This week's articles
PodSecurityPolicy Deprecation: Past, Present, and Future
#k8s, #announcement
PodSecurityPolicy (PSP) is being deprecated in Kubernetes 1.21, to be released later this week. PodSecurityPolicy will continue to be fully functional for several more releases before being removed completely. In the meantime, a replacement that covers key use cases more easily and sustainably is being developed.
Project Zero: Who Contains the Containers?
#docker, #attack
Post about a research project James Forshaw (Google's Project Zero) conducted on Windows Server Containers that resulted in four privilege escalations which Microsoft fixed in March 2021. In the post, he describes what led to this research, his research process, and insights into what to look for if you're researching this area.
How to Harden Your Cloud Against SMTP Abuse
#aws, #attack
AWS accounts that are outside of the SES sandbox are valuable to criminals looking to perform mass spam campaigns or large-scale phishing attacks. Once they have purchased such an account, they attempt to launch their campaign as soon as possible and send as much as they can before Amazon catches on and bans the AWS account for malicious activity with SES.
Cloud lateral movement: Breaking in through a vulnerable container
#aws, #attack
What often happens in well-known attacks on cloud environments is that a publicly available vulnerable application serves as the entry point. From there, attackers try to move inside the cloud environment, either to exfiltrate sensitive data or to use the account for their own purposes, such as crypto mining.
The worst so-called best practice for Docker
#docker, #build
In a whole bunch of places you will be told not to install security updates when building your Docker image. Please, run dnf/apk/apt-get upgrade in your Dockerfile, you really do want to install security updates in your Docker image. And after that, make sure Docker caching doesn't break your updating.
Man in the Terminal
#aws, #attack
Leveraging environment $PATH variables to keylog, hijack SSH sessions, and more. Useful for post-ex activities on shared *nix jumpboxes or developer workstations. This can be particularly useful in AWS environments where you have access as the ec2-user.
From "War Games" to Network Policies
#kubernetes, #defend
Post considering why traditional network security approaches aren't sufficient in the cloud native world, and what advantages we can gain through network policies.
Kubernetes Pentest Methodology
#kubernetes, #attack
Series describing a Kubernetes penetration test methodology, which covers the security risks that can be created by misconfiguring Kubernetes RBAC and demonstrates the attack vectors of a remote attacker.
Running Atlantis at Lyft
#ci/cd, #build
Atlantis is an Open Source Terraform Automation platform designed to be run as part of a version control provider's pull request (PR) workflow. It provides workflow customization on a per-team basis, centralized permissions and binaries, audit logs and guardrails such as PR approvals and mergeability.
Tools
kubesploit
Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.
action-conftest
A GitHub Action for easily using conftest in your CI. It allows for pulling policies from another source and can surface the violations and warnings into the comments of the pull request.
cosigned
A Kubernetes admission controller to verify images have been signed by cosign.
kubernetes-simulator
A distributed systems and infrastructure simulator for attacking and debugging Kubernetes: simulator creates a Kubernetes cluster for you in your AWS account, runs scenarios which misconfigure it and/or leave it vulnerable to compromise, and trains you in mitigating these vulnerabilities.
PMapper v1.1.0 Update
PMapper v1.1.0 has been released, now having support for all policy types (IAM, SCP, Session, Boundary, and Resource for a bunch of resource types).
From the cloud providers
Announcing Azure AD Verifiable Credentials
Azure AD customers can now easily design and issue verifiable credentials to represent proof of employment, education, or any other claim, so that the holder of such a credential can decide when, and with whom, to share their credentials. Each credential is signed using cryptographic keys associated with the DID that the user owns and controls.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌 If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco