
[tl;dr sec] #266 - AI CVE Analysis, Hijacking Abandoned S3 Buckets, Doing Less in AppSec

NVIDIA's Agentic CVE investigation workflow, compromising the Internet via abandoned S3 buckets, do more in AppSec by doing less

Hey there,

I hope you’ve been doing well!

🧏 Recently Overheard

It’s late so you must forgive me for the brief intro. Some recent snippets from my life:

Eating dinner, and overhearing from a nearby table: “…yeah Space X… Daddy Musk…”

By Dolores Park, someone tried to give me a flyer and said, “Help keep AI from taking all of our jobs?”

To which I replied, “BrO hAvE you SEEN o3’s benchmarks and embraced t3h AGenTiC RevoLuTioN!?1101!”

You know, normal #PeakBayArea stuff 😂 

Sponsor

📣 How to Conduct a GenAI Risk Assessment

While most orgs have moved from panic to practicality when it comes to GenAI use, new tools like DeepSeek raise fresh concerns about AI governance and risk mitigation. View this guide to learn how to: 

  • Discover the AI tools in use in your org 

  • Conduct security reviews for AI vendors 

  • Determine where AI tools are connected to other apps

  • Educate your workforce on safe and compliant AI use

👉 Get the Guide 👈

Knowing if (and where) you’re using DeepSeek and what your company is sending to it sounds pretty useful 😅 

AppSec

Tib3rius/Turbo-Intruder-Scripts
A collection of Turbo Intruder scripts by Tib3rius that emulate the 4 main attack types in Burp Intruder: Sniper, Battering ram, Pitchfork, and Cluster bomb.

VSCode’s SSH agent is bananas
Fly.io’s Thomas Ptacek describes how, unlike Emacs’ Tramp, which uses existing tools on the remote system when doing a remote editing session, VSCode deploys a fully Node.js-based agent that establishes a WebSockets connection back to your running VSCode front-end and that’s capable of file system manipulation, arbitrary file editing, launching shell processes, and self-persistence. “I would be a little nervous about letting people VSCode-remote-edit stuff on dev servers, and apoplectic if that happened during an incident on something in production.”

Doing More in AppSec by Doing Less
BSides Knoxville talk by my bud John Heasman gives an opinionated overview of tips, strengths, and challenges of aspects of building an application inventory, training, threat modeling, SAST, DAST, bug bounty, etc. “If everything is a priority, nothing is a priority.” I really like his proposed True Positive Process of prioritization.

  1. Take true positives obtained via pen tests, bug bounty, ad hoc testing, etc.

  2. Determine the root cause - Partner with engineering to really understand it.

  3. Abstract to an Anti Pattern - What are the characteristics?

  4. Prioritize (Systemic or Ad-Hoc) - How widespread is it? Don’t play whack-a-mole.

  5. Fix

  6. Future proof with countermeasures - Eliminate this class of vulns forever.

💡 Related talks I’ve given: My How to 10X Your Security and Killing Bug Classes.

Security is a Pricing Problem
Grafana Labs’ Jonathan Price describes how there are roughly two types of pricing models, commodity pricing (software engineering tools) and value-based pricing (security tools), for reasons like: software engineering orgs usually understand how your product might be built and could build it themselves, there are OSS alternatives, etc.

Jonathan argues that security teams should hire people who can code to avoid unfair value extraction, and that pricing is ultimately hurting the security of real companies and people.

Sponsor

📣 Identity Threat Detection & Response Solution Guide

Identity Threat Detection and Response (ITDR) has emerged as a critical component to effectively detect and respond to identity-based attacks. Threat actors have shown their ability to compromise the identity infrastructure and move laterally across an environment. Download this comprehensive ITDR Solutions Guide to learn: 

  • The most common Identity Threat Detection and Response use cases and recent identity-based breaches  

  • How identity-based attacks are commonly orchestrated against environments

  • Pillars of an effective ITDR solution, questions an effective ITDR solution should answer and a comprehensive RFP template

👉 Download 👈

Many breaches start with some sort of compromised identity. Being able to detect and respond to identity compromises is 👌

Cloud Security

aws-samples/resource-control-policy-examples
Example AWS Resource control policies to get started or mature your usage of AWS RCPs.

iKnowJavaScript/terraform-aws-vulne-soldier
By Victor Omolayo: A Terraform module that automates the remediation of AWS EC2 vulnerabilities using AWS Inspector findings. It creates an SSM document to define the remediation steps, sets up a Lambda function to execute the remediation, and establishes CloudWatch event rules to trigger the process based on AWS Inspector findings.

How Adversaries Exploit Unmonitored Cloud Regions to Evade Detection
Permiso Security describes how attackers can abuse unused cloud regions to evade detection in AWS, Azure, and GCP, listing specific CLI commands and permissions attackers use to enumerate and enable unused regions, then exploit them for malicious activities like cryptomining, data exfiltration, and C2. You can restrict region usage via SCPs or IAM policies in AWS, via Azure Policies (AllowedLocations) in Azure, or organization policies (constraints/gcp.resourceLocations) in GCP.

