[tl;dr sec] #255 - AI finds 0day in SQLite, Cloud Security Tools, Auto-generate Terraform Secure Guardrails

Google Project Zero's LLM-powered variant analysis, deobfuscating IAM policies and a real-time SCP error monitor, using LLMs to create secure by default Terraform modules

Hey there,

I hope you’ve been doing well!

Memes

Emotions are high in the U.S. right now, so I spent a long time writing a heartfelt message about the values I believe America stands for, interlaced with personal family stories.

I then decided to cut that section, and instead share part of my meme collection, enjoy:

Sponsor

📣 Simplify SecOps for Google Workspace with Material Security

Google Workspace is critical to your organization’s day-to-day workflows. It’s where your employees work, communicate, and collaborate. It’s also a vulnerable attack surface, with inboxes and files full of sensitive data and links to other apps and services across your environment.

Material Security provides unified SecOps for all of Google Workspace, with advanced phishing protection, a unique approach to DLP, and proactive posture management. Our platform surfaces threats and risks that others miss, and automated remediations ensure problems are fixed–fast.

When I saw a demo of Material, I was pretty impressed by how quickly you could get it set up and start seeing immediate insights into your Google Workspace security posture, and I like the auto sensitive info redaction 👍️ 

AppSec

Developing Secure Software
A free training course by the OpenSSF. Learn the security basics to develop software that is hardened against attacks, and understand how you can reduce the damage and speed the response when a vulnerability is exploited. 16-20 hours of course material, includes quizzes and hands-on labs.

chebuya/sastsweep
By Chebuya: A tool designed for identifying vulnerabilities in open source codebases at scale. It can gather and filter on key repository metrics such as popularity and project size, enabling targeted vulnerability research. It automatically detects potential vulnerabilities using Semgrep and provides a streamlined HTML report.

XSS WAF Bypass One payload for all
Edra shares a technique for bypassing WAFs with an XSS payload that leverages HTML entities, and provides payload examples that work against Imperva, Incapsula, Amazon, and Akamai WAFs.

When WAFs Go Awry: Common Detection & Evasion Techniques for Web Application Firewalls
MDSec’s James Hall discusses various techniques for bypassing WAFs, including fuzzing, reversing regex rules, obfuscation/encoding, alternative character sets, and request header spoofing. He provides real-world case studies of bypassing CloudFront, Cloudflare, F5 BIG-IP ASM, and Azure Application Gateway WAFs using techniques like obscure event handlers, regex capture groups, and large request bodies. James also discusses novel evasion methods like using hieroglyphics for JavaScript and recent CVEs in OWASP Core Rule Set. Great related work section 👌 

Sponsor

📣 Catching AppSec Design Risks Before Code is Even Written

Waiting until deployment of an app to address security is like putting on a helmet after you crash your bike. 

Apiiro is leveraging AI to analyze feature designs and catch potential vulnerabilities before a single line of code is written. This proactive approach saves time and resources while also ensuring security is baked into your applications from the start. 

Ready to shift left? Learn how Apiiro is redefining secure development and get ahead of risks before they become real threats.

I think using AI to analyze feature designs is an excellent use case for AI, I’ve seen a number of people discussing this on blogs and in conference talks 👌 

Cloud Security

SANS CloudSecNext Summit 2024
The 19 talk recordings are live!

Cloud Guardrails
By Resourcely: An open source collection of cloud infrastructure best practices, for bootstrapping your own cloud platform.

Safer SCPs: Real-Time SCP Error Monitor
Repo by Matt Fuller that eases AWS Service Control Policy (SCP) deployment by using AWS EventBridge and CloudWatch for real-time monitoring of SCP-related access denied errors, allowing for immediate detection and response if you done broke somethin’.

Introducing SkyScalpel: An Open-Source Tool to Combat Policy Obfuscation in Cloud Environments
Permiso’s Abian Morina introduces SkyScalpel, an open source tool that deobfuscates and detects obfuscated JSON documents with a focus on IAM policies used to control permissions in AWS cloud environments. SkyScalpel also includes detection capabilities with targeted expansion of wildcard values and a Find-Evil function for identifying syntactical obfuscation techniques.

Introducing CloudTail: An Open-Source Tool for Long-term Cloud Log Retention and Searchability
Permiso’s Ela Dogjani introduces CloudTail, an open source tool designed to enhance long-term retention and searchability of cloud logs for AWS and Azure. It uses a JSON configuration file to selectively capture high-value events, stores them in SQLite databases, and can export as JSON for easier analysis.

AWS CDK Risk: Exploiting a Missing S3 Bucket Allowed Account Takeover
Aqua’s Ofek Itach and Yakir Kadkoda describe an S3 bucket namesquatting-type vulnerability in AWS CDK. The AWS CDK bootstrapping process involves creating a staging S3 bucket with a predictable name, and S3 bucket names are globally unique across all AWS accounts, so if an account were to delete the staging S3 bucket after bootstrapping, an attacker could register that bucket name and inject malicious CloudFormation templates. Avishay Bar has released an open-source tool that scans AWS accounts for this issue, helping identify current risks and protect against future S3 bucket takeover threats.

