CloudSec Wine

🔶 Data exfiltration with native AWS S3 features A deep dive on different options for abuse of legitimate S3 features with the end goal of data exfiltration, so to better understand the shortcomings of native AWS logging and monitoring tooling, and to offer some suggestions for how to go about detecting their use and abuse. https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 #aws

🔷 2023 identity security trends and solutions from Microsoft Microsoft has published a very good summary about AzureAD security trends in 2023 which considered post authentication attacks. https://www.microsoft.com/en-us/security/blog/2023/01/26/2023-identity-security-trends-and-solutions-from-microsoft #azure

🔴 Incident Response in Google Cloud: Forensic Artifacts This article examines forensic artifacts available in GCP and provides recommendations for triage and prioritization. https://blog.sygnia.co/incident-response-in-google-cloud-forensic-artifacts #gcp

🔶 AWS Could Do More About SSO Device Auth Phishing Great overview by Rami McCarthy about SSO device auth phishing, what AWS should and could do, and what you can do to protect your org. https://ramimac.me/aws-device-auth #aws

🔴 GoogleCloudPlatform/security-response-automation Take automated actions on your GCP Security Command Center findings, like: - Automatically create disk snapshots to enable forensic investigations. - Revoke IAM grants that violate your desired policy. - Notify other systems such as PagerDuty, Slack or email. https://github.com/GoogleCloudPlatform/security-response-automation #gcp

🔶 awslabs/iam-roles-anywhere-session This package provides an easy way to create a refreshable boto3 Session with AWS Roles Anywhere. https://github.com/awslabs/iam-roles-anywhere-session #aws

🔶🔴 Provisioning Kubernetes clusters on AWS/GCP with Terraform Learn how you can leverage Terraform and GKE or EKS to provision identical clusters for development, staging and production environments with a single click. https://learnk8s.io/terraform-gke #aws #gcp

🔶 Tampering User Attributes In AWS Cognito User Pools Post explaining AWS Cognito User Attributes tampering and introducing a free lab to experiment with. https://blog.doyensec.com/2023/01/24/tampering-unrestricted-user-attributes-aws-cognito.html #aws

🔷 EmojiDeploy: Smile! Your Azure web service just got RCE’d A remote code execution vulnerability affecting Azure cloud services and other cloud sovereigns including Function Apps, App Service and Logic Apps. https://ermetic.com/blog/azure/emojideploy-smile-your-azure-web-service-just-got-rced #azure

🔷 Azure Active Directory Flaw Allowed SAML Persistence A vulnerability in Azure Active Directory (Azure AD) allowed a user to retain access to a targeted Security Assertion Markup Language (SAML) application. https://www.secureworks.com/research/azure-active-directory-flaw-allowed-saml-persistence #azure

🔶 AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass The Datadog Security Research Team identified a method to bypass CloudTrail logging for specific IAM API requests via undocumented APIs. This technique would allow an adversary to perform reconnaissance activities in the IAM service after gaining a foothold in an AWS account, without leaving any trace of their actions in CloudTrail. https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass #aws

🔷 Unauthenticated SSRF Vulnerability on Azure Functions How the Orca Security team uncovered an SSRF Vulnerability in the Azure Functions app, allowing any unauthenticated user to request any URL by abusing the server. https://orca.security/resources/blog/ssrf-vulnerabilities-azure-functions-app #azure

🔴 SSH key injection in Google Cloud Compute Engine A bug which had the impact of a single-click RCE in a victim user's Compute Engine instance. https://blog.stazot.com/ssh-key-injection-google-cloud #gcp

🔶 Cedar: A new policy language Cedar is a new language created by AWS to define access permissions using policies, similar to the way IAM policies work today. This post explains both why this language was created and how to author policies with it. https://onecloudplease.com/blog/cedar-a-new-policy-language #aws

🔶 Detecting Anomalous AWS Sessions From Temporary Credentials - 1 of 2 Learn about short-term access keys (unofficially also known as temporary tokens or temporary credentials) in AWS, and how they can be compromised. https://www.uptycs.com/blog/detecting-anomalous-aws-sessions-temporary-credentials #aws

🔶🔷🔴 Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident Learn how to detect malicious persistence techniques in AWS, GCP, and Azure after potential initial compromise, like with the CircleCI incident. https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide #aws #azure #gcp

🔶 SES-pionage What do attackers do with exposed AWS access keys? This blog looks inside AWS SES to give deeper insights into the service, why & how its targeted and how to detect it. https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse #aws

🔶 AWS Phishing: Four Ways Post looking at some common phishing tactics in AWS: Credential Phishing, Device Authentication Phishing, CloudFormation Stack Phishing, and ACM Email Validation Phishing. https://ramimac.me/aws-phishing #aws

🔶 Taking The New Secrets Manager Lambda Extension For a Spin Aquia’s Dakota Riley compares the performance of the Secrets Manager Lambda Extension vs using the SDK directly for secrets retrieval. https://blog.aquia.us/blog/2023-01-01-secrets-manager-lambda-extension #aws

🔶 Cloud penetration testing: Not your typical internal penetration test A funny post where the author shares the stages of ignorance and awareness they encountered, so to help others progress through the early stages more quickly than they did. https://sethsec.blogspot.com/2022/12/cloud-penetration-testing-not-your.html?m=1 #aws