Seth Art

📣 Issue 84 is out. Highlights: - Amazon Inspector enhances the security engine for container images scanning. - AWS CloudTrail network activity events for VPC endpoints now generally available. - whoAMI: A cloud image name confusion attack by Seth Art. - Uncovering a Hidden CloudTrail Bug by Tracing AWS AssumeRole Chains in a Graph Database by Or Aspir. - Tool: Cloud Trail Discover cheat sheet. aws-cloudsec.com/p/issue-84

@BleepinComputer @billtoulas Thanks @BleepinComputer and @billtoulas!!!

whoAMI attacks give hackers code execution on Amazon EC2 instances - @billtoulas bleepingcomputer.com/news/security/… bleepingcomputer.com/news/security/…

whoAMI research by DataDog. I immediately thought about all the user-data scripts that me be attached to those launched EC2 instance images 🥶 Kudos to @sethsec for the discovery, research, and tool! #aws #cloudsecurity securitylabs.datadoghq.com/articles/whoam…

The prior name confusion issue: ramimac.me/poisoning-ssm-…

@ramimacisabird Thanks so much @ramimacisabird! Your SSM Command Document research is a must read for sure.

Excellent research here from @sethsec and crew - including responsible disclosure, AWS hardening enhancement, detection guidance, etc. 🤔 I did report a name confusion in SSM Documents impacting Datadog right before this was found... 😜

The post also includes many ways you can check to see if you are vulnerable!

My Datadog Security Labs research is finally live! The whoAMI research highlights how a malicious actor could gain remote code execution in thousands of AWS accounts that are vulnerable to this attack. securitylabs.datadoghq.com/articles/whoam…

@_xDeJesus Thanks for sharing @_xDeJesus. Spot on about the user-data. And just think about all of the attached IAM roles and permissions as well!

What. The.

Fun with Google Cloud's default service accounts (and how to leverage them for offensive purposes) securitylabs.datadoghq.com/articles/googl…

@0xLupin @mattjay @HashiCorp Nice post!

🔗In this article we talk about how I exploited a Fortune 500 Through Hidden Supply Chain Links Link 👇 landh.tech/blog/20241028-… Thanks to the entire @HashiCorp team ! 🤟 Enjoy 🔥

☁️ State of Cloud Security 2024 update of @Datadog’s report analyzing security posture data from a sample of thousands of orgs across AWS, Azure, and Google Cloud • Long-lived credentials continue to be a major risk. • Adoption of public access blocks in cloud storage services is rapidly increasing, • <1/2 of EC2 instances enforce IMDSv2, but adoption is growing • Securing managed Kubernetes clusters requires non-default, cloud-specific tuning • Insecure IAM roles for third-party integrations leave AWS accounts at risk of exposure • Most cloud incidents are caused by compromised cloud credentials datadoghq.com/state-of-cloud…

Mine & @sabi_elezi's #MaLDAPtive presentation from @defcon is now posted on YouTube! LDAP obfuscation, deobfuscation & detection - all built on our 100% custom LDAP parser. Recording: youtube.com/watch?v=mKRS5I… Tool: github.com/MaLDAPtive/Inv… @permisosecurity #LDAP #ClippyGotJokes

Excited to share some research I've been working on for the past few months, based on real-world data from thousands of environments using AWS, Azure and Google Cloud! datadoghq.com/state-of-cloud…

Registration for the 2024 CNY Hackathon is now open! …thon-2024-registration.eventbrite.com

How it feels to be on the other side… #Bluesky

I had such a great time speaking about Cloud Security at @BsidesORL! I saw some great talks, made some new friends, and got to hang with old ones. A huge thank you to all of the volunteers that made this epic event possible!