Hey there,
I hope you’ve been doing well!
🧘🔮 Woo-bud
This week I’ve been going full woo woos in Ubud 🙏 Some memories:
Fly High Yoga, a type of aerial yoga – Wishing you namaste, hanging upside down.
Shadow dance – No talking and no phones allowed. The lights are dim, techno is blasting, the DJ voices over in a meditative tone, “What would it feel like… if… you were to push yourself… and dance… without fear or self-imposed restrictions…”
Making friends at The Yoga Barn, including a former tech worker turned yoga teacher and a Russian scientist/therapist/healer who wants to build a University of Happiness.
One yoga teacher referenced she had a big ceremony the next day: “This chief from an indigenous tribe flew in and is collabing with a few high priests here to do a prayer for world peace.”
Meeting literally four other SF-based people at an ecstatic dance class, including (of course) an AI startup founder 😂 I don’t know exactly what that says about SF, but it definitely says something.
Doing sexy Insta poses in front of a waterfall (to be released on the tl;dr OF).
Radiant Light Therapy, in which a Roxiva device flashes bright lights on you in different patterns to produce a meditative effect. Feeling the gongs and a didgeridoo vibrate the water bed I’m lying on during Light Sound Vibration at the Pyramids of Chi.
Going down a long rural road to a small open air house for a chakra healing session with a Balinese woman, who rids you of bad energy with a homemade green paste, and spits out the bad energy she extracted.
…Just like my normal weeks working at a tech startup in San Francisco 😂 To be honest, I never thought I’d say most of the words above, but it’s been a fun experience.
All in all, there’s a lot of genuineness and earnest positivity here. I like it.
Nothing is a silent cry for help like bringing a laptop to a pool
Sponsor
📣 [Webinar] Learn How to Quarantine Zombies Lurking in Your Cloud 🧟
Is the risk of deleting unused identities preventing you from taking action? Learn how to quarantine them and eliminate the risk without disruption.
Webinar: Defeating Cloud Zombies: Identifying and Eliminating Hidden Threats
Date: January 28th, 2025
Time: 10:00 AM CT
Why attend?
- Uncover Hidden Dangers: Learn about the risks posed by dormant users or roles in your cloud environment.
- Insights: Tap into our in-depth research to understand the most common unused identities lurking in the cloud.
- Scalable Solutions: Save time by automating the quarantine of unused identities without impacting workflows.
👉 Register for FREE Webinar 👈
Overprivileged and unused identities can be a big latent risk in cloud environments, great to see people working on reducing this risk in a way that doesn’t disrupt the business 👍️
AppSec
Product Security Bad Practices
CISA and the FBI provide guidance on 13 key product security bad practices that software manufacturers should avoid, covering product properties (e.g. using memory-unsafe languages, SQL or command injection, default passwords), security features (e.g. lack of MFA support), and organizational processes (e.g. not issuing CVEs). The post provides recommended actions and resources for each bad practice.
Backdooring Your Backdoors – Another $20 Domain, More Governments
Many web shells (post exploitation tooling for attackers to retain access to a system) include backdoors that give the web shell author access to the systems compromised by those backdoors (a backdoor in the backdoor).
watchTowr’s Benjamin Harris and Aliz Hammond describe how they hijacked these backdoors in web shells by registering expired domains used by the backdoor’s callbacks, gaining potential access to over 4000 compromised systems including government and university targets. Great impact, dank memes 👌
Millions of Accounts Vulnerable due to Google’s OAuth Flaw
Truffle Security’s Dylan Ayrey describes how an attacker could purchase a failed startup’s domain and use it to re-create email accounts for former employees, and then use that access to log into all the different SaaS products the org used, like Slack, Notion, HR systems (tax documents, pay stubs, insurance information, social security numbers), etc.
The issue is that ownership changes to the domain are not visible to the SaaS apps (e.g. Slack). Google initially closed Dylan’s report “Won’t Fix,” then re-opened it and paid a $1337 bounty after Dylan’s Shmoocon talk was accepted.
💡 Pro-tip: If a company says something is “not a security issue” or it’s labeled as “Won’t Fix,” then surely they won’t mind you writing a blog post or giving a conference talk about it 😈
Sponsor
📣 The Human Touch In Creating and Securing Non-Human Identities
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). These NHIs are created and managed by human actions to enable automated processes, system-to-system communication, and cloud services.
However, the rapid proliferation of NHIs presents new challenges to traditional identity security approaches. This eBook explores:
- How NHIs are created.
- The role of human decisions in shaping NHI security postures.
- The hidden risks posed by neglected NHIs in cloud-native environments.
- How human and non-human identities are intertwined.
- Strategies to unify your identity security without compromising agility.
👉 Read the eBook 👈
I’ve been hearing more about non-human identities recently, I need to read more about it 👀
Cloud Security
How to bypass honeypots in AWS
Tejas Zarekar describes how to detect and avoid honeypots set up around AWS access key IDs: using prior research by Tal Be’ery, an attacker can deduce the account ID from the access key ID itself. If the account ID deduced from a key found on the compromised EC2 instance does not match the victim’s account ID, the key is probably a planted honeytoken, and using it would trigger the honeypot alert.
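The flip side of this for defenders: before planting a canary access key, check that the account ID it encodes is the account you are planting it in, otherwise the token is trivially spottable. Below is an added example (not from Tejas’ or Tal’s posts) in Go that implements the published decoding, plus a consistency check. The `makeTestAccessKeyID` helper and the filler bytes it uses are constructed for this example so it runs offline; they are not how AWS mints keys.

```go
package main

import (
	"encoding/base32"
	"errors"
	"fmt"
)

// accountIDFromAccessKeyID recovers the 12-digit account ID embedded in an
// AWS access key ID, following Tal Be'ery's published decoding: drop the
// 4-character prefix (AKIA/ASIA), base32-decode the rest, read the first
// 6 bytes as a big-endian integer, mask off the top bit and the low 7 bits,
// then shift right by 7.
func accountIDFromAccessKeyID(accessKeyID string) (string, error) {
	if len(accessKeyID) < 20 {
		return "", errors.New("access key ID too short")
	}
	raw, err := base32.StdEncoding.DecodeString(accessKeyID[4:])
	if err != nil {
		return "", fmt.Errorf("key ID body is not base32: %w", err)
	}
	if len(raw) < 6 {
		return "", errors.New("decoded key ID too short")
	}
	var v uint64
	for _, b := range raw[:6] {
		v = v<<8 | uint64(b)
	}
	id := (v & 0x7FFFFFFFFF80) >> 7
	return fmt.Sprintf("%012d", id), nil
}

// honeytokenConsistent reports whether a canary key ID actually encodes the
// account it is planted in. A mismatch is exactly the tell the post describes,
// so a defender should fix it before deploying the token.
func honeytokenConsistent(accessKeyID, plantedInAccount string) bool {
	id, err := accountIDFromAccessKeyID(accessKeyID)
	return err == nil && id == plantedInAccount
}

// makeTestAccessKeyID builds a key ID that embeds accountID so the decoder can
// be exercised offline. The low 7 bits and the trailing 4 bytes are filler;
// this is a constructed layout for the example, not how AWS mints keys.
func makeTestAccessKeyID(prefix string, accountID uint64, filler byte) string {
	head := accountID<<7 | uint64(filler&0x7F)
	raw := make([]byte, 10)
	for i := 5; i >= 0; i-- {
		raw[i] = byte(head)
		head >>= 8
	}
	for i := 6; i < 10; i++ {
		raw[i] = filler
	}
	return prefix + base32.StdEncoding.EncodeToString(raw)
}

func main() {
	key := makeTestAccessKeyID("AKIA", 123456789012, 0x5A)
	id, _ := accountIDFromAccessKeyID(key)
	fmt.Println(key, "->", id)
	fmt.Println("consistent with 123456789012:", honeytokenConsistent(key, "123456789012"))
	fmt.Println("consistent with 999999999999:", honeytokenConsistent(key, "999999999999"))
}
```

The same decoder is handy in triage: a key ID found in a leaked config or a log line tells you which account it belongs to before you touch any AWS API.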
The many ways to obtain credentials in AWS
Wiz’s Scott Piper provides a comprehensive overview of the various methods AWS services use to obtain IAM role credentials, beyond the well-known Instance Metadata Service (IMDS), covering SDK credential providers, container services, EKS Pod Identities, IRSA, (takes deep breath) Default Host Management Configuration, Systems Manager hybrid activation, IoT, IAM Roles Anywhere, Cognito, and Datasync.
Securing Your Cloud Data: Unencrypted Resources in AWS
Fog Security’s Jason Kao found 15 AWS services still support unencrypted resources, including RDS, EFS, Redshift, and ElastiCache, and provides recommendations, such as enforcing encryption using Resource Control Policies.
Preventing unintended encryption of Amazon S3 objects
There have been a number of posts from cloud security researchers on using KMS and a key switcheroo (that’s the technical term) to effectively ransomware S3 buckets. See work by Spencer Gietzen, Harsh Varagiya, Halcyon, Chris Farris, and Kat Traxler (H/T Daniel Grzelak’s great round-up).
In this post, AWS CIRT recommends four security best practices to protect against this attack, and apparently AWS’ active defense tools already include automatic mitigations that help prevent this type of attack in many cases without customer action.
Security at scale: Plaid’s journey to creating a key management system
Shuaiwei Cui and Anirudh Veeraragavan describe the design and implementation of Plaid’s internal Key Management System (KMS), which was built to address scalability, cost efficiency, and self-service needs. The system uses AWS KMS as a root of trust and leverages envelope encryption, with gRPC for communication and an SQL database for long-term key storage. Great example of security engineering and building a secure-by-default Paved Road.
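To make the envelope encryption part concrete, here is an added example in Go (not Plaid’s code; their post describes the architecture, not an implementation). A data key is generated per record, the payload is encrypted under it, and the data key is wrapped by a root key before only the wrapped form is stored. The `RootKey` type here is a constructed in-memory AES key standing in for the AWS KMS key, so the example runs offline; in the real design wrap and unwrap are KMS API calls and the root key material never leaves KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD wraps a 256-bit key in AES-256-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under a fresh random nonce and returns nonce||ciphertext.
func sealGCM(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// openGCM reverses sealGCM; it fails if the authentication tag does not verify.
func openGCM(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// RootKey stands in for the AWS KMS key at the root of trust. Constructed
// in-memory key for this example only; real key material stays inside KMS.
type RootKey struct{ aead cipher.AEAD }

func NewRootKey() (*RootKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	a, err := newAEAD(k)
	if err != nil {
		return nil, err
	}
	return &RootKey{aead: a}, nil
}

// Envelope is the record persisted long term: the data key wrapped by the
// root key, next to the payload encrypted under that data key. The plaintext
// data key exists only in memory while a request is served.
type Envelope struct {
	WrappedDataKey []byte
	Ciphertext     []byte
}

// Encrypt generates a one-off data key, encrypts the payload under it, then
// wraps the data key with the root key. keyID is bound in as associated data
// so a stored envelope cannot be silently re-labelled for another key.
func Encrypt(root *RootKey, keyID string, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	dk, err := newAEAD(dataKey)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := sealGCM(dk, plaintext, []byte(keyID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealGCM(root.aead, dataKey, []byte(keyID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the root key, then decrypts the payload.
func Decrypt(root *RootKey, keyID string, env Envelope) ([]byte, error) {
	dataKey, err := openGCM(root.aead, env.WrappedDataKey, []byte(keyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	dk, err := newAEAD(dataKey)
	if err != nil {
		return nil, err
	}
	return openGCM(dk, env.Ciphertext, []byte(keyID))
}

func main() {
	root, err := NewRootKey()
	if err != nil {
		panic(err)
	}
	env, _ := Encrypt(root, "tenant-42", []byte("account_number=0000"))
	pt, err := Decrypt(root, "tenant-42", env)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
}
```

The point of the split is that the database only ever holds wrapped data keys, so a bulk re-key means re-wrapping small keys rather than re-encrypting every record, and the root key calls (the expensive, rate-limited part) happen once per record rather than once per byte.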
Container Security
semgr8ns/semgr8s
By Christoph Hamsen and Philipp Belitz: A Kubernetes admission controller to use your well-known publicly available or custom Semgrep rules to validate k8s resources before deployment to the cluster.
💡 In addition to like 10+ programming languages, Semgrep can analyze JSON, YAML, Terraform, plaintext (generic mode) … so you can use the same tool to analyze All The Things™️.
antitree/seccomp-diff
By Mark Manning: A tool to analyze binaries and containers to extract and disassemble seccomp-bpf profiles. It’s designed to help you determine whether or not a given seccomp-bpf profile is more or less constrained than others as well as give you the ground truth for the filters applied to a process.
💡 Mark is the man(ning). Definitely check out his work for great containers and Kubernetes security research, like his very thorough Risk8s Business: Risk Analysis of Kubernetes clusters guide.
Adrift in the Cloud: A Forensic Dive into Container Drift
Alex John discusses container drift from a forensics perspective, with a focus on OverlayFS (drift being changes to the container’s filesystem, differences from its known original state). Alex describes how to find the writeable layer of a container filesystem, and a new drift detection feature he added to Google’s Container Explorer tool, that makes it easy to quickly identify added, deleted, and changed files in a container’s filesystem, supporting Docker and containerd.
Supply Chain
Capturing the Flags of the Internet: Find 0-days in OSS and write scanners to detect them
Annie Mao and Hlynur Óskar Guðmundsson announce the launch of Google’s new patch reward program: InternetCTF. Earn up to $10,000 for finding novel RCE vulnerabilities in securely configured open source software and providing Tsunami (Google’s OSS vulnerability scanner) plugin patches to detect them. See also this post for updates to Google’s Patch Rewards Program, including a new focus on memory safety with reward multipliers, increased reward amounts, and more.
💡 This is awesome: incentivizing people to find critical vulns in OSS and providing a way to detect them at scale. Google does a lot for improving software security (OSS-Fuzz, osv.dev, Project Zero, …), it would be nice to see more investment from other $T companies.
OSV-SCALIBR: A library for Software Composition Analysis
Google’s Erik Varga and Rex Pan announce OSV-SCALIBR, an extensible Go library for Software Composition Analysis (SCA) and file system scanning. Features:
- SCA for installed packages, standalone binaries, and source code
- OS package scanning on Linux (COS, Debian, Ubuntu, RHEL, …), Windows, and Mac
- Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and more)
- Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac
- SBOM generation in SPDX and CycloneDX
- Optimized for on-host scanning of resource constrained environments where performance and low resource consumption is critical
Cacheract: The Monster in your Build Cache
“What if there was malware that lived entirely within ephemeral build caches? Shifting between pipeline space and caches to maintain itself, indefinitely?” Adnan Khan asks and answers the questions that keep me up at night.
Adnan announces the release of Cacheract, an open-source tool for automated GitHub Actions cache poisoning that persists within ephemeral build caches. It extracts secrets, predicts and poisons cache entries, and can overwrite files to maintain persistence across builds. Excellently detailed write-up 🤘
Red Team
adelapazborrero/slack_jack
By Abel de la Paz: A tool that allows you to hijack a Slack bot using its token (e.g., xoxb or xoxp) and perform various enumeration and exploitation activities. By impersonating a trusted bot, Slack Jack makes social engineering attacks easier, like convincing a user to interact with a malicious link or payload, or combining it with Evilginx to capture credentials.
cxnturi0n/convoC2
By Fabio Cinicolo: Command and Control infrastructure that allows Red Teamers to execute system commands on compromised hosts through Microsoft Teams. It infiltrates data into hidden span tags in Microsoft Teams messages and exfiltrates command outputs in Adaptive Cards image URLs, triggering out-of-bound requests to a C2 server.
Mastering Modern Red Teaming Infrastructure — Part 2: Building Stealthy C2 Infrastructure with Sliver and Re-director
Faris Faisall describes how he created a layered C2 setup using Sliver and NGINX Proxy Manager, with an extra layer of protection and anonymity provided by Cloudflare. He obfuscated and hardened Sliver’s network traffic to bypass NDR, IDS/IPS, and other network monitoring tools, and developed a custom C++ dropper that downloads and executes payloads directly in heap memory through the proxy chain.
AI + Security
AndreySokolov247/XSS-AGENT
A proof of concept of an AI-based autonomous post-exploitation system that, after receiving initial access, does all the steps an attacker would want, like: internal reconnaissance, privilege escalation, lateral movement, data exfiltration, and analysis of exfiltrated data using AI.
dreadnode/dyana
By Simone Margaritelli and Ads Dawson: An eBPF sandbox environment designed to load, run, and profile a wide range of files and provide dynamic testing for AI models. It supports a variety of files including machine learning models, ELF executables, Pickle serialized files, Javascript and more, and provides detailed insights into GPU memory usage, filesystem interactions, network requests, and security-related events.
Nepenthes
A tarpit for web crawlers, specifically targeting crawlers that scrape data for LLMs. The tool generates endless sequences of deterministic but randomly-generated pages with dozens of internal links, adds intentional delays to slow crawlers, and can optionally fill the pages with Markov babble, to give the crawlers something to scrape up and train their LLMs on, hopefully accelerating model collapse.
💡 I love the chaotic energy vibe of this project 😂
Misc
- How Barcelona became an unlikely hub for spyware startups – Good tax situation, cheap cost of living, beaches, and less restrictive export licenses than Israel.
- I hate how well asking myself “If I had 10x the agency I have what would I do?” works
- What if you tried hard? – “What would happen if you gave it all you had and even risked embarrassing yourself if it didn’t work out? What greatness could you attain if you just tried harder than anyone else?”
- Nicolas Cole – You think I like working this hard?
- TikTok, AliExpress, SHEIN & Co surrender Europeans’ data to authoritarian China
- Tetris in a PDF using JavaScript APIs. Also, DOOM in a PDF 😂
- Modern Wisdom – A Man’s Guide To Feeling Your Feelings – Connor Beaton
  - A ripped dude alternately talking about his current workout and what he learned from his breakups. Working out + life advice is a nice format 😂
“Grief is praise, because it is the natural way love honors what it misses.” ― Martin Prechtel, The Smell of Rain on Dust: Grief and Praise
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler