Introducing Pathfinding.cloud, a library of privilege escalation paths in AWS
securitylabs.datadoghq.com/articles/int...
by @sethsec.bsky.social
@sethsec.bsky.social
Security Research and Advocacy @ Datadog. Former Principal and Cloud Penetration Testing lead @BishopFox. I like to build, break, learn, and share. CloudFox, CloudFoxable, BadPods, IAM Vulnerable
The July edition of the Datadog Security Digest is out!
securitylabs.datadoghq.com/newsletters/...
• Cloud image investigator by @sethsec.bsky.social
• Our top picks for Black Hat / DEF CON
• A benchmark for LLM coding accuracy and security
• Malicious Homebrew installation campaign
... and more
fwd:cloudsec is around the corner! Don't miss these 3 talks from Datadog researchers Seth Sec, Katie Knowles, Greg Foss, and Anthony Randazzo.
fwdcloudsec.org/conference/n...
@sethsec.bsky.social
@siigil.bsky.social
@gregfoss.com
The February edition of the Datadog Security Digest is out!
securitylabs.datadoghq.com/newsletters/...
featuring @sethsec.bsky.social, @mccune.org.uk, @karimscloud.bsky.social, @jcfarris.bsky.social, and more
The Datadog Security Digest is a monthly, practitioner-focused newsletter.
Don't miss our February edition going live tomorrow!
securitylabs.datadoghq.com/newsletters/...
whoAMI attacks give hackers code execution on Amazon EC2 instances
13.02.2025 23:59
When I first started reading this I thought, “is this really news, this issue has been around for years…” but then it gets interesting - kudos to the researchers on this one!
12.02.2025 20:25
Need to hack thousands of AWS customers? What about on internal AWS systems? Datadog Security Research found that a number of tools, including one published by AWS, are susceptible to name confusion attacks, leading to RCE in vulnerable environments!
securitylabs.datadoghq.com/articles/who...
I’m excited to share our research on the “whoAMI” attack. We discovered that AWS customers pulling AMI IDs insecurely could accidentally use malicious images instead of the legitimate ones— leading to remote code execution.
securitylabs.datadoghq.com/articles/who...
We discovered a pattern in the way many projects retrieve Amazon Machine Images (AMIs), allowing attackers to publish AMIs with specially crafted names and gain code execution within vulnerable accounts.
securitylabs.datadoghq.com/articles/who...
by @sethsec.bsky.social
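The lookup pattern the whoAMI posts above describe (match AMIs by name, take the most recent one) reconstructed as an added example. This is not code from the Datadog article or from any of the affected tools; it does not call AWS at all. It simulates `DescribeImages` over a constructed image list with hypothetical owner account IDs and image IDs, and shows that a name-wildcard filter plus "newest wins" selection picks the attacker's image when no owner restriction is applied, while pinning the publisher account restores the expected result.

```python
"""Simulated AMI lookup demonstrating the whoAMI name-confusion pattern.

Added example; it never calls AWS. The image list is constructed and every
account ID and image ID in it is hypothetical.
"""
from fnmatch import fnmatchcase

TRUSTED_OWNER = "137112412989"   # hypothetical account of the expected publisher
ATTACKER_OWNER = "111122223333"  # hypothetical attacker-controlled account

# Constructed stand-in for the Images list ec2:DescribeImages returns when the
# caller filters on Name only. Public AMIs from any account match such a query.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaaa1111aaaa1111", "Name": "amzn2-ami-hvm-2.0.20240101-x86_64-gp2",
     "OwnerId": TRUSTED_OWNER, "CreationDate": "2024-01-01T00:00:00.000Z"},
    {"ImageId": "ami-0bbbb2222bbbb2222", "Name": "amzn2-ami-hvm-2.0.20240301-x86_64-gp2",
     "OwnerId": TRUSTED_OWNER, "CreationDate": "2024-03-01T00:00:00.000Z"},
    # Attacker publishes a public AMI whose Name matches the same wildcard and
    # whose CreationDate is newer than anything the trusted owner has published.
    {"ImageId": "ami-0cccc3333cccc3333", "Name": "amzn2-ami-hvm-2.0.20241231-x86_64-gp2",
     "OwnerId": ATTACKER_OWNER, "CreationDate": "2024-12-31T00:00:00.000Z"},
]

NAME_PATTERN = "amzn2-ami-hvm-*-x86_64-gp2"


def describe_images(images, name_pattern, owners=None):
    """Mimic DescribeImages: glob match on Name, optional Owners restriction."""
    matches = [img for img in images if fnmatchcase(img["Name"], name_pattern)]
    if owners is not None:
        matches = [img for img in matches if img["OwnerId"] in owners]
    return matches


def pick_latest_ami_insecure(images, name_pattern):
    """Vulnerable lookup: name wildcard only, then newest CreationDate wins.

    Without an owner restriction, whoever publishes a public image with a
    matching name and the newest date decides which AMI the caller launches.
    """
    matches = describe_images(images, name_pattern)
    if not matches:
        return None
    # ISO-8601 timestamps in one format sort correctly as strings.
    return max(matches, key=lambda img: img["CreationDate"])["ImageId"]


def pick_latest_ami(images, name_pattern, trusted_owners):
    """Hardened lookup: restrict to known publisher account(s) before sorting."""
    matches = describe_images(images, name_pattern, owners=set(trusted_owners))
    if not matches:
        return None  # fail closed; never fall back to "any owner"
    return max(matches, key=lambda img: img["CreationDate"])["ImageId"]


def audit_lookup(images, name_pattern, trusted_owners):
    """Return the owner of the image the insecure lookup would pick, if untrusted.

    Useful as a check over existing lookups: an empty set means the unpinned
    query currently resolves to a trusted publisher; a non-empty set names
    the account that would win instead.
    """
    winner = pick_latest_ami_insecure(images, name_pattern)
    if winner is None:
        return set()
    owner = next(img["OwnerId"] for img in images if img["ImageId"] == winner)
    return set() if owner in trusted_owners else {owner}


if __name__ == "__main__":
    print("insecure pick:", pick_latest_ami_insecure(SAMPLE_IMAGES, NAME_PATTERN))
    print("hardened pick:", pick_latest_ami(SAMPLE_IMAGES, NAME_PATTERN, {TRUSTED_OWNER}))
    print("untrusted winner:", audit_lookup(SAMPLE_IMAGES, NAME_PATTERN, {TRUSTED_OWNER}))
```

The real-world equivalent of the hardened function is passing an owner restriction to the lookup itself (for the CLI, `aws ec2 describe-images --owners <account-id> --filters Name=name,Values=...`), rather than filtering by name and sorting by creation date on the client side.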
New year, new job!
I've joined the amazing @wiz_io research team
My goal is the "work for the security industry, at Wiz"
I wrote a blog post explaining why, and what that means:
ramimac.me/joining-wiz
Threat insights from Datadog Security Labs for Q4 2024
securitylabs.datadoghq.com/articles/202...
I'm not saying I'm an AWS expert… but I am saying I finally tracked down the random AWS account charging me small amounts every month and closed it.
02.01.2025 20:23
weird interaction with a student this week. they kept coming up with weird "facts" ("greek is actually a combination of four other languages") that left me baffled. i said let's look this stuff up together, and they said ok, i'll open a search bar, and they opened... ch*tgpt
and i was like "this is not a search bar" and they were like "yes it is, you can search for anything in here"

the thing that made me feel crazy is like. every kid that's using this as a browser is getting new BESPOKE false "facts." this isn't "a widespread misconception about X that stems from how it's taught in schools." each individual kid is now hooked into a Nonsense Machine

with the "widespread misconception about X" you can start at a baseline. like, ok, in tenth grade we all talk about X thing from history, and that leaves us with some misguided concepts about X, but we can correct that as students get broader understandings of the world

but with this, each child is getting UNIQUE wrong facts they are SURE are correct... because they did what we told them to do! they "looked it up"! they got it from somewhere! it's not a kid making up a belief on hearsay and assumption... it's something they think they LEARNED
this kid was extremely combative with me, and i understood why. i was sitting in front of him and telling him that the internet, a computer, technology, all these supposedly authoritative things... were wrong. and that i, one person, was right. he basically *couldn't* believe me.

he decided that i was simply a teacher who'd made a mistake. he could check it, after all! he could look it up! he could find the REAL facts. i obviously hadn't done that, i was just an adult who'd decided i was smarter than him. hence the defensiveness. like i said: i understood

it was so fucking rough. i did my best, but i am one person trying to work against a campaign of misinformation so vast that it fucking terrifies me. this kid is being set up for a life lived entirely inside the hall of mirrors

stillorangecrushed (@stilloranged)
Well this is grim
06.07.2024 22:15
Well now that I got this far down that thread I need to know also.
10.12.2024 04:20
Plenty of additional information about the compromise of OpenWRT’s online build service, involving command-injection and hash bypass 🧠
08.12.2024 21:32
Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages
securitylabs.datadoghq.com/articles/int... by @ikretz.bsky.social
New open-source tool designed to transparently block known malicious PyPI and npm packages.
github.com/DataDog/supp...
Another cool little tool from Datadog Labs. #cybersecurity
https://github.com/DataDog/supply-chain-firewall
We're now officially on Bluesky!
Expect:
➔ New articles on Security Labs about cloud, container and application security
➔ OSS projects for cloud security practitioners
➔ Conference talks at community conferences
See also our starter pack bsky.app/starter-pack... with our authors and researchers!
The self described “Shodan of AWS” is now live! This is an amazing project from Daniel Grzelak that helps democratize cloud resource enumeration for the masses. Very excited about this!
awseye.com
DualCore and I spoke at the Red Team Village this year. Here are the slides. QR code with link to gist with all the reference links on last page. Unfortunately it wasn't recorded.
docs.google.com/presentation...
#redteam #purpleteam #redteamvillage
The November edition of the Datadog Security Digest is live!
securitylabs.datadoghq.com/newsletters/...
Featuring:
- Exploring Google Cloud default service accounts: deep dive and real-world adoption trends by Christophe Tafani-Dereeper
🧵(1/3)
- Exploiting Fortune 500 through hidden supply chain links by Roni Carta
- Cloud guardrails by Mark Andersen, William Bengtson, Adam Cotenoff, ☁️ Houston Hopkins ☁️, Nicholas Siow, and Travis McPeak
🧵(2/3)
- Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview by Ian Kretz & Sebastián Obregoso
- Escalating from reader to contributor in Azure API Management by Christian August Holm Hansen
- IAM Condition operators explained by Cloud Copilot
and more...
🧵(3/3)
Latest video in my Kubernetes Security Fundamentals series is out. Looking at some lesser known bits of Kubernetes authentication, bootstrap and static tokens!
youtu.be/1QNKj1rW5H0?...
Now as a starter pack: go.bsky.app/5HpWAcM
18.11.2024 15:40
We made it easy for you to find us!
The Red Siege Starter Pack is now up!
Find the team here - go.bsky.app/ERU72bD
#infosec #cybersecurity
That word is the worst!
20.11.2024 17:23
This is such a good story about how "gotofail" started as a drunken brag in a bar and ended up being disclosed to Apple via a burner phone. It was Ryan all along, finally taking credit after all these years!
18.11.2024 10:53
I created a list of Cloud Security folks on here. bsky.app/profile/scot...
18.11.2024 00:57