8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur

Surprise surprise, we've done it again. We've demonstrated an ability to compromise significantly sensitive networks, including governments, militaries, space agencies, cyber security companies, supply chains, software development systems and environments, and more. “Ugh, won’t they just stick to creating poor-quality memes?” we hear you moan. Maybe we should, maybe

watchTowr Labs

@Viss

This reminds me of the brouhaha when a military base overseas had someone just selling old hard drives in the bazaar without doing a proper wipe/degauss...

S3 has just made automating that by not doing the right thing easy.

sigh...

@Viss JFC. The Corp I work for is currently moving to cloud. 4k-ish servers. Why? Who the fuck knows. It's a clusterfuck doing the move, and shit will get missed and we will be compromised. But, as long as the checks clear...
@Lightfighter want help?
@Viss I'm way too small a tail to wag a Fortune 200 dog. And we are half way through the transition. Just a very different world than I'm used to.
@Lightfighter it was worth a shot :D
@Viss I appreciate it. Just bitching. It's a mess of on-prem, Azure Entra, GCP hosting. I'm on the AD team, but the Entra and GCP IAM teams are doing their own things. And we just recovered from a ransomware attack last year, but haven't remediated everything yet because everyone is busy with move to cloud.
@Lightfighter I guess one tip would be to get all the hostnames for all your stuff and make sure none of that shit is publicly listening on 389. A couple years ago I got up on stage at HackCon in Oslo and ran some ps1 that swept the entire MS .no datacenter space and tickled Entra. I got usernames, groups, printers, etc., which is 'below default security for Entra', meaning people disabled default shit.
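The port-389 sweep suggested in the post above, as an added example in Python. It is not @Viss's PowerShell and not code from this thread: it connects to each hostname on 389, sends an anonymous LDAPv3 simple bind, and decodes the BindResponse result code, handling BER long-form lengths so that the long diagnostic strings a server may return do not break framing. The hostnames and the sample responses are constructed. One caveat a practitioner needs: an Active Directory domain controller accepts an anonymous bind by default and only exposes rootDSE to it unless the dsHeuristics anonymous-access flag has been set, so "bind accepted" is the lead to follow up with a search, not proof of the kind of listing described above.

```python
import socket

LDAP_PORT = 389

# Constructed: an LDAPv3 anonymous simple BindRequest (RFC 4511 section 4.2),
# messageID 1, version 3, empty DN, empty simple credentials.
#   30 0c            LDAPMessage SEQUENCE
#     02 01 01       messageID = 1
#     60 07          [APPLICATION 0] BindRequest
#       02 01 03     version = 3
#       04 00        name = "" (anonymous)
#       80 00        simple authentication, empty password
ANON_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")

RESULT_NAMES = {0: "success (anonymous bind accepted)", 1: "operationsError",
                7: "authMethodNotSupported", 8: "strongerAuthRequired",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                53: "unwillingToPerform"}


def ber_len(buf, pos):
    """Decode a BER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one octet
        return first, pos + 1
    n = first & 0x7F                      # long form: n following octets
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def ber_encode_len(n):
    """Encode a BER length (used here only to build sample responses)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_bind_response(result_code, diagnostic=b""):
    """Constructed BindResponse for offline testing; same layout a server sends."""
    body = bytes([0x0A, 0x01, result_code]) + b"\x04\x00"           # resultCode, matchedDN ""
    body += b"\x04" + ber_encode_len(len(diagnostic)) + diagnostic  # diagnosticMessage
    op = b"\x61" + ber_encode_len(len(body)) + body                 # [APPLICATION 1] BindResponse
    inner = b"\x02\x01\x01" + op                                    # messageID 1
    return b"\x30" + ber_encode_len(len(inner)) + inner


def parse_bind_response(buf):
    """Return the resultCode of a BindResponse LDAPMessage; raise on anything else."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, pos = ber_len(buf, 1)
    if buf[pos] != 0x02:
        raise ValueError("missing messageID")
    length, pos = ber_len(buf, pos + 1)
    pos += length                                   # skip the messageID value
    if buf[pos] != 0x61:
        raise ValueError("protocolOp is not a BindResponse (tag 0x%02x)" % buf[pos])
    _, pos = ber_len(buf, pos + 1)
    if buf[pos] != 0x0A:
        raise ValueError("missing resultCode")
    length, pos = ber_len(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big")


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data


def recv_ldap_message(sock):
    """Read one BER-framed LDAPMessage: tag, length field, then exactly that many bytes."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:                              # long-form length: fetch its octets
        head += _recv_exact(sock, head[1] & 0x7F)
    length, _ = ber_len(head, 1)
    return head + _recv_exact(sock, length)


def check_anonymous_ldap(host, timeout=3.0):
    """Return (port_open, result_code). result_code is None if 389 is closed/filtered
    or the peer did not answer with a parseable BindResponse."""
    try:
        sock = socket.create_connection((host, LDAP_PORT), timeout=timeout)
    except OSError:
        return False, None
    with sock:
        try:
            sock.sendall(ANON_BIND_REQUEST)
            return True, parse_bind_response(recv_ldap_message(sock))
        except (OSError, ValueError):
            return True, None


if __name__ == "__main__":
    # Constructed hostnames: replace with the list from your own inventory.
    for host in ["dc01.corp.example", "ldap.corp.example"]:
        is_open, code = check_anonymous_ldap(host)
        if is_open:
            print("%s: 389 open, anonymous bind -> %s" % (host, RESULT_NAMES.get(code, code)))
        else:
            print("%s: 389 not reachable" % host)
```

Run it from outside your perimeter against every hostname you can enumerate; a result of "389 open" from the Internet is the finding regardless of the bind result, and a 0 (success) tells you to follow up with an anonymous rootDSE and subtree search to see what is actually readable.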
@Viss @Lightfighter One of my past client's move to Azure was so poorly planned, they were speed running YouTube tutorials from randos in order to hit unrealistic deadlines. I don't think ButtSniffer69's videos are of enterprise quality.
@Viss I'm monitoring what the cowboys in Entra are doing. Working on pulling the GCP audit logs. I'm going from contracted LogRhythm SME to IAM team member in charge of certs and PKI and tech lead for the AD sysadmins. No network diagrams, SNow as the inventory (nearly worthless), so I have my work cut out for me. On the positive side, there are some great people trying to make things right.
@Lightfighter you're gonna be busy :D
@Viss These days, as long as I'm employed, I'm good.
@Lightfighter @Viss I helped a very large US telco move to the cloud a few years back. Tens of thousands of VMs as well as native cloud workloads. They always knew better than us. They mistook bureaucracy for governance and they had a rude awakening. Unfortunately most companies don't move to the cloud because it's better or cheaper but because it supports their CapEx/OpEx initiatives. Any problems will be for the next CEO to fix. Sales teams have that playbook down solid!
@Viss This is great stuff. Two things that I don't understand -- maybe they said and I missed it...
- How did they get the list of deleted bucket names to attack?
- Why does Amazon even make it possible to re-register a deleted bucket? These URLs aren't valuable/rare real estate like domain names.

@jwz They intentionally didn't say, because if they did there would immediately be copycats doing terrible things. They mentioned that they wrote a custom tool called 'kidwithafork' and basically lampshade that and move on immediately.

And Amazon does a ton of weird shit. Last I heard how their CloudFront WAF works, it's just some Python glue and nabbing some random IP blocklists. My colo network landed on one somehow and I had to chase it down. Swooping S3 bucket names has been a thing for a while.
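A check for the bucket-name problem @jwz asks about above, as an added Python example that is not watchTowr's tool and not code from this thread: it pulls every S3 bucket reference (s3:// URIs, virtual-hosted and path-style URLs including the legacy s3-region endpoints, and S3 ARNs) out of config or source text and reports names that are not in your own bucket inventory, which is exactly the set an outsider could re-create if the original was deleted. It also includes a live HEAD probe that tells an unclaimed name from one that exists. The sample config and the owned-bucket list are constructed; the 404/403/301 meanings are S3's documented responses, and the parser assumes current bucket-naming rules (legacy us-east-1 names with uppercase or underscores would be missed).

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumption: current naming rules (3-63 chars of lowercase letters, digits, dots,
# hyphens). Legacy us-east-1 buckets with uppercase/underscores are not matched.
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Anything that can carry a bucket name: s3:// URIs, http(s) URLs, S3 ARNs.
REF_RE = re.compile(r"""(?:s3|https?)://[^\s'"<>)\]]+|arn:aws:s3:::[^\s'"<>)\]]+""", re.I)


def bucket_from_reference(ref):
    """Return the bucket name an S3 URI/URL/ARN refers to, or None if it is not one."""
    ref = ref.lower().rstrip(".,;")
    if ref.startswith("s3://"):
        name = ref[5:].split("/", 1)[0]
    elif ref.startswith("arn:aws:s3:::"):
        name = ref[len("arn:aws:s3:::"):].split("/", 1)[0]
    else:
        u = urlparse(ref)
        host = u.hostname or ""
        if not host.endswith(".amazonaws.com"):       # also rejects bucket.s3.amazonaws.com.evil.example
            return None
        labels = host.split(".")
        # The service label is "s3" or a legacy/feature form such as "s3-us-west-2",
        # "s3-accelerate", "s3-website-eu-west-1". Labels before it are the bucket
        # (virtual-hosted style); with none, the bucket is the first path segment (path-style).
        idx = next((i for i, l in enumerate(labels) if l == "s3" or l.startswith("s3-")), None)
        if idx is None:
            return None
        name = ".".join(labels[:idx]) if idx > 0 else u.path.lstrip("/").split("/", 1)[0]
    return name if BUCKET_NAME.match(name) else None


def referenced_buckets(text):
    """Deduplicated bucket names referenced anywhere in text (config, code, logs, docs)."""
    return {b for b in (bucket_from_reference(m.group(0)) for m in REF_RE.finditer(text)) if b}


def dangling_references(text, owned):
    """Referenced bucket names that are not in your own inventory, sorted for reporting."""
    return sorted(referenced_buckets(text) - set(owned))


def bucket_state(name, timeout=5.0):
    """Live check (network; not exercised offline). Path-style HEAD on the global endpoint:
    S3 answers 404 NoSuchBucket when no account owns the name (anyone can create it),
    403 when it exists but is not readable by you, 301 when it exists in another region,
    200 when it exists and is readable."""
    req = urllib.request.Request("https://s3.amazonaws.com/%s/" % name, method="HEAD")
    try:
        urllib.request.urlopen(req, timeout=timeout)
        return "exists"
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return "unclaimed"
        if e.code in (301, 403):
            return "exists"
        return "unknown (HTTP %d)" % e.code


# Constructed sample: an installer/updater config for a made-up product.
SAMPLE_CONFIG = """
update_url = https://acme-updates.s3.amazonaws.com/latest/agent.msi
fallback   = https://s3-eu-west-1.amazonaws.com/acme-legacy-cdn/agent.msi
docs       = https://acme-docs.example.com.s3.us-east-1.amazonaws.com/index.html
terraform  = arn:aws:s3:::acme-tfstate/prod.tfstate
logs       = s3://acme-logs/2024/
not_s3     = https://ec2.us-east-1.amazonaws.com/?Action=DescribeInstances
"""

# Constructed inventory: what `aws s3api list-buckets` returns across your accounts.
OWNED = {"acme-updates", "acme-tfstate", "acme-logs"}


if __name__ == "__main__":
    for name in dangling_references(SAMPLE_CONFIG, OWNED):
        print("not in inventory: %s" % name)
        # Uncomment to probe live; "unclaimed" means anyone can register the name today.
        # print("  state: %s" % bucket_state(name))
```

Feed it everything that ships to customers or runs unattended (installer configs, update manifests, CI scripts, IaC state, old documentation), not just the live account: the dangerous references are the ones in artifacts that outlived the bucket.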

@Viss I can’t believe I read that whole thing. It just kept going! I don’t know what to think coming out of that. I’m thinking this whole computer thing was a mistake. 😆