Security Stack Sheet #113

 Word of the Week

“Cloud Security Threats for 2021”

IaaS PaaS SaaS - What Are They? Benefits, Risks and Comparison | RabIT Software Engineering

Persistency Attacks
Cloud architecture allows for full flexibility when it comes to creating new instances and running virtual machines that can match any hardware or software environment desired. But that flexibility, if not properly secured, lets bad actors launch attacks — and persist in doing so as they maintain control over the initial assault

Data Science Tool Attacks
Notebooks have proven to be indispensable for data scientists, enabling them to quickly integrate and analyze data. Tools such as AWS SageMaker make that process even more efficient, enabling data scientists to build, train, and deploy machine learning models. But because these are relatively new tools utilized by a cohort that may not be as security-conscious as it should be, bad actors may be able to take advantage of them. Tools such as SageMaker are, like other Amazon products, very flexible, with many options

Bots Could Infect Cloud Legacy Assets
Bots are everywhere, including the cloud; a report by security firm GlobalDots shows that over 80% of “bad bots” — the ones that steal data, scrape content, distribute spam, run distributed denial-of-service attacks, etc. — operate from cloud-based data centers. While many bots export their poison to other sites — using the servers they ensconced themselves on to attack other servers and users — they can just as easily be used to enslave a cloud infrastructure to perform tasks for their owners. Among the more popular of those tasks is cryptomining — to the extent that it is one of the biggest cyberthreats around, according to studies

More Kubernetes Compromises Coming
The same outfit responsible for the AWS credential thefts mentioned above, called TeamTNT, has developed methods to abuse open source visualization and monitoring tool Weave Scope, taking advantage of a common misconfiguration issue. Using default open access granted via port 4040, the hackers install Weave Scope, using it as a backdoor to monitor systems, utilize resources, install applications, open, start, or stop shells in containers — basically anything they want

Preemptive Defense
Cloud attacks naturally grow as more companies open more cloud installations. With public cloud spending by companies expected to more than double by 2023 over 2019’s allocations, we can expect to see more of these — and other — kinds of attacks as hackers continually seek to seize on the “weakest links” they can find

Links HERE and HERE and HERE and Foundations of a Multi-Cloud Security Strategy HERE

 

Word of the Week Special

Remember:

“I’m from Security and I’m here to help”


I’ve had engineers tell me “safety/security is NOT my concern, I just design things”

I’ve had software folks tell me “all I do is code”

I’ve had DBAs tell me “I just make sure the system works”

I’ve had execs tell me “it’s not my problem” OR “it’ll never happen to us”

Well folks, guess what, that shit stops now.

A team of people built a plane

A team of people outfitted it with ALL sorts of gizmos to make it fly

A team of people designed things, built things, coded things and made blinky things work

A team of people signed off on it

A government agency approved it

A leadership team stood behind it

And a software flaw killed the very people who relied upon it.

Related to HERE, HERE and HERE. On trust HERE. On phishing HERE

AND

“Secrets… are the root of cool” 

Conclusions:

Link HERE

Bonus


Link HERE


Link HERE


Link HERE

Crypto challenge of the week

HV20.04 Bracelet

Santa was given a nice bracelet by one of his elves. Little does he know that the secret admirer has hidden a message in the pattern of the bracelet…

Hints

No internet is required – only the bracelet

The message is encoded in binary

Violet color is the delimiter

Colors have a fixed order

Missing colors matter

Link HERE

Dates

  • May 25th 2018: Over 2 years of GDPR live! See the incidents section below. GDPR Enforcement Tracker link HERE – thanks to Marius

Sanctions Explorer

Link HERE

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING! [Browsers, Office365, Cisco and many others]
  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will downgrade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit (properly) Finalised?


  • 1st of July 2021 – Freedom from viruses?

COVID-19 themed attacks launched from October 1 to December 5, 2020

Link HERE

Phishing Campaign Targets COVID Cold Chain

An IBM Security X-Force threat intelligence task force “recently uncovered a global phishing campaign targeting organizations associated with a COVID-19 cold chain.” British regulators have approved Pfizer’s vaccine; US regulators are scheduled to evaluate Pfizer’s and Moderna’s vaccines next week. Once vaccines are approved, they must be transported at extremely low temperatures, hence the term cold chain for the companies that will provide the specialized refrigeration for vaccine storage and transportation. EU regulators are due to approve this vaccine over the coming weeks.
[Neely]
As vaccines are approved and distribution begins, expect increased occurrence of attempts to redirect or otherwise disrupt the supply chain, particularly as the viability depends on proper refrigeration. Distributors need to be prepared for aggressive social engineering, including impersonation of officials, intended to redirect supplies

Link HERE

  • November 3rd 2020: Trump’s second term start

Misusing OSINT to claim election fraud


Link HERE

  • 2026 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA
  • December 31st, 2020 Flash End-of-Life
  • US Government Websites Will be Accessible Through HTTPS Only, After September 1

Book of the month

Link HERE

Remember: AppSec ABCs

Link HERE

Remember: Cahier de vacances pour la sécurité numérique

Link HERE

Comic of the week

Wally Answers Texts Later - Dilbert by Scott Adams

AND

Thought Leader - Dilbert by Scott Adams

##Some OWASP stuff first

–Web Security Testing Guide (WSTG) v4.2

In keeping with a continuous delivery mindset, this new minor version adds content as well as improves the existing tests

Link HERE

–$10000 Facebook SSRF (Bug Bounty)

Subdomains Enumeration + File Bruteforcing + Code Review = $10K Blind SSRF

The vulnerability could have allowed a malicious user to send internal requests to the Facebook corporate network


Link HERE

–Announcing the Snyk and Docker Security Guide for Developers

Snyk and Docker have partnered to bring developer-centric security, powered by Snyk, to the world’s most popular container developer tools, Docker Desktop and Docker Hub

Link HERE

–Serving the right recipe for API authentication

Compared to a decade ago, the meaning of authentication has changed significantly. Modern applications not only authenticate users but also rely on authentication for API access and inter-service communication. Authentication mechanisms still include passwords, but also rely on API keys, signed JWT tokens, and cryptographic authenticators. With so many options to choose from, making the right choice becomes a difficult challenge.
In this session, we explore several authentication recipes for different scenarios. We will discuss authentication in API-based applications, microservice architectures, and, of course, modern user authentication scenarios. At the end of this session, you will be able to choose the right authentication mechanism for your application according to current best practices

Link HERE

–The 2020 State of the Octoverse – Securing the World’s Software


Links HERE and HERE

 

Events

OWASP events HERE

OPEN Security Mini Summit


Link HERE

OWASP Israel December 2020

  • Enforcing Code & Security Standards with Semgrep
    Clint Gibler – Head of Security Research @ R2C
  • Kubernetes and Nginx – Crunchy Exterior, Soft Interior
    Kfir Tal – CyberOps Consultant @ Cilynx
  • A one-step way to protect against XXE
    Anat Mazar – Senior Developer and Security Champion @ Tufin
    Michael Furman – Lead Security Architect @ Tufin

Link HERE

Re:Invent 2020

AWS Re:Invent

Link HERE

Cloud Native Security Day North America 2020

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

NCSC Weekly Threat Report


Ransomware disrupts Maryland students

It’s been widely reported that more than 115,000 students in the US saw their online classes disrupted following a ransomware attack.

The incident, which happened just before Thanksgiving, forced schools in Maryland to remain closed into this week. The Baltimore school district has described it as a “catastrophic attack on our technology system”

Phishing attacks focus on online shoppers

Cyber criminals are upping their efforts to catch out online shoppers with phishing scams disguised as delivery emails.

Researchers at Check Point have reported that there has been a 440% rise in shipping-related phishing emails in the last month, with Europe seeing the biggest increase

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 112: Vulnerability in Paginator, Microsoft RESTLer, talks on API authentication and JWT security

Link HERE

 

Incidents & events detail

Privilege Escalation in AKS Clusters

Default AKS cluster stores admin credentials in Kubernetes ConfigMap

Link HERE

Aerospace Company Embraer Discloses Cyberattack

Brazilian aerospace conglomerate Embraer has disclosed that one of its systems was hit with a cyberattack in November. The incident has been reported to Brazil’s Securities and Exchange Commission

Link HERE

TrickBot’s Up to New Tricks

A new component in the TrickBot botnet/banking Trojan is capable of modifying the Unified Extensible Firmware Interface (UEFI) on targeted computers. This new feature “makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device,” according to researchers at Eclypsium and Advanced Intelligence (AdvIntel)

Link HERE

DarkIRC bot exploits recent Oracle WebLogic vulnerability

Link HERE

Britain puts a new offensive cyber force at the heart of its defence

The National Cyber Force of soldiers and spies has been quietly hacking away, but it must tread carefully

Link HERE

iOS Flaw Could Have Been Exploited to Take Control of Vulnerable Devices

A Google Project Zero researcher has found a bug that could have been exploited to take control of iOS devices without user interaction. Ian Beer found that a memory corruption bug affecting the iOS kernel could be exploited through Wi-Fi to remotely gain control of nearby iOS devices. Apple patched the flaw in May 2020 with iOS 12.4.7, iPadOS & iOS 13.5 and watchOS 5.3.7 & 6.2.5.
[Neely]
The flaws were addressed in Apple’s May updates for iOS, iPadOS, and watchOS, which included unexpected updates for older devices. Make sure they were applied, replace devices which cannot run the current OS releases. Ian Beer describes the flaw and research in a 30,000 word Project Zero article (googleprojectzero.blogspot.com: An iOS zero-click radio proximity exploit odyssey) which is worth reading. His key takeaway is not to conclude nobody would spend six months to hack your phone, but rather that one person, working alone, in isolation, was able to build a capability to seriously compromise devices in close proximity. His recommendations, while iOS focused, should be considered for any system where legacy code and compromises, often driven by time to market, exist

Link HERE

Research of the week

Evilginx-ing into the cloud: How we detected a red team attack in AWS

It’s no secret that we’re fans of red team exercises here at Expel. What we love even more, though, is when we get to detect a red team attack in AWS Cloud.

Get ready to nerd out with us as we walk you through a really interesting red team exercise we recently spotted in a customer’s AWS cloud environment

Link HERE

Authentication between microservices using Kubernetes identities

Service Account Token Volume projection allows you to associate non-global, time-bound and audience bound service tokens to your Kubernetes workloads
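As an added illustration that is not from the linked article, the manifest below mounts a projected service account token for a hypothetical `orders-api` workload (all names, the `inventory-api` audience and the image are assumptions) and shows the TokenReview the receiving service submits to validate it:

```yaml
# Added example (not from the linked article): a Pod that mounts a projected
# service account token instead of the legacy auto-mounted secret.
# Workload names, audience, image and paths are constructed for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: orders-api            # hypothetical workload
  namespace: shop
spec:
  serviceAccountName: orders-api
  # Disable the legacy non-expiring token mount; only the projected
  # token below is available inside the container.
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example.invalid/orders-api:1.0   # placeholder image
      volumeMounts:
        - name: inventory-token
          mountPath: /var/run/secrets/tokens
          readOnly: true
  volumes:
    - name: inventory-token
      projected:
        sources:
          - serviceAccountToken:
              # Audience-bound: the token is only valid for the inventory
              # service, so if it leaks it cannot be replayed against the
              # API server (default audience) or any other service.
              audience: inventory-api
              # Time-bound: 600 s is the minimum; the kubelet rotates the
              # file before expiry, so the app must re-read it per request.
              expirationSeconds: 600
              path: inventory-token
---
# What the receiving service (or its sidecar) sends to the API server to
# validate a presented token. The API server checks the signature, expiry,
# that the bound Pod still exists, and that "inventory-api" is among the
# token's audiences; the response carries the caller's identity
# (system:serviceaccount:shop:orders-api) on success.
apiVersion: authentication.k8s.io/v1
kind: TokenReview
spec:
  token: "<token taken from the incoming Authorization header>"
  audiences:
    - inventory-api
```

The service account of the validating side needs `create` on `tokenreviews` in `authentication.k8s.io` (the built-in `system:auth-delegator` ClusterRole grants exactly this).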

Link HERE

Whac-A-Mole: Six Years of DNS Spoofing

DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already announced from multiple origins. In this paper, we describe methods to identify DNS spoofing, infer the mechanism being used, and identify organizations that spoof from historical data. Our methods detect overt spoofing and some covertly-delayed answers, although a very diligent adversarial spoofer can hide. We use these methods to study more than six years of data about root DNS servers from thousands of vantage points. We show that spoofing today is rare, occurring only in about 1.7% of observations. However, the rate of DNS spoofing has more than doubled in less than seven years, and it occurs globally. Finally, we use data from B-Root DNS to validate our methods for spoof detection, showing a true positive rate over 0.96. B-Root confirms that spoofing occurs with both DNS injection and proxies, but proxies account for nearly all spoofing we see

Link HERE

Exploiting dynamic rendering engines to take control of web apps

  • Dynamic rendering is a technique used to serve prerendered web site pages to crawlers (e.g., Google search engine, Slack or Twitter bots, etc.)
  • The most popular open source applications for dynamic rendering are Rendertron and Prerender; both of which may introduce vulnerabilities to a network if used improperly.
  • I used a vulnerability in Rendertron to take over a production web application and earn $5,000 through a bug bounty program

Link HERE

Top 5 AI Achievements of 2020

AI has made significant progress in 2020; the world has celebrated many AI/ML accomplishments in NLP, Computer Vision and Robotics

1. GPT-3 – The Biggest Achievement of NLP: The Language of AI

2. AI-Enabled Healthcare and Drug Discovery

3. Graphics, Animation, Image, and Video Processing

4. Motion and Gestures

5. Processing Power: NVIDIA AI Accomplishment

Pros
The good news related to AI is as follows:

Outstanding AI applications related to healthcare in hospitals

AI tools helping special people

Robots helping in Agriculture

Smart devices guiding people in solving daily queries

High evolution, adaptation, and AI-based research

Cons
Some of the popular bad news is as given below:

AI involved in fake news generation

Creating porn fakes from media available on social platforms

Autonomous vehicle killing a pedestrian

Data biases causing issues in AI applications

AI system attacking production facility

Link HERE

 

Tool of the week

Link HERE – thanks to A

Announcing the Atheris Python Fuzzer

Fuzz testing is a well-known technique for uncovering programming errors. Many of these detectable errors have serious security implications. Google has found thousands of security vulnerabilities and other bugs using this technique. Fuzzing is traditionally used on native languages such as C or C++, but last year, we built a new Python fuzzing engine. Today, we’re releasing the Atheris fuzzing engine as open source

Link HERE

Cloudquery

Exposes your cloud configuration and metadata as SQL tables, providing powerful analysis and monitoring without writing code

Link HERE

Kubernetes Audits Introduction

Monitoring the security aspects of a system as complex as Kubernetes can get frustrating, especially when you want simple answers to simple questions (e.g., what happened? when did it happen?). That is exactly where Kubernetes audits come into play
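As an added example that is not part of the linked introduction, this is the kind of audit policy that answers "who did what, and when" while keeping secret values out of the log; the resource selection reflects a defender's starting point, not a recommendation from the article (rules are evaluated top-down, first match wins):

```yaml
# Added example (not from the linked article): a starting Kubernetes audit
# policy. Passed to the API server with --audit-policy-file; events are
# written where --audit-log-path points.
apiVersion: audit.k8s.io/v1
kind: Policy
# One event per request at ResponseComplete is enough for "what/when";
# skipping RequestReceived halves the volume.
omitStages:
  - RequestReceived
rules:
  # Secrets, ConfigMaps and token requests: record who touched them, but
  # never their bodies. Metadata level keeps the values out of the log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
  # Changes to RBAC and to workloads: keep the full request and response
  # body so "what exactly changed" can be reconstructed later.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
      - group: "apps"
        resources: ["deployments", "daemonsets", "statefulsets"]
      - group: ""
        # pods/exec and pods/attach are "create" requests: this captures
        # every interactive shell opened in a container.
        resources: ["pods", "pods/exec", "pods/attach"]
  # Drop high-volume, low-value traffic from control-plane components.
  - level: None
    users:
      - "system:kube-proxy"
      - "system:kube-controller-manager"
      - "system:kube-scheduler"
  # Node read traffic (kubelets watching their pods) is noise here.
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get", "list", "watch"]
  # Health and version probes.
  - level: None
    nonResourceURLs: ["/healthz*", "/livez*", "/readyz*", "/version"]
  # Everything else: who, what, when, with request metadata only.
  - level: Metadata
```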

Link HERE

Untrusted Types

Untrusted Types is a Chrome extension that abuses Trusted Types to log DOMXSS sinks. Requires Chrome v85+

Link HERE

S3 Objects Check

Whitebox evaluation of effective S3 object permissions, in order to identify publicly accessible objects.

Allows identifying publicly accessible objects, as well as objects accessible for AuthenticatedUsers (by using a secondary profile). A number of tools exist which check permissions on buckets, but due to the complexity of IAM resource policies and ACL combinations, the effective permissions on specific objects are often hard to assess. The tool runs fast as it uses asyncio and aiobotocore

Link HERE

Utku Sen’s

                                    \_/\o   
                                   ( Oo)                    \|/
                                   (_=-)  .===O-  ~~U~R~L~~ -O-
                                   /   \_/U'        hunter  /|\
                                   ||  |_/
                                   \\  |    utkusen.com
                                   {K ||   twitter.com/utkusen

 

urlhunter is a recon tool that allows searching on URLs that are exposed via shortener services such as bit.ly and goo.gl. The project is written in Go

Link HERE

IAMFinder: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance

Link HERE

Remember: Connaisseur

An admission controller for Kubernetes that integrates Image Signature Verification into a cluster, as a means to ensure that only valid images are being deployed

Link HERE

GoogleCloud: Monitor and secure your containers with new Container Threat Detection

Link HERE

Open-Source Endpoint Detection and Response with CIS Benchmarks, Osquery, Elastic Stack, and TheHive

Link HERE

Other interesting articles 

##DeepMind’s protein-folding AI has solved a 50-year-old grand challenge of biology

AlphaFold can predict the shape of proteins to within the width of an atom. The breakthrough will help scientists design drugs and understand disease

Link HERE

 

##How Eth2.0 mitigates specific PoS (Proof of Stake) attacks

In December 2020, the ETH2.0 Beacon Chain launched. This Phase 0 launch forms part of a multi-year process that will see ETH1.x transform from a PoW (Proof of Work) to a PoS (Proof of Stake) blockchain.

This is an exciting period in Ethland and is the product of years of research into optimal solutions to ensure Ethereum remains secure and decentralized despite a change of consensus mechanism. It has been a long-held belief that PoW has the strongest security guarantees, unlike, say, PoS

Link HERE – thanks to TK

 

##HOW TO DETECT A HIDDEN CAMERA IN A ROOM

Link HERE

 

##Introducing Amazon Curate (I Wish)

There are thousands or even millions of creators putting out great content that nobody is seeing.

Amazon Curate is a new product that combines content discovery with content personalization

Link HERE

 

##Why Is Apple’s M1 Chip So Fast?

Real-world experience with the new M1 Macs has started ticking in. They are fast. Real fast. But why? What is the magic?

Link HERE

 

##And finally, a practical guide to working remotely with all 16 personality types

Experts weigh in on how classic Myers-Briggs personality traits translate to remote work and can be the key to successful collaboration

Link HERE

AND

Welcome to the new Middle Ages

Rising inequality, lower mobility, contempt for the poor and widespread celibacy — we’re returning to the past.

Today the richest 40 Americans have more wealth than the poorest 185 million Americans. The leading 100 landowners now own 40 million acres of American land, an area the size of New England. There has been a vast increase in American inequality since the mid-20th century, and Europe — though some way behind — is on a similar course.

These are among the alarming stats cited by Joel Kotkin’s The Coming of Neo-Feudalism, published earlier this year just as lockdown sped up some of the trends he chronicled: increased tech dominance, rising inequality between rich and poor, not just in wealth but in health, and record levels of loneliness (4,000 Japanese people die alone each week, he cheerfully informs us)

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://bit.ly/3lDEFtW  (+)

Description: Host `docker` binary overwrite from Kata VM.

URL: https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html

Description: An iOS zero-click radio proximity exploit odyssey

Links HERE and HERE and credits to HERE

 

 
