• tl;dr sec
  • Posts
  • [tl;dr sec] #299 - The Security Engineer's Guide to MCP, IAM Hound Dog, IMDS Anomaly Detection

[tl;dr sec] #299 - The Security Engineer's Guide to MCP, IAM Hound Dog, IMDS Anomaly Detection

Quickly get up to speed in MCP security, tool to identify privilege escalation in AWS, find 0days and attackers via anomalous IMDS calls

Hey there,

I hope you’ve been doing well!

🎙️ Zero Signal Podcast - AI in Cybersecurity

In Vegas this year I joined my friends Conor Sherman (Sysdig CISO in Residence) and Stuart Mitchell (Hampton North) on their new podcast, Zero Signal.

We discussed AI’s impact on penetration testing, the job pipeline, “shifting down not left” (H/T my interview with former Google Cloud CISO Phil Venables), integrating security in vibe coding, and more.

You can check it out on YouTube, Spotify, or Apple Podcast.

P.S. I’ve been working on a talk for our Semgrep offsite next week on current trends in AI + AppSec and where things are headed, which has been a lot of fun. Will share via blog, conference talk, or video sometime ☺️

Sponsor

📣 The Next Step in CloudSecOps is Here

Meet Tami—the AI CloudSecOps agent that doesn't just tell you what's broken, but actually fixes it. 

Why stop at detection? Tamnoon's AI agent goes the extra mile: it prioritizes, enriches, investigates, and delivers production-ready remediation playbooks validated by expert CloudPros. 

Trained on millions of safe executions in real environments, Tami turns your endless alert backlog into tested, permanent solutions—keeping your entire cloud infrastructure safe and compliant.

Autofixing cloud issues is pretty rad 🤩 "Trained on millions of executions,” nice.

AppSec

CTFs

Cookie Chaos: How to bypass Host and Secure cookie prefixes
Portswigger’s Zakhar Fedotkin describes how attackers can bypass browser-enforced cookie prefix protections (__Host- and __Secure-) by exploiting inconsistencies in how browsers and servers handle cookie encoding and parsing. These techniques can enable attackers to inject malicious cookies that bypass browser restrictions, potentially leading to XSS, session fixation, or privilege escalation. Burp Custom Action to test for these issues.

Two bypass techniques: using Unicode whitespace characters that browsers treat as regular characters but servers normalize away, and leveraging legacy cookie parsing behavior ($Version=1) that causes some Java-based servers to interpret a single cookie as multiple cookies.

Taming 2,500 compiler warnings with CodeQL, an OpenVPN2 case study
Trail of Bits’ Paweł Płatek and Jay Little describe how they developed a specialized CodeQL query to identify dangerous implicit integer conversions in C code, reducing OpenVPN2's 2,500+ compiler warnings to just 20 high-priority cases requiring manual review. Their approach distinguishes between benign and potentially vulnerable conversions by categorizing them based on data alteration types (truncation, reinterpretation, widening) and conversion mechanisms.

Their five-step query refinement process: start with all problematic conversions, eliminate safe constants, apply range analysis, model codebase-specific functions, and finally focusing on user-controlled inputs via taint tracking. They’ve open-sourced their query on GitHub.

antgroup/YASA-Engine
By Ant Group: YASA (Yet Another Static Analyzer) is an open source static program analysis framework built around a Unified Abstract Syntax Tree (UAST) that enables analysis across multiple programming languages.

Project components: YASA-Engine (the core analysis engine), YASA-UQL (a declarative query language compatible with CodeQL), YASA-MCP (LLM-friendly APIs), and YASA-SDK (integration tools for applications), all designed to provide field-sensitive, context-sensitive, and flow-sensitive analysis capabilities.

TIL about xAST, an open-source evaluation system for SAST/IAST/DAST tool capabilities.

Sponsor

📣 Effective Cloud Security Requires a Unified Platform

Cloud-native speed comes with cloud-sized risk. As teams spin up and down resources at record pace, security gets buried in complexity. Point solutions for prevention, posture, and response just can’t keep up. 

ESG reveals why organizations need a consolidated, integrated approach that streamlines security, reduces risk in real time, and delivers runtime protection where it matters most.

Neat, a report on cloud security wins and losses from 370 organizations, that’s a solid dataset 👍️ 

Cloud Security

VirtueSecurity/IAMhounddog
By Virtue Security’s Nathan Tucker: A tool that helps pentesters identify privileged principals and second-order privilege escalation opportunities in AWS environments by mapping relationships between IAM entities and resources. The tool generates a graph database compatible with BloodHound, revealing connections between principals, roles, policies, and AWS services (CloudFormation, EC2, ECS, EKS, Lambda, RDS, Step Functions, CodeBuild, and CodePipeline).

IMDS Abused: Hunting Rare Behaviors to Uncover Exploits
Wiz’s Hila Ramati and Gili Tikochinski describe how they developed a data-driven methodology to detect anomalous Instance Metadata Service (IMDS) usage across cloud environments, leading to the discovery of SSRF vulnerabilities being exploited in the wild in pandoc when converting HTML to PDF, and in ClickHouse SELECT * FROM url).

The approach: establishing baseline IMDS access patterns, identifying suspicious processes with rare IMDS access, filtering by requests made to sensitive metadata paths (related to determining what permissions you have access to), and analyzing compute context.

Adding Determinism and Safety to Uber IAM Policy Changes
Uber’s Avinash Srivenkatesh, Zi Wen, and Zakir Akram describe how Uber built a Policy Simulator, allowing developers making IAM policy changes to preview the impact of the changes before deployment, to prevent outages or other errors in their complex microservices environment.

The tool works by: first fetching relevant access logs, then replaying these logs against two local authorization engines (one with current policies, one with proposed changes) to identify differences in access control results. The change author gets a report on the potential impact of the proposed policy change, who can then decide if they want to proceed.

💡 Whoa, impressive engineering. Probably overkill for most companies, but worth a read. I especially like the idea of replaying past events and comparing proposed changes vs the prior state. This can be applied in a number of domains 👌 

Supply Chain

The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows
Gaetan Ferry and Guillaume Valadon describe how on September 5, 2025, GitGuardian discovered GhostAction, a supply chain attack affecting 327 GitHub users across 817 repositories through malicious workflows disguised as "Github Actions Security." Attackers injected malicious workflows that exfiltrated 3,325 secrets, including PyPI, npm, and DockerHub tokens via HTTP POST requests to a remote endpoint.

💡 The malicious GitHub Action workflow is embarrassingly obviously malicious ☹️ Sometimes I feel like attackers don’t respect their craft. Sad.

How to Tamper with Releases built with GitHub Actions Workflows
Incredibly detailed GitHub repo with proof of concepts by Benedikt Haußner, based on his talk presented at fwd:cloudsec Europe 2025 (slides, video). He covers a bunch of things, but especially these 5 attack paths: 1) changing the assets of a mutable release, 2) using typosquatted third-party GitHub Actions in our workflow, 3) using a GitHub hosted runner with a container under our control, 4) employing homoglyph attacks to redirect builds to self-hosted runners, and 5) injecting malicious code via orphaned commits in the actions/checkout repository.

pull_request_nightmare Part 1: Exploiting GitHub Actions for RCE and Supply Chain Attacks
Orca’s Roi Nisimi provides an overview of the pull_request_target trigger in GitHub Actions, the risks of checking out and executing code from untrusted pull requests with privileged tokens, and some vulnerabilities they found in the wild.

In part 2, Roi gets more specific, and describes how they were able to compromise open source repositories owned by Microsoft, Google Cloud, and NVIDIA and others, demonstrating how this vulnerability class allowed them to execute reverse shells on GitHub runners, push malicious code to origin repositories, steal API keys, and access cloud resources on self-hosted runners.

They found ~1% (50 out of 5,000) repos using pull_request_target to be vulnerable, and there are >100K repos using that trigger on GitHub, so there may be thousands more vulnerable repos.

Blue Team

acquiredsecurity/forensic-timeliner
By Brad Roughan: A high-speed forensic timeline engine for Windows forensic artifact CSV output built for DFIR investigators. Quickly consolidate CSV output from processed triage evidence for Eric Zimmerman (EZ Tools) Kape, Axiom, Hayabusa, Chainsaw and Nirsoft into a unified timeline.

A Primer on Forensic Investigation of Salesforce Security Incidents
Guide by Salesforce Field CTO Eoghan Casey on investigating security incidents in Salesforce environments, focusing on three key information sources: activity logs, user permissions, and backup data, referencing various products and features (Salesforce Shield Event Monitoring, Who Sees What Explorer, Enhanced Transaction Security policies, etc.).

Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
Mandiant’s Sarah Yoder et al describe the BRICKSTORM malware campaign by UNC5221 (suspected China-nexus threat actors) targeting US organizations with sophisticated backdoors on network appliances that lack EDR support. The attackers maintain persistence for an average of 393 days by deploying BRICKSTORM (a Go-based backdoor with SOCKS proxy functionality) on appliances, and employing techniques like VM cloning to extract credentials while generating minimal security telemetry.

Mandiant released a scanner tool to help organizations hunt for BRICKSTORM and provides detailed hunting guidance.

💡 Wow, some impressive tradecraft here.

Red Team

0xJs/EnumEDRs
By Jony Schats: Tool written in C that enumerates EDRs running on the system by enumerating current processes and loaded drivers. Currently supports ~9 EDRs, including Microsoft Defender for Endpoint, Elastic EDR, Sysmon, BitDefender, Cortex, CrowdStrike, Sentinel, Sophos, etc.

olafhartong/BamboozlEDR
By Olaf Hartong: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. BamboozlEDR features a TUI interface and can generate realistic security events across multiple Windows ETW providers to test EDR detection capabilities, log analysis systems, and security monitoring solutions.

Your Vulnerability Scanner Might Be Your Weakest Link
Praetorian’s Adam Crosser discusses how vulnerability scanners (or asset inventory platforms, IT automation frameworks, and management tools) using privileged credentials can become security risks when using password-based authentication or insecure protocols. The post gives an example of capturing vulnerability scanner credentials by instrumenting SSH on a compromised server, without triggering Linux EDR alerts.

Example credential theft techniques: SSH service environment variable modification, process tracing (strace sshd), malicious PAM modules, and honeypot redirection, none of which triggered alerts in their testing of major Linux EDR products. Recommendations: treat scanner and automation credentials as sensitive assets, prefer key-based authentication over passwords, disable legacy protocols like NTLMv1, and validate that Linux EDR solutions provide meaningful security coverage.

AI + Security

Quicklinks

slowmist/MCP-Security-Checklist
By @SlowMist_Team: Nice high level overview and checklist covering MCP Server and Client security, secure invocation, and multi-MCP scenario security.

A Security Engineer's Guide to MCP
Great primer by Semgrep’s Kurt Boberg to quickly get you up to speed on testing and securing MCP servers and clients. Kurt covers the control flow for MCP, important terms, using MCP Inspector, key MCP vulnerability classes (tool poisoning/line jumping, tool shadowing, rug pulling, Web 2.0 issues), an overview of security-relevant parts of the MCP specification, and an MCP security evaluation cheatsheet of exactly what to look for.

💡 Love when someone reads the spec for me and points out the sharp edges 🤘 

Research Briefing: MCP Security
Wiz’s Rami McCarthy shares a nice round-up of security risks across local and remote MCP servers, open-source registries and trust signals, MCP client risks, and how to secure yourself today in safely using MCP servers (use trusted sources, audit before usage, consider sandboxing MCP servers and using an MCP gateway, …) and avoiding common AppSec vulnerabilities when creating MCPs. The post concludes with future-focused security tips and tool recommendations. All in all, tons of great supporting resources, in typical Rami fashion 😍.

First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails
Koi’s Idan Dardikman discovered that the postmark-mcp MCP server (1,500 downloads/week), which was safe and fine for 15 versions, since version 1.0.16 has been secretly BCCing all emails to the developer's personal server, potentially exfiltrating thousands of sensitive emails. There's a legitimate GitHub repo with the same name, officially maintained by Postmark, which the attacker copied, added the malicious BCC line, and published it to npm under the same name.

💡 See Trail of Bits’ mcp-context-protector and similar tools that do trust-on-first-use pinning for server instructions and tool descriptions.

AI

Quicklinks

Misc

“What you most need will be found in the place you least want to look.” - Carl Jung

Feelz

AI

Misc

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