AWS patched this by adding a condition to only trust buckets in the user's account, and confirmed the vulnerability affects ~1% of CDK users who bootstrapped with version 2.148.1 or earlier.

Blue Team

The Black Team Ops honeypot
OK, this is hilarious 😂 SpacialSec writes about how a parody tweet about a fake "Black Team Ops" course unexpectedly generated significant interest, leading them to create a honeypot registration site to collect data on potential "skids" interested in criminal hacking techniques. They quickly set up a domain and registration page, and then promoted the fake course on social media. At the end, they scared registrants with a fake law enforcement seizure notice. The post shares geographic and other data collected about registrants.

EDR Bypass Testing Reveals Extortion Actor's Toolkit
Palo Alto Unit 42’s Navin Thomas, Renzon Cruz, and Cuong Dinh described how they gained access to a threat actor's system while investigating an extortion attempt, providing insights into their operations. The threat actor was testing an AV/EDR bypass tool against Cortex XDR on virtual machines, and OpSec failures allowed them to identify one of the threat actors involved, including their employment details and social media profiles.

Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats
Sophos’ Ross McKerchar unveils a five-year investigation tracking China-based groups targeting perimeter devices, including some pretty impressive TTPs (backdoored Java classes, a new rootkit, an early experimental UEFI bootkit, 0days, sabotaging telemetry collection…). There appears to be reasonable evidence for the Chinese security researcher finding exploits → Chinese government apparatus pipeline.

One neat detail is that Sophos “defended forward” (more details here), that is, they deployed “implants” on attacker devices so they could observe the exploit development process as it was happening. The timeline reads like a spy novel, very cool.

“The attacks highlighted in this research demonstrate a level of commitment to malicious activity we have rarely seen in the nearly 40 years of Sophos’ existence as a company.”

Red Team

logangoins/Cable
By Logan Goins: .NET post-exploitation toolkit for Active Directory reconnaissance and exploitation.

CobblePot59/ADcheck
Assess the security of your Active Directory with few or all privileges.

RedTeamOperations/Red-Infra-Craft
By CyberWarFare Labs: Automates the deployment of powerful red team infrastructure, streamlining the setup of Command and Controls (C2s), making it easy to create advanced phishing and payload infrastructure.

AI + Security

Quicklinks

  • Andrew Green argues that an AI SOC is much more than just LLM-aided investigations; it should also include ingestion and storage, the detection engine, threat hunting, anomaly detection, and automation, orchestration, and response.

  • An AI-assisted Halloween parade listing caused a ton of people in Dublin to show up for a parade that didn't exist. This is more SEO than AI really, but still an interesting indicator of potential future AI slop leaking into affecting real world human behavior 😅

  • Wiz CEO Assaf Rappaport said dozens of Wiz employees received a deepfake voice call from “him” trying to get their credentials.

  • Apple invites security researchers to test its Private Cloud Compute (PCC) system and will pay up to $1,000,000 for PCC vulnerabilities. They're providing docs, some source code, and you can run a virtual research environment of PCC on a VM locally.

ghostsecurity/reaper
By Ghost Security: An open source application security testing tool that brings together reconnaissance, request proxying, request tampering/replay, active testing, vulnerability validation, live collaboration, and reporting. These features can be leveraged by AI Agents (provided to the Agents as "tools"). The end of the demo video shows providing a prompt to Reaper like "check for broken access control on this domain" and outputting a report with the findings.

AWS Security Guardrails & Terraform
PwC’s Naman Sogani describes extracting security requirements from tools like Checkov and Prowler, using Anthropic's Claude 3.5 Sonnet via AWS Bedrock to transform them into security requirements, and then again using Sonnet to turn those security requirements into reusable secure by default Terraform modules.

💡 This is a really cool idea and approach, and if the modules are in fact solid (it’d be good to do some human expert review), this and other similar work could make a meaningful dent in building secure by default libraries, modules, etc. that the community can just use. Let’s go! 🤘 

From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code
Google DeepMind and Project Zero have teamed up to build Big Sleep, an AI vulnerability finding agent that has discovered an exploitable stack buffer underflow in SQLite. Big Sleep works by doing variant analysis: given recent git history in the SQLite repo, it asks the agent to review the current repository (at HEAD) for related issues that might not have been fixed. Note that this is much more directed and focused than an open-ended, look-at-everything approach.

One thing pretty sick about the shared Agent trace is that Big Sleep was able to diagnose and fix a missing extension and test case, such that this buggy program path could be executed. The bug wasn't caught by existing fuzzing efforts due to configuration differences.

💡 Prior work: H/T to Joern Schneeweisz who pointed out that CVE-2024-9143 was also found with the help of an LLM, as was this OpenBSD IPv6 Multicast kernel buffer overflow by Alfredo Ortega.

Misc

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler