Traceable and Wiz are having a party during AWS re:Inforce! June 11th in Philly. I’ve been told you’ll learn things like: - How the Liberty Bell actually got cracked. - What playground The Fresh Prince spent most of his days. - How tying a key to string on a kite during a thunderstorm originally inspired the shared responsibility model and trying it can save your US-east-1 workloads from failure. If you are interested in these topics or just an all around good time, ping me for details. :) #apisecurity #cloudsecurity #cnapp
Jason Allen's activity
Most relevant activity
-
Our DEF CON 32 talk, "Breaching AWS Through Shadow Resources" is now live on YouTube! In this session, we present six critical vulnerabilities we uncovered in AWS services, sharing the stories and methodologies behind each one. Stay tuned for a new discovery we're revealing next week during SecTor!
DEF CON 32 - Breaching AWS Through Shadow Resources - Yakir Kadkoda, Michael Katchinskiy, Ofek Itach
https://www.youtube.com/
-
-5- Breaching AWS Accounts Through Shadow Resources The trio, Yakir Kadkoda, Ofek Itach and Michael Katchinskiy, reveal a unique technique that has uncovered vulnerabilities in six (!) different AWS services. A bit of background: S3, one of the oldest AWS services, is a bit different — the names of buckets (the main type of resource) are globally unique, meaning that if someone has claimed the bucket 'test', nobody else can pick the same name, even under a different AWS account. This allows for a bucket-name-squatting issue — predicting the name of a yet-to-be-used bucket, creating it, and making users accidentally pull files from this attacker-controlled bucket. In this talk, the trio uncovers a crazy extension of this attack: predicting the names of (semi-)automatically created buckets. AWS services utilize S3 by creating buckets to be used behind the scenes. They normally create those buckets, but how do they behave if one already exists? Turns out they mostly continue as usual, pushing the files into the bucket anyway and pulling them out at a later time. If an attacker can predict the names of these buckets, they can create them in advance, and on usage — replace the file before it's pulled back out. In case this file is used to create AWS resources, like in their first example of CloudFormation — this leads to arbitrary access to the victim's AWS account. The only remaining hurdle is the bucket names: can they actually be predicted in advance? (6/9) The group discovered that the Glue, EMR, SageMaker, and CodeStar AWS services use the AWS account ID as a source of "randomness" for the bucket name. Unfortunately, AWS account IDs are not considered secrets (hot take, I know), so as long as you know your victim's account ID, you could attack them on use of any of these services. Other services, like CloudFormation, use a random hash, making it harder for attackers. However, they are fixed per account.
The researchers show that ARNs of these buckets can be easily found in public repos. A very cool technique that I'm sure we'll see again in the future! #DEFCON #AWS #S3 #vulnerability https://lnkd.in/djhQzA8n
DEF CON 32 - Breaching AWS Through Shadow Resources - Yakir Kadkoda, Michael Katchinskiy, Ofek Itach
https://www.youtube.com/
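A defender-side check for the shadow-bucket pattern the post above describes, added here as an example and not code from the researchers or from AWS: before a workflow pushes files into a bucket whose name is derived from the account ID, it confirms the bucket is owned by its own account (S3's `ExpectedBucketOwner` condition on HEAD Bucket, which boto3's `head_bucket` accepts) and pre-claims any name nobody has created yet. The account IDs, the `placeholder-*` bucket names and the `FakeS3` stand-in for a boto3 client are constructed for offline use; the real per-service naming schemes are not reproduced, and in `demo()` the SageMaker name is assumed to have been taken already by another account.

```python
ACCOUNT_ID = "123456789012"  # constructed sample account ID (account IDs are not secrets)
# Constructed placeholder names shaped like the talk's pattern (account ID in the name); real schemes not reproduced.
SERVICE_BUCKETS = {
    "glue": f"placeholder-glue-assets-{ACCOUNT_ID}-us-east-1",
    "sagemaker": f"placeholder-sagemaker-{ACCOUNT_ID}",
}

def classify_bucket(s3, name, account_id):
    """Return 'owned', 'foreign' (exists under another account) or 'unclaimed'.
    HEAD Bucket with ExpectedBucketOwner is refused (403) when the owner differs."""
    try:
        s3.head_bucket(Bucket=name, ExpectedBucketOwner=account_id)
        return "owned"
    except Exception as exc:  # botocore ClientError exposes .response["Error"]["Code"]
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
        if code in ("404", "NoSuchBucket"):
            return "unclaimed"
        if code in ("403", "AccessDenied"):
            return "foreign"  # name already held elsewhere: alert, never push files to it
        raise

def audit_and_claim(s3, buckets, account_id, claim=True):
    """Classify each service bucket; pre-create unclaimed names so nobody else can."""
    report = {}
    for service, name in buckets.items():
        state = classify_bucket(s3, name, account_id)
        if state == "unclaimed" and claim:
            s3.create_bucket(Bucket=name)  # outside us-east-1 add CreateBucketConfiguration
            state = "claimed"
        report[service] = state
    return report

def _err(code):  # mimic the .response shape of botocore's ClientError
    exc = Exception(code); exc.response = {"Error": {"Code": code}}; return exc

class FakeS3:
    """Constructed offline stand-in for a boto3 S3 client: bucket name -> owner account."""
    def __init__(self, owners):
        self.owners = dict(owners)
    def head_bucket(self, Bucket, ExpectedBucketOwner=None):
        owner = self.owners.get(Bucket)
        if owner is None or (ExpectedBucketOwner and owner != ExpectedBucketOwner):
            raise _err("404" if owner is None else "403")
        return {}
    def create_bucket(self, Bucket):
        self.owners[Bucket] = ACCOUNT_ID

def demo():
    s3 = FakeS3({SERVICE_BUCKETS["sagemaker"]: "999999999999"})  # constructed squatter account
    return audit_and_claim(s3, SERVICE_BUCKETS, ACCOUNT_ID)  # {'glue': 'claimed', 'sagemaker': 'foreign'}
```

Swap `FakeS3` for `boto3.client("s3")` to run it against a real account; a `foreign` result is the signal that a service bucket name has already been taken outside your account.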
-
Ever struggle to understand how a firewall works without spending money or brain cells to figure out how Palo Alto works? AWS NACLs to the rescue. In this post, I share how to understand how to set up NACLs and what it means when rules rule.
-
Don't miss our next webinar with Daniel H., which will showcase how Apeman can quickly identify Attack Paths by solving AWS CTF challenges. Each challenge will highlight a common misconfiguration & how Apeman can help identify them. Register today: https://ghst.ly/4dCog48
-
This video from fwd:CloudSec is a really good example of CloudTrail log spelunking in a compromised AWS environment https://lnkd.in/gCN-gbYg I didn't know about the IAM policy simulator enumeration technique either!
From Intrusion to Insight: Lessons learned from of a month long AWS compromise - Korstiaan Stam
https://www.youtube.com/
-
Getting ready for my and Benjamin Perak’s re:Invent talk by showcasing the power of Hooks and ECR. You can use Hooks to block the deployment of container images with critical vulnerabilities to CloudFormation. Pretty rad to just make your org safer with a few lines of code. See y’all next week! #reinvent #aws
-
Amazon has unveiled Mithra, a cutting-edge internal system used to detect malicious website domains at massive scale. This powerful tool identifies an incredible 182,000 malicious domains per day on average! Mithra plays a crucial role in protecting AWS customers from malicious web traffic and cyberattacks. It leverages data from AWS' global cloud platform that processes up to 200 trillion DNS requests daily, as well as insights from honeypot sensors that attract and study malware. The system organizes threat intelligence into a massive graph data structure with 3.5 billion nodes and 48 billion edges, linking malicious domains to hacking groups. This allows AWS to proactively block attacks targeting its customers. #amazon #aws #security #innovation
Security underlies everything we do at AWS. AWS CEO Matt Garman talks to Fox Business about our industry leading threat intelligence, the latest in GenAI innovation and more.
-
Learn how Apeman quickly identifies Attack Paths! Daniel H. recently demonstrated this through solving AWS CTF challenges. Each challenge highlights a common misconfiguration & how Apeman can help identify them. Watch the webinar on demand: https://ghst.ly/4dCog48
-
If you're interested in AWS pentesting or engineering, you NEED to know how to use the AWS CLI. In this video, I work through a completely FREE lab by Cybr on getting started with the AWS CLI (https://cybr.com). We cover: - How to install the CLI - How to configure Access Keys - How to find profiles on your local machine - How to issue CLI commands - How to use roles with the CLI - How to navigate AWS Documentation Enjoy! https://lnkd.in/gYJtgb6R (Special thank you to Christophe Limpalair for the incredible Cybr platform!)
Hacking AWS: Learning the CLI!
https://www.youtube.com/
-
If you're interested in AWS pentesting or engineering, you NEED to know how to use the AWS CLI. In this video, I work through a completely FREE lab by Cybr on getting started with the AWS CLI Thanks Tyler Ramsbey
Unprofessional Hockey Player and Investor
10 months
I went to this historical monument of a playground right before I moved from Philly. Was kind of disappointed that there was no one up to no good to hang out with :(