• tl;dr sec
  • Posts
  • [tl;dr sec] #37 - Kubernetes, SAST Snark, and Malware Targeting Open Source Supply Chain

[tl;dr sec] #37 - Kubernetes, SAST Snark, and Malware Targeting Open Source Supply Chain

Using Kubernetes + OPA, Twitter SAST snark & lessons learned, malware discovered on GitHub targeting the open source supply chain.

Hey there,

I hope you’re safe and healthy! Phew, a lot has happened since last week 😅

Oof, Current Events

I live in the Bay Area, and this past weekend I fell asleep to the sound of police sirens and helicopters. Though I’ve been very fortunate to be safe, there are many who have not been so lucky. A number of businesses within a short walking distance away have been looted and have since been boarded up for the time being.

Since the death of George Floyd, I’ve been heartened to see thousands of people across many cities protest the injustices many Americans face on a regular basis, and have for a long time. I’ve been saddened to see opportunists use the ongoing protests as cover to be violent and cause destruction.

Stay safe out there!

📜 In this newsletter...

🔗 Links:

  • AppSec: Tool to brute-force Java RMI interfaces for code exec, game security overview, OWASP's list of static analysis tools, a code-aware grep tool, Twitter SAST snark

  • Cloud Security: Integrating AWS Security Hub with Chatbot and Slack, log all AWS API calls with Client Side Monitoring

  • Kubernetes: Using Gatekeeper in Kubernetes, Pod Security Policies with OPA, using Vault with Kubernetes

  • Container Security: Tool to diff containers, tool to slim containers

  • Blue Team: Linux security hardening, Mozilla's SSL config generator, steps to determine if an attacker is persisting using kernel-mode drivers or firmware implants, GitHub's analysis of an open source supply chain attack targeting NetBeans users

  • Red Team: Script to perform local Linux enumeration and privilege escalation checks, IDA plugin to uses DynamoRIO for instrumentation, exfiltrate data via macOS calendar alerts, Golang CLI tool to search GTFOBins and LOLBAS, an Android post-exploitation framework

  • Privacy: A Chinese province wants to label citizens based on their health data, governments introducing surveillance under the veil of coronavirus control

  • Politics: A discussion about economy changes + automation + the continuing rise of inequality, history blurb on the Black Panthers and the FBI's counter-intelligence program, research-based solutions to stop police violence

  • OSINT: Katas for learning Shodan basics

  • Misc: Pimp your terminal, Magic the Gathering is Turing Complete, tips on adopting habits to be more productive


RMIScout: Safely and Quickly Brute-Force Java RMI Interfaces for Code Execution
Tool by Bishop Fox’s Jake Miller: “RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities.” source 

Game Security
A high level overview of the cheat and anti-cheat mechanisms in video games.

Source Code Analysis Tools
OWASP’s list of static analysis tools.

Semgrep: Stop grepping code
“Semgrep is an open-source tool that is like a code-aware grep: you can easily match all calls to a certain function, match all specific function arguments regardless of order, or find all cases where a call like A() occurs after B().”

SAST Snark on Twitter
There were some interesting threads on Twitter about challenges people have faced with many modern SAST tools. Some snippets:

Cloud Security

Enabling AWS Security Hub integration with AWS Chatbot
“In this post, we show you how to configure AWS Chatbot to send findings from AWS Security Hub to Slack. AWS Chatbot is an interactive agent that makes it easy to monitor and interact with your AWS resources in your Slack channels and Amazon Chime chat rooms.”

Client Side Monitoring
Scott Piper gives us the heads up on an AWS SDK feature that appears mostly undocumented outside of the SDK source code. By setting an environment variable, all AWS API calls will be recorded. “According to the docs, this feature is ‘available only to customers with an Enterprise Support subscription.’ This article will discuss what this is and how we can use aspects of it without a fancy support contract.”


Using Gatekeeper in Kubernetes
Gatekeeper” allows a Kubernetes administrator to implement policies for ensuring compliance and best practices in their cluster. It makes use of Open Policy Agent (OPA) and is a validating admission controller. The policies are written in the Rego language. Gatekeeper embraces Kubernetes native concepts such as Custom Resource Definitions (CRDs) and hence the policies are managed as kubernetes resources.”