Find Hidden AWS Resources With Effective Wordlists
Plerion’s Daniel Grzelak describes a process for enumerating AWS resources in target accounts without internal access, focusing on services that meet specific preconditions (resource names are not globally unique, resources are addressed by a user-supplied name, and their existence can be checked from outside the account), like IAM principals and SQS queues. Daniel lists a 5-step process for building effective wordlists, and links at the bottom to open source wordlists for IAM principals, SQS queues, and S3 buckets, updated weekly.

Supply Chain

Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
Socket’s Kirill Boychenko describes finding a malicious typosquat Golang package. The interesting part is that after the malware was cached by the Go Module Mirror, which the Go CLI toolchain downloads from, the git tag was strategically altered on GitHub to point to a clean, legitimate version, hiding it from manual code review. But Go module versions are immutable (for reproducible builds), so the malicious version continued to be served. Sneaky!

The biggest supply chain attacks in 2024
Article by Kaspersky that describes 12 major supply-chain attacks in 2024, including: malicious npm packages stealing SSH keys, the hijacking of an abandoned PyPI package, research on how deleted PyPI projects can be hijacked, the XZ Utils backdoor, malicious Visual Studio projects spreading malware on GitHub, the polyfill CDN serving malicious code, trojanized jQuery, the Lottie-Player cryptodrainer, and more.

8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur
watchTowr’s Benjamin Harris, Aliz Hammond, and Pinaki Mondal discovered ~150 abandoned Amazon S3 buckets previously used by major organizations and open source projects for software distribution and infrastructure deployment and registered those buckets. They received over 8 million requests in 2 months for software updates, unsigned binaries, VM images, and configuration files from government, military, Fortune 500, and other sensitive networks.

💡 watchTowr’s blog is an excellent (scary? sad?) example of how a small team, with a moderate amount of effort and $400, can compromise like… lots of important things 😅 Also, love the memes and snark 😂 

Blue Team

LOLC2
By @mthcht: A collection of command and control (C2) frameworks that leverage legitimate services to evade detection.

BADGUIDS/badguids.github.io
By @mthcht: A collection of bad GUID strings used by offensive tools, useful for fingerprinting.

LOTTunnels: Living Off The Tunnels
A project by Kamran Saifullah and Syed Daim Nusrati that documents digital tunnels which can be abused by threat actors, as well as by insiders, for data exfiltration, persistence, shell access, etc.

Linux Detection Engineering - A Continuation on Persistence Mechanisms
Elastic’s Ruben Groenewoud discusses advanced Linux persistence techniques, including dynamic linker hijacking via LD_PRELOAD, kernel module backdoors, web shells, and abusing system accounts for SSH access. The article demonstrates how to implement these using PANIX, a custom Linux persistence tool, and provides detection strategies using Elastic rules, ES|QL, and OSQuery.

Red Team

Ghidra 11.3 released: New features, performance improvements, bug fixes
What’s new: updated Visual Studio Code integration, the PyGhidra Python library for accessing Ghidra’s API, a JIT-accelerated p-code emulator, improved kernel debugging support, new layout options for the Function Graph, new source file mapping capabilities, expanded processor support, and full-text search across decompiled functions.

Build Your Own Offensive Security Lab: A Step-by-Step Guide with Ludus
ING’s Ahmed Sherif walks through setting up a red team lab using Ludus, focusing on creating an Active Directory environment with GOAD (Game of Active Directory) and integrating it with Wazuh XDR/SIEM.

SlackPirate Set Sails Again! Or: How to Send the Entire “Bee Movie” Script to Your Friends in Slack
SpecterOps’ Daniel Mayer has updated SlackPirate, a tool for extracting data from Slack workspaces, to work with current Slack authentication methods. The tool now uses both cookies and API tokens extracted from memory using a Beacon Object File (BOF). SlackPirate can pull messages, user lists, files, and other Slack data, which can then be analyzed by tools like Nemesis to find credentials and other sensitive information.

💡 Includes some nice details about debugging/examining Electron (e.g. Slack) apps.

AI + Security

aws-samples/well-architected-iac-analyzer
A React web app leveraging Amazon Bedrock to evaluate AWS CloudFormation and Terraform templates against AWS Well-Architected best practices, offering insights and improvement suggestions. It supports architecture diagram uploads, generating IaC templates, and more.

For more on using LLMs to generate Terraform, see Naman Sogani’s post AWS Security Guardrails & Terraform.

Revolutionizing software testing: Introducing LLM-powered bug catchers
Christopher Foster et al describe Meta’s Automated Compliance Hardening (ACH) tool, which hardens platforms against regressions by generating undetected faults (mutants) in source code that are specific to a given area of concern (e.g. privacy) and using those same mutants to generate tests (paper).

💡 We’ve seen Google and others use LLMs’ ability to generate code to improve fuzzing efforts; it’s neat to see other applications like targeting specific undesired behavior. Very cool.

Applying Generative AI for CVE Analysis at an Enterprise Scale
NVIDIA’s Bartley Richardson et al describe an AI-powered workflow called "Agent Morpheus" that automates CVE analysis and exploitability assessment. The system uses RAG (multiple vulnerability databases and threat intelligence sources, the project’s source code, SBOM, docs, Internet search) with four fine-tuned Llama3 LLMs, AI agents, and tools to autonomously investigate CVEs, determine exploitability, and generate VEX documents.

Agent Morpheus integrates with container registries and security tools to automate the process from container upload to VEX document creation.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler