by intercepting requests and comparing URL components to request paths.

Exploiting trust: Weaponizing permissive CORS configurations
Outpost24’s Thomas Stacey describes the impact and prevalence of permissive CORS vulnerabilities, using 8 real-world case studies, including arbitrary origin reflection, subdomain validation bypasses, exploiting internal applications via CORS, and more. Thomas provides a methodology for testing and scanning for CORS issues, and has released a Burp extension that extends Burp’s default CORS scan checks.

1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies
@hackermondev (a 15 year old, let’s go!) describes how he found a vulnerability in Zendesk that allowed reading customer support tickets from any company: if you know a support conversation’s ID (semi enumerable), spoof an email to that thread CC-ing your email, and you’ll be added to the thread and have the full thread history (Zendesk's email collaboration feature).

He then used this to gain access to hundreds of companies' Slack workspaces by bypassing Slack's email verification using Apple's OAuth. The bug affected over half of Fortune 500 companies. Zendesk initially dismissed the report and later fixed it without awarding a bounty 👎️ 

Sponsor

📣 Q&A: Digital Threats Landscape with Joseph Menn, The Washington Post

Revisit the most recent Q&A with Joseph Menn, Digital Threats Reporter at the Washington Post, who writes about disinformation, hacktivism, and other topics in cybersecurity and authored the Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World.

Register today to dive into 10+ new sessions, including this Q&A, covering the latest research in infrastructure security and access from Doyensec, Teleport, and others, during Teleport Connect 2024: Virtual on November 6.

👉 Register Today 👈

o0o I want to hear what Joseph Menn has to say, disinformation and hacktivism are quite timely, and I’ve been meaning to read that book, I hear it’s solid 🤘 

Cloud Security

Defense in Depth approach using AWS
Ahmed Srebrenica walks through implementing a Defense in Depth approach on AWS using multiple security layers including custom VPCs, security groups, Application Load Balancer, Web Application Firewall, and Network ACLs.

Cloud native incident response in AWS
Invictus describes how to use AWS Athena for cloud incident response, searching through various log types like CloudTrail, S3 access logs, and ELB logs. The post covers indexing, partitioning with Glue, handling nested objects in AWS logs, and provides practical tips for optimizing Athena queries, including limiting output and reusing query results. They’ve also shared an Athena Query Cheat Sheet.

Why Multi-Account in AWS?
Marty Henderson explains the benefits of using a multi-account AWS strategy, breaking down the 8 key advantages outlined in AWS's whitepaper "Organizing Your AWS Environment Using Multiple Accounts," including: group workloads based on business purpose and ownership, apply distinct security controls by environment, constrain access to sensitive data, promote innovation and agility, limit scope of impact from adverse events, support multiple IT operating models, manage costs, and distribute AWS Service Quotas and API request rate limits.

Challenges with IP spoofing in cloud environments
Datadog’s Emile-Hugo Spir explains what IP spoofing is, why it’s a concern in cloud environments, and how it affects systems relying on reverse proxies. In short, attackers can spoof the X-Forwarded-For HTTP header and there’s no way for the receiving application to validate it. In Datadog’s dataset of thousands of orgs, 32% of organizations receive such headers and 14% likely face malicious probing attempts.

Mitigation strategies include dropping X-Forwarded-For headers at the network edge, using trusted vendor-specific headers like Cloudflare's CF-Connecting-IP, or implementing custom logic to extract the last trustworthy IP.
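One way to implement the "last trustworthy IP" logic, as an added example (not code from Datadog's post or this newsletter). The function name and the trusted proxy ranges are assumptions; replace the ranges with the reverse proxies and load balancers you actually operate.

```python
import ipaddress

# Assumption: CIDR ranges of proxies you control (constructed sample values).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),    # internal load balancers
    ipaddress.ip_network("192.0.2.0/24"),  # edge reverse proxies
]


def _is_trusted(ip):
    """True if ip belongs to one of our own proxy ranges."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_values):
    """Return the last trustworthy client IP for a request.

    peer_addr  -- address of the TCP peer that connected to us
    xff_values -- X-Forwarded-For header values, in the order received
    """
    peer = ipaddress.ip_address(peer_addr)
    # A direct connection from outside our proxies: the header is
    # attacker-controlled, so ignore it entirely.
    if not _is_trusted(peer):
        return str(peer)

    # Flatten repeated headers and comma-separated lists into one hop list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]

    # Walk right to left: each entry was appended by the hop to its right,
    # so an entry is believable only while everything after it is ours.
    candidate = peer
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop, keep the last validated address
        candidate = ip
        if not _is_trusted(ip):
            break  # first address outside our proxies is the client
    return str(candidate)
```

Entries to the left of the returned address are never consulted, so a client-supplied `X-Forwarded-For` value cannot change the result.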

Perfecting Ransomware on AWS — Using ‘keys to the kingdom’ to change the locks
CRED’s Harsh Varagiya describes, in detail, how to build an AWS-RedTeam-Kit for ransomware simulation using KMS External Key Stores (XKS) and a simulated HSM (SoftHSM). Basically, you encrypt everything with a key you control, then take that key offline. The setup involves a modified aws-kms-xks-proxy, and Cloudflare tunnels to create a publicly accessible XKS backend. Mercifully, Harsh shares SCPs to deny the KMS API call for XKS.

Supply Chain

bwireman/go-over
Tool by Benjamin Wireman to audit Erlang & Elixir dependencies for known security vulnerabilities. See also MixAudit.

💡 If you’ve never used Elixir, you’re missing out, it’s quite a delightful language.

mchmarny/s3cme
By Mark Chmarny: Template Go app repo with local test/lint/build/vulnerability check workflow (Trivy, CodeQL), on-tag image test/build/release pipelines, automated SBOM generation with ko, cosign attestation, and SLSA build provenance.

The second half of software supply chain security on GitHub
GitHub’s Zachary Steindler provides an abridged history of supply chain security, and discusses GitHub's artifact attestations feature, which simplifies code signing for software built in GitHub Actions and helps achieve SLSA level 2 compliance. The feature uses workload identity (the Actions OIDC token) to securely obtain code signing certificates, avoiding the need to manage long-lived private keys. It also includes provenance information like repository details, build instructions, and source code SHA.

Blue Team

vxfemboy/ghostport
By @vxfemboy: A high-performance port spoofing tool built in Rust. Confuse port scanners with dynamic service emulation across all ports. Features customizable signatures, efficient async handling, and easy traffic redirection.

Open Sourcing Venator: a Kubernetes-native threat detection system
Adel Karimi introduces Venator, a Kubernetes-native threat detection system that uses CronJobs and Helm to automate deployment of detection rules. It supports multiple query engines (e.g. OpenSearch, BigQuery) and publishers (e.g. PubSub, Slack). Venator includes features like rule-specific exclusions, LLM integration for analyzing or correlating lower-confidence signals that may not warrant immediate alerts, and automated deployment via Helm charts and CI/CD pipelines.

💡 Also, congrats to Adel on joining OpenAI’s security team.

What Makes a “Good” Detection?
Dylan Williams proposes the “Shannon Signal Score,” a framework for evaluating detection quality across five key categories: Threat Alignment & Coverage, Detection Integrity, Operational Cost, Impact & Risk Potential, and Utility. The framework combines quantitative metrics and LLM-based qualitative assessments to provide a holistic view of detection value. I love the level of detail and walking through his thought process, great post.

Red Team

trickster0/NamelessC2
By trickster0: A Rust-based C2 framework with a Windows implant as small as 256KB, with a working sleeping obfuscation method of EkkoEx.

yasukata/zpoline
A novel system call hook mechanism for Linux that rewrites the code binary loaded in memory, just before the user-space program starts its main function. Advantages: achieves exhaustive syscall hooking without modifying the OS kernel or requiring source code, and is 100 times faster than ptrace.

Emulating complete, realistic cyber attack chains with the new Caldera Bounty Hunter plugin
Louis Hackländer-Jansen introduces the Bounty Hunter plugin for MITRE Caldera, which enables emulation of complete, realistic cyber attack chains including initial access and privilege escalation. The plugin uses weighted-random attack behavior for non-deterministic outcomes, and supports configurable parameters like ability locking and reward updates. Louis shares two example scenarios demonstrating the Bounty Hunter plugin’s capabilities: 1) nmap, brute force SSH, elevate privileges, and 2) emulating a complex APT29 campaign including compromising an AD domain via a Kerberos Golden Ticket attack.

AI + Security

Clemson University researchers found a sprawling AI bot army on X attacking the Harris campaign and Democrats, supporting Trump and the GOP.

GSM-Symbolic: Understanding the Limitations of Mathematical Reasoning in Large Language Models
A new paper from Apple researchers shows that slight changes in wording or numbers, additional unrelated clauses, etc. significantly decrease LLM performance (up to 65%) in math reasoning.

💡 Their methodology is clever: basically they templatized/parameterized various math questions and then tested how the LLMs performed when attributes were changed. Figure 1 is a nice visual overview. The idea being that if an LLM is actually reasoning, changing these variables shouldn’t affect performance. But it did. Another potential explanation (for unrelated clauses decreasing performance) is that LLMs are easily distractable. Anywho, research like this that really vets LLM capabilities is excellent.

mllamazares/vulncov
By One eSecurity’s Miguel Llamazares: A tool that correlates Semgrep scans with Python test code coverage to identify which vulnerable code has been executed by unit tests, helping prioritize SAST findings and reduce false positives. It also leverages a self-hosted LLM (using ollama) to suggest bug fixes.

Build your own AutoFix with Patchwork
Patched Codes describes using their open source framework patchwork to automatically fix code vulnerabilities, walking through: cloning code, scanning with Semgrep, triaging results using LLMs, generating patches, checking compatibility, and creating pull requests, sharing prompts for each.

Previously Patched Codes did some benchmarking of various LLMs at patching vulnerabilities (GPT-4[o], Gemini, Llama, etc.), and evaluated a fine-tuned GPT-4o, releasing their evaluation benchmark and synthetic vulnerability dataset.

💡 I love to see more benchmarks evaluating LLM performance on security tasks, it’s great that they’re sharing it publicly. I will say though that the benchmark is a bit small, is only Python, and the patching methodology seems to be not quite as thorough as described by CodeQL here or Semgrep’s approach here. Still, directionally good.

Hacked ‘AI Girlfriend’ Data Shows Prompts Describing CSAM
404 Media’s Joseph Cox reports on a hacked database from AI companion site Muah.ai that exposed people's particular kinks and fantasies they've asked their bot to engage in. It also shows many of them are trying to use the platform to generate child abuse material.

On the AI relationship train, I thought When Your Lover Is a Bot had an interesting discussion on the societal and interpersonal implications of more people engaging with AI instead of other humans. Mozilla reviewed 11 romantic AI chatbots and found their privacy policies to be abysmal.

And I was a bit surprised to see this in the OpenAI docs: “We're exploring whether we can responsibly provide the ability to generate NSFW content in age-appropriate contexts through the API and ChatGPT. We look forward to better understanding user and societal expectations of model behavior in this area.”

Misc

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler