sethsec

@sethsec@infosec.exchange
Senior Security Advocate @ Datadog. Former Principal and Cloud Penetration Testing lead @BishopFox. I like to build, break, learn, and share. 
CloudFox, Cloudfoxable, BadPods, IAM Vulnerable
CloudFox: https://github.com/BishopFox/cloudfox
IAM Vulnerable: https://github.com/BishopFox/iam-vulnerable
Bad Pods: https://github.com/BishopFox/badpods
LinkedIn: https://www.linkedin.com/in/sethart/
Blogger: https://sethsec.blogspot.com/

Need to get code execution on thousands of cloud customers? What about on internal AWS systems? Datadog Security Research found that a number of tools, including one published by AWS, are susceptible to name confusion attacks, leading to arbitrary execution in vulnerable environments!

https://securitylabs.datadoghq.com/articles/whoami-a-cloud-image-name-confusion-attack/

whoAMI: A cloud image name confusion attack | Datadog Security Labs

Detailing the discovery and impact of the whoAMI cloud image name confusion attack, which could allow attackers to execute code within AWS accounts due to a vulnerable pattern in AMI retrieval.

An interesting post on Datadog's security lab about an attacker who tries to use #Kubernetes and #Docker APIs to move.

What caught my eye is that the attacker is trying to use the Kubelet API, which might be an attempt to evade Kubernetes audit logging as that doesn't apply there...

https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/

Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale | Datadog Security Labs

Analyzing a campaign where a threat actor leveraged Docker Swarm and Kubernetes to mine cryptocurrency

CloudFox v.1.13.0 is out with 2 new AWS commands and a bunch of updates.

* The new workloads command looks at EC2, Lambda, and ECS and highlights any workload that has an admin role attached, as well as any role that can privesc to admin!

* The new api-gws command contributed by Wyatt Dahlenburg finds all API gw endpoints and crafts custom curl commands for you with any API keys found in the endpoint metadata.

* The env-vars command has been upgraded to help you find secrets stored in environment variables. It highlights interesting variable names and creates a separate output file with just the interesting items.

* The role-trusts command has been upgraded to help you find overly permissive role trusts, particularly those that trust :root, without an ExternalID.

https://github.com/BishopFox/cloudfox

#cloudfox #cloudsecurity

GitHub - BishopFox/cloudfox: Automating situational awareness for cloud penetration tests.

“Recently, one of our pen testers found a bastion host during an #Azure assumed-breach #pentest. We were given the credentials of an employee within Azure Active Directory. The pen tester was able to log into SSH with Azure #ActiveDirectory credentials. So, he got onto the bastion host, which was a #Linux box. One of the users on that box made their home directory world readable for everyone. He rifled through that user’s directory and found credentials for Snowflake, a third-party database service. He used those credentials to connect to the 3rd-party provider and gained access to production #data.” - @sethsec on a recent episode of the Cloud Security Podcast.

https://bfx.social/3sr7t2i

Cloud Security Podcast Featuring Seth Art: Network Pentest 2.0

Learn about cloud security and cloud penetration testing in Seth Art's, principal security consultant at Bishop Fox, interview with Cloud Security Podcast.

Last week, we highlighted a recent @cloudsecpod episode featuring @sethsec. This week, we’re focusing on another episode where Seth walks through the distinctions of #network #pentesting.

Check out the recap at our blog. https://bfx.social/3sr7t2i

Get a crash course into the world of #AWS cloud security in this interview with @sethsec and @hashishrajan of @cloudsecpod.

Expect insights into the differences between #cloud penetration testing and other forms of #penetrationtesting, how to ensure AWS cloud #pentesting is effective, and more.

https://bfx.social/49iQ6RZ

Cloud Security Podcast Featuring Seth Art: Cloud Pentest of AWS

Hear insights from Seth Art on how AWS cloud penetration testing improves cloud security and why cloud configuration reviews are not always enough.

When creating the vulnerable #AWS environment CloudFoxable, @sethsec drew inspiration from other #security tools like #CloudGoat, flaws.cloud, and #Metasploitable. CloudFoxable provides flags and attack paths in a #CTF format. Check out how the challenges work in the write-up! https://bfx.social/462AtfN
CloudFoxable

Have you added CloudFoxable to your playground #AWS account? This tool by @sethsec is built to help #pentesters with AWS #Cloud testing, while showcasing CloudFox’s capabilities that help locate latent #attackpaths. It is inspired by #CloudGoat, flaws.cloud, and #Metasploitable. https://bfx.social/43T4dtK
Introducing CloudFoxable: A Gamified Cloud Hacking Sandbox

Introducing CloudFoxable, an intentionally vulnerable AWS environment to learn AWS cloud pen testing with CloudFox to help you find latent attack paths.

You already know #CloudFox, now meet CloudFoxable created by Bishop Fox Cloud Security Practice Lead @sethsec! This tool is an intentionally vulnerable #AWS environment created to teach the art of AWS #Cloud #pentesting while showcasing CloudFox’s capabilities that can help you locate latent attack paths more effectively. Give it a go and let us know what you think!

https://bfx.social/43T4dtK

CloudFox v1.11.0 Released

📣AWS

New Commands:
- 🦊 resource-trusts
- 🦊 org
- 🦊 codebuild
- 🦊 databases

Updates:
- Default output location changed to ~/.cloudfox/
- Bug fixes for permissions command
- Added function caching to speed things up

https://github.com/BishopFox/cloudfox/releases/tag/v1.11.0

Release v1.11.0 · BishopFox/cloudfox

AWS New Commands resource-trusts - Looks at CodeBuild, ECR, EFS, Lambda, S3, SNS, SQS for any resource policies that might be interesting for a penetration tester org - Checks if an account is in...