Release Date: 29/09/2019 | Issue: 5
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

This week's articles

Container Runtime Security Bypasses on Falco
A blog post describing some of the nuances of auditing Falco during security assessments, and demonstrating how to think through some bypasses. The post goes through common approaches taken while auditing runtime security tools and, as bonus points, even provides a couple of bypasses (for the terminal alert, the sensitive volume alert, and the privileged container alert).

The Path Less Traveled: Abusing Kubernetes Defaults
Slides from the talk @iancoldwater and @mauilion presented at Black Hat USA 2019. Takeaway: 'check your assumptions, neither kubernetes nor the apps deployed on it are secure by default'.

Azure Sentinel is now GA
Azure Sentinel, a cloud-native SIEM that provides intelligent security analytics at cloud scale for enterprises of all sizes and workloads, is now generally available. It is also interesting to read design considerations related to Sentinel.

Container Image Squatting in a Multi-Registry World
Another interesting piece of research by @raesene, this time on attackers squatting on common Docker Hub accounts to try to trick users into pulling malicious images. A process made somewhat easier by the fact that you can register organization names on Some mitigations are provided if you're planning to adopt podman.

Abusing VPC Traffic Mirroring in AWS
PoC script by @rhinosecurity that uses AWS VPC Traffic Mirroring to mirror and exfiltrate network traffic in AWS VPCs. Malicious VPC traffic mirroring can be extremely impactful because network traffic moving around within VPCs often contains sensitive information. The likelihood of malicious VPC traffic mirroring is also very high because there are often large amounts of cleartext traffic flowing through a VPC. One reason for the common use of cleartext traffic is that, before traffic mirroring existed, it was very unlikely that the traffic would be sniffed, so it wasn't considered very risky (think of TLS termination for NLBs). Related script:
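The defensive counterpart to the PoC above is to watch CloudTrail for the EC2 API calls that set mirroring up. The following is an added example, not code from the newsletter or from Rhino Security Labs: it runs over a handful of constructed CloudTrail records (the account id, principal names, IPs and the NetOpsMirroring role are made up for the example; the eventName values are the real EC2 Traffic Mirroring actions) and returns one finding per mirroring call, rated by whether the call actually started a session, whether it succeeded, and whether the principal is one you expect to manage mirroring.

```python
# EC2 API actions that create or change VPC Traffic Mirroring. The action names
# are real EC2 API actions; the severities are this example's own judgement:
# creating a session is the step that actually starts copying packets.
MIRROR_ACTIONS = {
    "CreateTrafficMirrorFilter": "medium",
    "CreateTrafficMirrorFilterRule": "medium",
    "CreateTrafficMirrorTarget": "medium",
    "CreateTrafficMirrorSession": "high",
    "ModifyTrafficMirrorSession": "high",
}

# Constructed sample CloudTrail records (not real data). eventName, eventSource,
# eventTime, errorCode, sourceIPAddress and userIdentity.arn are standard
# CloudTrail fields; the account id, names and IPs are made up for this example.
SAMPLE_RECORDS = [
    {"eventTime": "2019-09-28T10:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2019-09-28T10:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTrafficMirrorTarget", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2019-09-28T10:06:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTrafficMirrorSession", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2019-09-28T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTrafficMirrorSession", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/NetOpsMirroring/pipeline"}},
    {"eventTime": "2019-09-28T12:00:13Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTrafficMirrorSession", "errorCode": "Client.UnauthorizedOperation",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]

# Principals expected to manage mirroring, e.g. the team running a legitimate
# traffic-analysis pipeline. The role name is hypothetical.
EXPECTED_PRINCIPAL_PREFIXES = (
    "arn:aws:sts::111122223333:assumed-role/NetOpsMirroring/",
)


def find_traffic_mirroring_events(records, expected_prefixes=EXPECTED_PRINCIPAL_PREFIXES):
    """Return one finding per Traffic Mirroring API call in the CloudTrail records."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        action = rec.get("eventName")
        if action not in MIRROR_ACTIONS:
            continue
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        succeeded = "errorCode" not in rec
        severity = MIRROR_ACTIONS[action]
        if principal.startswith(expected_prefixes):
            severity = "info"      # known owner of the mirroring setup
        elif not succeeded:
            severity = "medium"    # denied call: someone probed for the permission
        findings.append({
            "time": rec.get("eventTime"),
            "action": action,
            "principal": principal,
            "source_ip": rec.get("sourceIPAddress"),
            "succeeded": succeeded,
            "severity": severity,
        })
    return findings


def sessions_started_by_unexpected_principals(findings):
    """Findings that actually started mirroring and came from an unexpected principal."""
    return [f for f in findings
            if f["action"] == "CreateTrafficMirrorSession"
            and f["succeeded"] and f["severity"] == "high"]


if __name__ == "__main__":
    for f in find_traffic_mirroring_events(SAMPLE_RECORDS):
        print(f"{f['time']} {f['severity']:6} {f['action']:28} "
              f"{f['principal']} from {f['source_ip']} ok={f['succeeded']}")
```

Denied calls are kept on purpose: an AccessDenied on CreateTrafficMirrorSession from a principal that never touches networking is worth a look even though no packets were copied. In practice the records would come from the CloudTrail S3 bucket or a CloudWatch Logs subscription rather than an inline list, and the allowlist of expected principals should be kept deliberately short.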

CVE-2019-8451 Unauthorized SSRF via REST API
As pointed out by Dino Dai Zovi: 'If you're running JIRA on AWS, consider this SSRF to be RCE'.

A repository that contains sample code vulnerable to Server-Side Request Forgery attacks. But, why in PHP?!
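Both items above are about the same failure: a server that fetches a user-supplied URL will, on AWS, happily fetch from the instance metadata service at 169.254.169.254 and hand back the instance role's credentials, which is why the JIRA SSRF is treated as RCE. An added example (not code from the newsletter, from the JIRA advisory or from the PHP sample repository) of the check the fetching side should make: the URL's scheme is restricted, the host is resolved, and every address it resolves to is rejected if it is loopback, link-local (the IMDS range), private or otherwise special-use. The resolver is injectable so the example runs offline; FAKE_DNS and the .example hostnames are constructed for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _blocked_reason(addr):
    """Return why an address must not be fetched on the server's behalf, or None."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local (169.254.0.0/16, where the instance metadata service lives)"
    if addr.is_private:
        return "private or special-use range (includes fd00:ec2::254, the IPv6 IMDS address)"
    if addr.is_multicast or addr.is_reserved or addr.is_unspecified:
        return "non-unicast or reserved"
    return None


def system_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA) via the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_outbound_url(url, resolver=system_resolver):
    """Return (ok, reason). ok is False when the URL must not be fetched server-side."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    # IP literals need no lookup. Hostnames are resolved and *every* returned
    # address is checked, so a name that points at the metadata address, or an
    # unusual numeric spelling that the resolver normalises, is caught as well.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not addrs:
            return False, f"{host!r} resolved to no addresses"
    for addr in addrs:
        reason = _blocked_reason(addr)
        if reason:
            return False, f"{host} -> {addr}: {reason}"
    return True, "ok"


# Constructed DNS answers for the offline demonstration (not real records).
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "innocent-looking.example": ["169.254.169.254"],  # a name that points at IMDS
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no such host: {host}")


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://[fd00:ec2::254]/latest/meta-data/",
              "https://api.partner.example/v1",
              "https://innocent-looking.example/"):
        print(u, "->", check_outbound_url(u, resolver=fake_resolver))
```

Two caveats that the check alone does not cover: the fetch itself must be made with redirects disabled and each Location re-validated with the same function, otherwise a permitted host can simply redirect to the metadata address; and the check is a mitigation for the application, not a substitute for IMDSv2 (which requires a session token that a plain GET-based SSRF cannot obtain) and for scoping the instance role to the minimum it needs.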

How to keep your Kubernetes secrets secure in Git
If you really really really want to store your secrets within your source code, this post describes techniques for using Git to keep your Kubernetes secrets secure.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.