Kubernetes Pod Security Policies with Open Policy Agent
“First I will discuss the Pod Security Policy admission controller. Then we will see how Open Policy Agent can implement Pod Security Policies.”

“Admission Controllers are part of the kube-apiserver. They intercept requests to the Kubernetes API server before configuration is stored in cluster settings (etcd). An admission controller can be validating (one which validates the incoming request) or mutating (one which modifies the incoming request) or both.”

Kubernetes OPA Admission Control Flow

Vault Consul Cluster

Container Security

A tool for analyzing and comparing container images along criteria including: Docker image history, image filesystem and size, as well as apt, rpm, pip, and npm packages.

“docker-slim will optimize and secure your containers by understanding your application and what it needs using various analysis techniques. It will throw away what you don’t need, reducing the attack surface of your container.” In some cases, up to a 30x slim down, whoa.

Blue Team

Linux Security Hardening and Other Tweaks
By @blakkheim: Full disk encryption, ensure your package manager uses only HTTPS mirrors, hardened kernel options, firewall, sudo, application sandboxing, etc.

Mozilla SSL Configuration Generator
Nifty web app that lets you select your server software (Apache, Golang, nginx, …), how strict you want to be about cipher suites and a few other options, and then it’ll generate a config for you. Nice!

Hardware Root of Trust — Bios and UEFI
“This article explains modern and antiquated protections which attempt to prevent attackers who have already achieved root level access from persisting via kernel-mode drivers or firmware implants. Much of the information comes from the excellent Rootkits and Bootkits book.”

“It provides a series of test steps which allow security engineers to determine what attack vectors are available to an attacker who is looking to persist their root level privileges beyond the capabilities provided by user-mode exploits.”

The Octopus Scanner Malware: Attacking the open source supply chain
Interesting deep dive by the GitHub SIRT team: they discovered “malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself. We uncovered 26 open source projects that were backdoored by this malware and that were actively serving backdoored code.”

Basically, the Octopus Scanners determines if the infected machine uses NetBeans, and if so, infects every JAR file built by any project. The dropper ensures local persistence and connects to the attacker’s C2 servers. The malware also infected any JAR files that were available in the project, such as dependencies—not necessarily just build artifacts.

We found four different versions of infected NetBeans projects and all but one of them, a downstream system (for example, someone who cloned an infected project), would get infected by either building from an infected repository or using any of the tainted artifacts that resulted from an infected build.

I feel like this is one of the first “interesting” attacks on open source I’ve seen. Previous instances were pretty simple and didn’t do anything neat to hide or spread. Honestly I’m surprised it’s taking this long for OSS supply chain attacks to ramp up, but maybe there’s already clever stuff out there we just don’t know about 🤔

Red Team

Script that performs a number of local Linux enumeration and privilege escalation checks. Gathers system info, info about current users (user lists, password policies, who has access to sudo, …), examines current (cron) jobs and services, finds SUID/GUID files, etc.

IDA Plugin: Dynamic Data Resolver (DDR)
Cisco Talos is releasing the 1.0 beta version of an IDA that makes reverse-engineering malware easier by using instrumentation techniques (DynamoRIO) to resolve dynamic values at runtime from the sample.

Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data
By NCC Group’s Andy Grant: “Using a carefully crafted calendar event, an attacker can retrieve semi-arbitrary files from a target victim’s machine, all the victim has to do is click on the invite.”

Golang CLI tool for searching GTFOBins (a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions) and LOLBAS (“living off the land binaries and scripts”).

“Ghost Framework is an Android post-exploitation framework that exploits the Android Debug Bridge to remotely access an Android device. Ghost Framework gives you the power and convenience of remote Android device administration.” It can be used to remotely remove the passcode of an Android device if it has been forgotten as well as access the remote Android device shell without using OpenSSH or other protocols.

Entynetproject appears to also have post-exploitation frameworks for Linux, PHP, iOS/macOS, and Windows


Chinese Province Wants to Label Citizens by Their Health Rating Using Data on Their Sleep, Eating, and Exercising
“The Chinese province of Hangzhou has proposed that authorities assign a permanent health rating to its residents, which would be based on people’s medical records and lifestyle habits. Hangzhou’s health authority explained that, when making the rating, it would consider indicators such as people’s eating and drinking habits, whether they smoke and drink alcohol, how much they exercised, and how much they slept the night before. If approved, both residents and companies of Hangzhou will have colored health grades, with a score from 0 to 100.” Catch up, Black Mirror writers!

Safety Over Freedom: How Governments Introduce Surveillance Under Veil of Coronavirus Control
Nice overview of government surveillance under coronavirus. Also, check out this interactive map by a Russian non-profit showing the extent to which the governments of particular countries violate people’s privacy.


Concise Argument and Evidence That Steven Pinker is Wrong About How Good Things Are
For the past few years, I’ve been thinking a lot about how the U.S. and other economies have been changing. In short, I think advances in automation, AI, and robotics, are and will continue to eliminate broad swathes of former middle class jobs. Inequality will continue to rise, which will stoke tensions and lead to serious turmoil (or more) unless addressed. People whose jobs have been automated won’t just suddenly become machine learning experts or other knowledge workers without support and training. One reason I liked Andrew Yang is because he seemed to be one of the few politicians who grokked this massive oncoming (/ongoing) train wreck and was actively talking about it. I was glad to see this article by Daniel Miessler, which lays out the reasoning behind this concern clearly and concisely. I wish more people were talking about this.

The Black Panthers and the FBI’s Counter-Intelligence Program 
Tweet thread history lesson about how J. Edgar Hoover’s FBI had a secret project designed to spy on, infiltrate, and discredit every progressive activist movement, with a particular emphasis on African American civil rights leaders, especially the Black Panthers.

There’s also a booklet with more details, but the crazy thing is that the only reason we know this program existed is that in 1971 a group of white activists broke into an FBI field office in Pennsylvania, stole a bunch of documents and revealed the existence of the then-secret COINTELPRO operation to the public.

Research-based solutions to Stop Police Violence
Interesting Twitter thread on studies about what actually decreases police violence in practice. Some of the results may surprise you.

Also, uhhh what:

50 cities and 15 states restrict interrogations by limiting how long an officer can be interrogated, who can interrogate them, the types of questions that can be asked, and when an interrogation can take place.

41 cities and 11 states give officers under investigation access to information that civilians suspects don’t get, including 16 cities that allow officers to review all evidence against them prior to being interrogated.

“Here’s everything we know so uhh, what happened again?”

64 cities and 10 states limit disciplinary consequences for officers, for example by preventing an officer’s history of past misconduct from being considered in future cases, and/or limit the capacity of civilian oversight structures or the media to hold police accountable.

43 cities and 4 states erase records of misconduct, in some cases erasing records after 2 years or less.


Katas for learning the basics of Shodan search.


Pimp My Terminal
Some tips and tricks for building an awesome terminal UX - color schemes (e.g. gogh), useful aliases, lsd as a better ls, bat as a better cat, customizing bash/zsh prompts, zsh-autosuggestions, and more.

Magic: The Gathering is Turing Complete
An academic paper proving that there is still good in this world, or, at least people with a bit too much free time 🤘

Magic: The Gathering is a popular and famously complicated trading card game about magical combat. In this paper we show that optimal play in real-world Magic is at least as hard as the Halting Problem, solving a problem that has been open for a decade. To do this, we present a methodology for embedding an arbitrary Turing machine into a game of Magic such that the first player is guaranteed to win the game if and only if the Turing machine halts. Our result applies to how real Magic is played, can be achieved using standard-size tournament-legal decks, and does not rely on stochasticity or hidden information.

How a Lazy Bitch like me learned to be Productive
Getting yourself to do something beyond your routine is really hard, and we can only do so much of that per day. The key is good habits, which, if you’re interested in, you should absolutely read James Clear’s book Atomic Habits, which is excellent. Here are Madison’s three rules:

  1. I only make one or two habits each month.

  2. I do them in small quantities every single day the first month- I never push it too hard during the first 30 days, but I also do it every single day, no matter how I feel.

  3. I never go over my goal for the first month. So if my goal is to write for an hour daily I don’t let myself go over one hour/day for the first month. This is to give my brain some peace of mind; if I set consistent expectations with it, then even on the days when I don’t want to do my new habit, my brain knows there’s a set end time/amount that I won’t go over, and it reluctantly agrees.

By adding a couple high-quality new habits each month, in 6 months I’m virtually unrecognizable.

✉️ Wrapping Up’

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them


Thanks for reading!