Release Date: 29/09/2024 | Issue: 257
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Join Permiso Security and IDSA on October 16th for a webinar to discuss How LUCR-3 (Scattered Spider) Orchestrates Identity-Based Attacks Across Environments
In this webinar, Ian Ahl, SVP of P0 Labs at Permiso, shares his point of view on the advanced threat actors that are compromising the identity infrastructure of some of the largest organizations in the world with ease. Upon gaining access to the identity provider, they are able to move laterally into IaaS, PaaS, and SaaS environments and steal data – all in the course of 2-3 days.

This week's articles


Securing Your Contingent Workers With Zero Trust
How to secure your contingent workers with modern workforce security practices.   #defend   #iam   #strategy


A few notes on AWS Nitro Enclaves: Attack surface
Trail of Bits have scrutinized the attack surface of AWS Nitro Enclaves, uncovering potential bugs that could compromise even these hardened environments.   #attack   #aws


Hacking misconfigured Cloudflare R2 buckets: a complete guide
Post covering the most common security misconfigurations in Cloudflare R2 buckets that developers often make.   #attack   #cloudflare


Gaining AWS Persistence by Updating a SAML Identity Provider
If an attacker has permissions to replace the metadata, they can add a metadata document from an IdP they control. After doing this, they'll be able to assume the roles that trust this identity provider.   #attack   #aws   #iam


Tracking cloud-fluent threat actors - Part one: Atomic cloud IOCs
Strategies for tracking and defending against malicious activity and threats in the cloud using atomic indicators of compromise (IOCs).   #defend   #monitor


CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
Tenable Research discovered a remote code execution (RCE) vulnerability in GCP that could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool.   #attack   #gcp   #supply-chain


Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz
Palo Alto has been monitoring a widely popular phishing-as-a-service (PhaaS) platform named Sniper Dz that primarily targets popular social media platforms and online services.   #attack   #saas


Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale
Analyzing a campaign where a threat actor leveraged Docker Swarm and Kubernetes to mine cryptocurrency.   #attack   #containers   #kubernetes


Backdooring Azure Automation Account Packages and Runtime Environments
This article explores techniques for backdooring Azure Automation Account packages and runtime environments. It covers creating malicious packages, exploiting package dependencies, and manipulating runtime environments to gain persistent access and execute arbitrary code within Azure Automation Accounts.   #attack   #azure

Level Up Your Cloud Security Career

Ready to boost your Cloud Security career?
📙 The CloudSec Engineer gives you actionable, no-nonsense advice from my own personal experience.
Whether you’re breaking into the field, moving to senior levels, or eyeing leadership roles, you’ll find practical tips to guide your path. Get the knowledge you need—plus bonus tools to organize your learning, interviews, and more.

Tools


cloud-init
Cloud-init is the industry standard multi-distribution method for cross-platform cloud instance initialization.


CloudShovel
A tool for scanning public or private AMIs for sensitive files and secrets.


entra-id-terraform
Examples of various Entra ID scenarios in Terraform.


pipreqs
Generate pip requirements.txt file based on imports of any project.

From the cloud providers


#AWS   Managing identity source transition for AWS IAM Identity Center
Post walking through the process of switching from one identity source to another and providing sample code that you can use to assist with the transition.


#AWS   AWS CloudTrail launches network activity events for VPC endpoints
With network activity events for VPC endpoints, you can view details of who is accessing resources within your network, giving you greater ability to identify and respond to malicious or unauthorized actions in your data perimeter.


#GCP   Autokey overview
Cloud KMS Autokey simplifies creating and using customer-managed encryption keys (CMEKs) by automating provisioning and assignment.


#GCP   How to get started with automatic password rotation on Google Cloud
Google released a generic design to automate password rotation on Google Cloud.


#GCP   How to prevent account takeovers with new certificate-based access
Google announced the general availability of certificate-based access in their Identity and Access Management portfolio.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini