Intro
Welcome, dear listeners. I’m Viktor, your host, and on a weekly basis I will share news, articles, techniques and tools related to Cloud, SaaS and IaaC security. All the URLs for the news, articles and tools can be found here: https://www.buzzsprout.com/1844597 and http://blackwombat.com .
Articles
Azure AD Pass The Certificate – https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597
In this blog post Mor provides a network behaviour analysis of the new authentication mechanism between two Azure AD joined machines, and also explains what an Azure AD P2P certificate is and how it is generated.
Automated response to C2 traffic on your devices – https://cloudbrothers.info/en/automated-response-c2-traffic-devices/
In this article Fabian uses the Feodo Tracker, a list of IP addresses associated with malware command-and-control servers, to show two ways to detect and/or block connections from your MDE-protected endpoints to those addresses.
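The detection half of that idea, matching endpoint connection events against a C2 IP blocklist, as an added example that is not code from Fabian’s article. It assumes the blocklist is in the plain one-address-per-line format with `#` comment lines and also accepts CIDR entries; the blocklist contents and the MDE-style connection events below are constructed samples using documentation address ranges, not real indicators.

```python
"""Match endpoint network-connection events against a C2 IP blocklist.

Added example: not code from the article or from MDE. Assumes a plain
text blocklist (one IP or CIDR per line, '#' comments), which is the shape
of the Feodo Tracker IP blocklist as I understand it (assumption).
"""
import ipaddress

# Constructed sample blocklist. Addresses are RFC 5737 documentation
# ranges, not real indicators.
SAMPLE_BLOCKLIST = """\
# C2 IP blocklist (constructed sample)
# one address or network per line
192.0.2.10
198.51.100.77
203.0.113.0/24
"""

# Constructed sample connection events, shaped loosely like MDE
# DeviceNetworkEvents rows (Timestamp, DeviceName, RemoteIP, RemotePort).
SAMPLE_EVENTS = [
    {"Timestamp": "2021-11-07T10:01:00Z", "DeviceName": "ws01",
     "RemoteIP": "192.0.2.10", "RemotePort": 443},
    {"Timestamp": "2021-11-07T10:01:05Z", "DeviceName": "ws01",
     "RemoteIP": "93.184.216.34", "RemotePort": 443},
    {"Timestamp": "2021-11-07T10:02:00Z", "DeviceName": "srv02",
     "RemoteIP": "203.0.113.45", "RemotePort": 8080},
    {"Timestamp": "2021-11-07T10:03:00Z", "DeviceName": "srv02",
     "RemoteIP": "not-an-ip", "RemotePort": 80},
]


def parse_blocklist(text):
    """Return ip_network objects; comments, blank lines and bad entries are skipped.

    Single addresses become /32 (or /128) networks so one membership test
    covers both plain IPs and CIDR ranges.
    """
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # A malformed feed line should not abort the whole match run.
            continue
    return networks


def match_events(events, networks):
    """Return the events whose RemoteIP falls inside any blocklisted network.

    Each hit is the original event plus an 'Indicator' field naming the
    matching network, which is what an analyst needs to pivot on.
    """
    hits = []
    for event in events:
        try:
            addr = ipaddress.ip_address(event["RemoteIP"])
        except ValueError:
            continue   # unparseable RemoteIP (e.g. hostname); skip, do not crash
        for net in networks:
            if addr.version == net.version and addr in net:
                hits.append({**event, "Indicator": str(net)})
                break
    return hits


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_BLOCKLIST)
    for hit in match_events(SAMPLE_EVENTS, nets):
        print(f"{hit['Timestamp']} {hit['DeviceName']} -> {hit['RemoteIP']}:"
              f"{hit['RemotePort']} matched {hit['Indicator']}")
```

Matching on the endpoint telemetry side is the cheap part; the feed should be refreshed on a schedule and the match should emit an alert rather than a print in a real pipeline. The blocking approaches in the article use MDE features that this snippet does not reproduce.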
Free Download: Hacking Kubernetes – https://control-plane.io/hackingkubernetes/
Half of the Hacking Kubernetes book can be downloaded for free.
Deploy and monitor Azure Key Vault honeytokens with Azure Sentinel — https://docs.microsoft.com/en-us/azure/sentinel/monitor-key-vault-honeytokens?tabs=deploy-at-scale
This article describes how to use the Azure Sentinel Deception (Honey Tokens) Solution to plant decoy Azure Key Vault keys and secrets, called honeytokens, into existing workloads. Use the analytics rules, watchlists, and workbooks provided by the solution to monitor access to the deployed honeytokens.
AWS IAM Privilege Escalation Techniques – https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/
A list of AWS IAM privilege escalation techniques, each with a short description of why it is dangerous.
Evolving Zero Trust—Lessons learned and emerging trends – https://www.microsoft.com/security/blog/2021/11/03/evolving-zero-trust-lessons-learned-and-emerging-trends/
Microsoft published a new whitepaper, Evolving Zero Trust, to share the key lessons they learned by embracing Zero Trust at Microsoft and supporting thousands of organizations in their Zero Trust deployments. They also share the evolution of their recommended Zero Trust architecture and maturity model, which has been informed by these insights.
Multi-Cloud Security Posture Management in Microsoft Defender for Cloud – https://samilamppu.com/2021/11/04/multi-cloud-security-posture-management-in-microsoft-defender-for-cloud/
This is the fourth part of the ‘Multi-Cloud Security Monitoring & Posture Management’ blog series; this part focuses on the ‘continuously assess’ and ‘secure’ pillars, which are categorized as cloud security posture management.
A Kubeconfig Canarytoken – https://blog.thinkst.com/2021/11/a-kubeconfig-canarytoken.html
Kubeconfig files are attractive to attackers and are already hunted for during active campaigns. With a few clicks on https://canarytokens.org they give you a kubeconfig that will alert you when it’s used. Grab a few and sprinkle them around. It’s free, and “it just works”.
Meet Ottr: A Serverless Public Key Infrastructure Framework – https://medium.com/airbnb-engineering/meet-ottr-a-serverless-public-key-infrastructure-framework-f6580010ae0c
Ottr is a serverless Public Key Infrastructure framework that handles end-to-end certificate rotations without the use of an agent. The purpose of the blog is to provide an overview of Ottr with a sample reference architecture, logical and network flows, and to highlight the benefits of the solution. For installation instructions, skip to the Open Source section of the article.
The Most Common Cloud Misconfigurations That Could Lead to Security Breaches – https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/the-most-common-cloud-misconfigurations-that-could-lead-to-security-breaches
Trend Micro used their Conformity data and looked at the top 10 Amazon Web Services (AWS) and Microsoft Azure services with the highest misconfiguration rates with regard to the implementation of Cloud Conformity rules.
Kubernetes API Access Security Hardening – https://goteleport.com/blog/kubernetes-api-access-security
The article says: This post primarily focuses on recipes and best practices concerning API access control hardening in the Kubernetes cluster. If you want to implement strong authentication and authorization in the Kubernetes cluster you manage, this post is for you. Even if you use managed Kubernetes services like AWS EKS or GCP Kubernetes Engine, this guide should help you understand how access control works internally, which will help you plan better for overall Kubernetes security.
The 2 limits of Google Cloud IAM – https://www.iampulse.com/t/the-2-limits-of-google-cloud-iam
The article discusses the IAM limitations affecting App Engine and private Cloud Functions and Cloud Run.
Semgrep and Terraform: security scans for more infrastructure-as-code – https://r2c.dev/blog/2021/semgrep-fall-2021-updates/
Semgrep now supports Terraform and its HCL language, in addition to the Kubernetes, docker-compose, GitHub Actions and AWS policy formats it already supported.
Two NPM Packages With 22 Million Weekly Downloads Found Backdoored – https://thehackernews.com/2021/11/two-npm-packages-with-22-million-weekly.html
Yet another instance of a supply chain attack targeting open-source software repositories: coa and rc, two popular NPM packages with cumulative weekly downloads of nearly 22 million, were found to contain malicious code after attackers gained unauthorized access to the respective developers’ accounts.
Fun with unicode – messing with output – https://raesene.github.io/blog/2021/11/06/fun-with-unicode/
Rory’s article about the potential risks of right-to-left (RTL) Unicode characters in Kubernetes manifest files.
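A defender-side check for that risk, as an added example that is not code from Rory’s article: a scanner that flags Unicode bidirectional control characters in a manifest, so a reviewer learns about a right-to-left override before the file reaches the cluster. It goes slightly beyond the article’s RTL case by also flagging zero-width and other invisible code points, which cause the same “what you see is not what is applied” problem. The manifest below is a constructed sample.

```python
"""Scan Kubernetes manifests for Unicode bidi control and invisible characters.

Added example, not code from the article. Any of these code points in a
manifest is suspicious: terminals, editors and diff viewers render the
text differently from the bytes the API server actually receives.
"""
import sys
import unicodedata

# Direction-changing controls: ALM, LRM, RLM, the embedding/override set
# (LRE, RLE, PDF, LRO, RLO) and the isolate set (LRI, RLI, FSI, PDI).
BIDI_CONTROLS = {0x061C, 0x200E, 0x200F,
                 *range(0x202A, 0x202F),
                 *range(0x2066, 0x206A)}
# Zero-width and joiner characters plus the byte-order mark, which are
# invisible in most renderers but change the string the cluster sees.
INVISIBLE = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
SUSPICIOUS = BIDI_CONTROLS | INVISIBLE

# Constructed sample manifest: the image reference contains a
# RIGHT-TO-LEFT OVERRIDE (U+202E) so a terminal displays the rest of the
# line reversed while the API server receives the literal characters.
SAMPLE_MANIFEST = (
    "apiVersion: v1\n"
    "kind: Pod\n"
    "metadata:\n"
    "  name: demo\n"
    "spec:\n"
    "  containers:\n"
    "  - name: app\n"
    "    image: registry.example/\u202etsetal:ppa\n"
)


def scan_text(text):
    """Return findings as (line_no, col_no, 'U+XXXX', unicode_name) tuples.

    Line and column are 1-based so they can be quoted straight into a review
    comment or a CI annotation.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col_no, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in SUSPICIOUS:
                name = unicodedata.name(ch, "UNKNOWN")
                findings.append((line_no, col_no, f"U+{cp:04X}", name))
    return findings


def scan_file(path):
    """Scan one manifest file on disk (UTF-8) and return its findings."""
    with open(path, encoding="utf-8") as fh:
        return scan_text(fh.read())


def report(findings, label):
    """Print findings for one manifest in a grep-like format."""
    for line_no, col_no, cp, name in findings:
        print(f"{label}:{line_no}:{col_no}: {cp} {name}")


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        report(scan_text(SAMPLE_MANIFEST), "sample-manifest")
    else:
        for p in paths:
            report(scan_file(p), p)
```

Run it with manifest paths as arguments, or with none to scan the embedded sample; wiring it into a pre-commit hook or CI step that fails on any finding is the natural place for it, since the whole point is that a human looking at rendered output will not see the problem.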
Tools
Sentinel-Queries – https://github.com/reprise99/Sentinel-Queries
A repository containing Microsoft Sentinel queries related to M365, Azure AD, Key Vault and more.
Helm-scanner – https://github.com/bridgecrewio/helm-scanner
This is a work-in-progress codebase designed to automate discovering, templating and security scanning publicly available Helm charts, then recording the results and providing easy access to them.
If you just want to scan your own Helm charts or Kubernetes manifests, and are not looking to collect and analyse data across thousands of public charts, you can use checkov.io directly.
Outro
That’s all for this episode. Thank you for listening and have a secure day!