In 2021, I wrote about how offensive actors can leverage AWS SSO device code for phishing, rendering modern security controls like FIDO authentication or identity provider device posture ineffective: Phishing for AWS credentials via AWS SSO device code authentication. In this post, we’ll take a closer look at the newly-released PKCE support for AWS SSO authentication flows. A Short History of Device Code Phishing As highlighted in the original article, Device Code phishing isn’t new or sp...| Christophe Tafani-Dereeper
Kubernetes' 'allowPrivilegeEscalation' is a useful but poorly understood security hardening setting. Let's dive into how it works and debunk some common myths about it.
On March 25, AWS released a new feature that helps enforce IMDSv2 at the region level by default for newly-launched instances.
In this post, we take a look at an anti-forensics technique that malware can leverage to hide injected DLLs. We dive into specific details of the Windows Process Environment Block (PEB) and how to abuse it to hide a malicious loaded DLL. Background: You may be wondering why you’re reading a post about Windows internals if I’m much more focused on cloud security these days. I initially wrote this blog post exactly 3 years ago, in April 2020. I got stuck at explaining why Process Hacker wou...
Today’s post is unlike any I ever wrote: a tribute to a dear friend, who, a few months ago, brutally passed away from a heart attack at the age of 28. More than a close friend I’ve known for 10 years, Hadrien was a brilliant engineer, a software craftsman, a maker, and a hacker whom I highly regarded and learned so much from over the years. Anyone who met him can testify he was passionate about every single thing he did. This post is a tribute to him. Story Let me start by telling the sto...
An attacker compromising a Cloudflare account can abuse Workers to establish persistence and exfiltrate sensitive data.
Releasing a new open-source project: Stratus Red Team, an adversary emulation tool to emulate common attack techniques in cloud environments.
I’m a huge fan of disposable security labs, both for offensive and defensive purposes (see: Automating the provisioning of Active Directory labs in Azure). After writing Cloud Security Breaches and Vulnerabilities: 2021 in Review, I wanted to build a “purposely vulnerable AWS lab” with a typical attack path including static, long-lived credentials and with a supply-chain security element. CloudGoat: Vulnerable AWS Environments CloudGoat is an open-source project containing a library of ...
In this post, we look back on the 2021 cloud security data breaches and vulnerabilities in AWS, and showcase best practices to avoid them.
AWS SSO is vulnerable by design to device code authentication phishing, providing a powerful phishing vector for attackers.
Identify cloud security issues and misconfigurations even before they pose an actual security risk by performing static analysis of Terraform code.
In this post, we discuss the risks of the AWS Instance Metadata service in AWS Elastic Kubernetes Service (EKS) clusters. In particular, we demonstrate that compromising a pod in the cluster can have disastrous consequences on resources in the AWS account if access to the Instance Metadata service is not explicitly blocked. Introduction For the purposes of this post, we’ll use an EKS cluster running Kubernetes v1.17.9 and created with eksctl. We could also have created the cluster using Ter...