CloudSec Wine


All about cloud security Contacts: @AMark0f @dvyakimov About DevSecOps: @sec_devops

2 228 subscribers

Post archive
🔶 AWS Lambda: function URL is live! AWS has announced AWS Lambda Function URLs, which basically lets you use Lambdas as a public HTTPS endpoint without using an API Gateway or Application Load Balancer. Lumigo’s Yan Cui provides more context about what Function URLs are, how they work, and how to take advantage of them. https://lumigo.io/blog/aws-lambda-function-url-is-live #aws

🔶 Incident report: From CLI to console, chasing an attacker in AWS How the Expel team detected and stopped unauthorized access in one AWS environment. https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws #aws

🔶 Denonia: The First Malware Specifically Targeting Lambda The malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls. https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda #aws

🔷 Azure Active Directory Exposes Internal Information The first issue allows anyone to query the directory synchronization status. The second issue could reveal internal information about the target Azure AD tenant, including the technical contact's full name and phone number. https://www.secureworks.com/research/azure-active-directory-exposes-internal-information #azure

🔶🔷🔴 The Expansion of Malware to the Cloud Overview of key threats for cloud environments, with a focus on Linux malware, database malware, malicious cryptomining code, and ransomware. https://orca.security/resources/blog/cloud-linux-database-ransomware-cryptomining-malware #aws #azure #gcp

🔶 Codify your best practices using service control policies Overview post on what SCPs are, why you should create SCPs, and the strategy you can use to implement SCPs, as well as how to continue iterating and improving SCPs as your workloads and business needs change. Part 2 discusses how you can create SCPs using constructs from AWS Well-Architected. https://aws.amazon.com/ru/blogs/mt/codify-your-best-practices-using-service-control-policies-part-1 #aws

🔶 Access Undenied on AWS Ermetic’s Noam Dahan describes a cool new tool, Access Undenied, which parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable least privilege fixes. See Noam’s fwd:cloudsec talk on it here and Twitter thread here. https://ermetic.com/blog/aws/access-undenied-on-aws #aws

🔴 New Privilege Escalation Techniques that Might Compromise Your Google Cloud Platform Some common attack techniques that an attacker can use to exploit your Google Cloud Platform (GCP) environment, gain permissions, and steal information via services like Dataproc, Dataflow, and Composer. https://medium.com/xm-cyber/new-privilege-escalation-techniques-are-compromising-your-google-cloud-platform-3b0ca78e6b6b #gcp

🔷 Cloudy with a Chance of Unclear Mailbox Sync: CrowdStrike Services Identifies Logging Inconsistencies in Microsoft 365 Multiple investigations and testing by the CrowdStrike Services team identified inconsistencies in Azure AD sign-in logs. https://www.crowdstrike.com/blog/crowdstrike-services-identifies-logging-inconsistencies-in-microsoft-365 #azure

🔶 Automated Incident Response and Forensics Framework A framework which aims to facilitate automated steps for incident response and forensics based on the AWS Incident Response White Paper. https://github.com/awslabs/aws-automated-incident-response-and-forensics #aws

🔶🔷🔴 What to look for when reviewing a company's infrastructure A comprehensive guide that provides a structured approach to reviewing the security architecture of a multi-cloud SaaS company and finding its most critical components. https://www.marcolancini.it/2022/blog-cloud-security-infrastructure-review #aws #azure #gcp

🔷 Azure Dominance Paths A comprehensive map of Azure and Azure AD attack paths. https://cloudbrothers.info/en/azure-dominance-paths #azure

🔴 Google Cloud Storage Explorer: Enumerating Google Cloud’s Bucket Access Permissions The 'Google Cloud Platform Storage Explorer' tool crawls all of your Google Cloud projects and detects which have access to all storage data. https://orca.security/resources/blog/google-cloud-platform-storage-explorer #gcp

🔶 Fantastic AWS Hacks and Where to Find Them Getting started in AWS security, and how companies are getting hacked on AWS. You can also check a nice interactive mindmap. https://docs.google.com/presentation/d/1WIg9Zctp7emuEgnehArUEwvkHSpC6JOi7ojejMX6L_s/edit#slide=id.g118f683adf8_0_43 #aws

🔷 A goat in the boat: a look at how Defender for Containers protects your clusters Article exploring and testing Defender for Containers against a vulnerable environment to see what it can detect or prevent. https://guillaumeben.xyz/defender-containers.html #azure

🔶 aws | ClickOops A simple Lambda that monitors your CloudTrail log files to find manual actions taken in your accounts. https://medium.com/cloudandthings/aws-clickoops-1b8cabc9b8e3 #aws

🔷 Abusing Azure Hybrid Workers for Privilege Escalation - Part 1 Azure Hybrid Workers can be configured to use Automation Account "Run as" accounts, which can expose the credentials to anyone with local administrator access to the Hybrid Worker. Since "Run as" accounts are typically subscription contributors, this can lead to privilege escalation from multiple Azure Role-Based Access Control (RBAC) roles. https://www.netspi.com/blog/technical/cloud-penetration-testing/abusing-azure-hybrid-workers-for-privilege-escalation #azure

🔶 Why Step Functions is the Best AWS Service You Are Not Using Using Serverless AWS Step Functions To Accelerate FedRAMP Moderate ATO. https://itnext.io/why-step-functions-is-the-best-aws-service-you-are-not-using-4f3c133d7d0d #aws

🔷 Abusing Family Refresh Tokens for Unauthorized Access and Persistence in Azure Active Directory Undocumented functionality in Azure Active Directory allows a group of Microsoft OAuth client applications to obtain special "family refresh tokens", which can be redeemed for bearer tokens as any other client in the family. https://github.com/secureworks/family-of-client-ids-research #azure

🔷 Escalating from Logic App Contributor to Root Owner in Azure Having Contributor access to an Azure Resource Manager (ARM) API Connection would allow you to create arbitrary role assignments as the connected user. This was supposed to be limited to actions at the Resource Group level, but an attacker could escape to the Subscription or Root level with a path traversal payload. https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-logic-app-contributor-escalation-to-root-owner #azure