This week's articles
Container Runtime Security Bypasses on Falco
A blog post describing some of the nuances of auditing Falco during security assessments, and demonstrating how to think through some bypasses. The post goes through common approaches taken while auditing runtime security tools and, as a bonus, even provides a couple of bypasses (for the terminal alert, the sensitive volume alert, and the privileged container alert).
Azure Sentinel is now GA
Azure Sentinel, a cloud-native SIEM that provides intelligent security analytics at cloud scale for enterprises of all sizes and workloads, is now generally available. The design considerations behind Sentinel are also worth reading.
Container Image Squatting in a Multi-Registry World
Another interesting piece of research by @raesene, this time on attackers squatting on common Docker Hub account names to try and trick users into pulling malicious images, a process made somewhat easier by the fact that anyone can register organization names on Quay.io. Some mitigations are provided if you’re planning to adopt podman.
Abusing VPC Traffic Mirroring in AWS
PoC script by @rhinosecurity that uses AWS VPC Traffic Mirroring to mirror and exfiltrate network traffic in AWS VPCs. Malicious VPC traffic mirroring can be extremely impactful because network traffic moving around within VPCs often contains sensitive information. The likelihood of malicious VPC traffic mirroring is also very high because there are often large amounts of cleartext traffic flowing through a VPC. One reason for the common use of cleartext traffic is that, before traffic mirroring existed, it was very unlikely that the traffic would be sniffed, so it wasn’t considered very risky (think of TLS termination at NLBs). Related script: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror/.
A repository that contains sample code vulnerable to Server-Side Request Forgery attacks. But, why in PHP?!