Come meet our Threat Research Team at DEFCON 27! We’ll be on stage at the DEFCON Cloud Village, taking place August 9 through August 11, at the Flamingo Hotel in Las Vegas!
The research team will be talking about various threats related to Software as a Service (SaaS) and Infrastructure as a Service (IaaS) platforms. We'll have four talks featured there, some of which will include exploitation demos. You can see the schedule at https://cloud-village.org.
Exploiting IAM in the Google Cloud Platform
Speaker - Colin Estep
Identity and Access Management (IAM) in any public cloud provider can be tricky to configure appropriately. We've all seen the headlines about storage buckets being open to the public and exposing sensitive information, but what about the permissions we are giving our users and apps that run in our cloud environment? It's becoming more difficult to understand who has permissions over resources and what the implications of those permissions are as more controls proliferate across the public cloud providers.
In this talk, we will take a closer look at the Google Cloud Platform (GCP) IAM model. You'll be introduced to the relevant concepts to understand the different types of identities, IAM permissions, and scopes. We'll examine the permissions and scopes assigned to the compute engine service account created for you by default. Did you know that the default IAM policy for the compute engine service account includes the ability to impersonate other service accounts, among other things?
Most importantly, we'll learn how to leverage certain configurations of the service account to escalate privileges from a virtual machine. I will show a demo where I use a shell on a virtual machine to tear down another security control to allow data exfiltration out of the environment. By the end of the talk, you'll understand how to impersonate service accounts, conduct recon, and escalate your privileges from a virtual machine. You'll also get some ideas on how to mitigate these attacks.
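The two ingredients the abstract names, the roles bound to the default compute engine service account and the OAuth scopes granted to each VM, can be audited offline from exported JSON. The following is an added example written for this page, not code from Netskope or the speaker; it assumes the project IAM policy is in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and the instance list in the shape of `gcloud compute instances list --format=json`. The project number, instance names and bindings in the sample are constructed.

```python
import json
import re

# Roles that let a principal act as, or mint tokens for, other service accounts.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}
# Primitive roles: Owner and Editor include iam.serviceAccounts.actAs among many other permissions.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
# OAuth scopes under which a token from the VM metadata server can reach the IAM APIs.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/iam",
}
# The default compute engine service account is <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def find_risky_bindings(policy):
    """Return (email, role, reason) for every binding that gives the default
    compute service account a primitive or impersonation-capable role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            if kind != "serviceAccount" or not DEFAULT_COMPUTE_SA.match(email):
                continue
            if role in PRIMITIVE_ROLES:
                findings.append((email, role, "primitive role on default compute SA"))
            elif role in IMPERSONATION_ROLES:
                findings.append((email, role, "impersonation role on default compute SA"))
    return findings


def instances_at_risk(policy, instances):
    """Names of VMs whose attached service account carries a flagged role AND
    whose scopes are broad enough for a token from the VM to exercise it.
    A flagged role behind narrow scopes is not reported: the scopes limit the token."""
    risky_emails = {email for email, _, _ in find_risky_bindings(policy)}
    at_risk = []
    for inst in instances:
        for sa in inst.get("serviceAccounts", []):
            if sa.get("email") in risky_emails and BROAD_SCOPES & set(sa.get("scopes", [])):
                at_risk.append(inst["name"])
                break
    return at_risk


# Constructed sample data (hypothetical project number 123456789012).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
               "user:alice@example.com"]},
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
  {"role": "roles/viewer", "members": ["group:auditors@example.com"]}
], "etag": "BwXYZ", "version": 1}
""")

SAMPLE_INSTANCES = json.loads("""
[{"name": "web-1", "serviceAccounts": [
    {"email": "123456789012-compute@developer.gserviceaccount.com",
     "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
 {"name": "web-2", "serviceAccounts": [
    {"email": "123456789012-compute@developer.gserviceaccount.com",
     "scopes": ["https://www.googleapis.com/auth/logging.write",
                "https://www.googleapis.com/auth/devstorage.read_only"]}]}]
""")

if __name__ == "__main__":
    for email, role, reason in find_risky_bindings(SAMPLE_POLICY):
        print(f"{email}: {role} ({reason})")
    print("instances at risk:", instances_at_risk(SAMPLE_POLICY, SAMPLE_INSTANCES))
```

In the sample, web-1 is reported because its cloud-platform scope lets a token from the metadata server use the Editor and Token Creator roles, while web-2 is not, even though it runs under the same account, because its scopes only reach logging and read-only storage. The usual mitigations follow directly from the output: replace the default account with a dedicated service account per workload, strip the primitive role, and grant only the scopes each VM needs.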
Here for a good time, not a long time: exploiting AWS loopholes with temporary credentials
Speaker - Jenko Hwong
I'll explore the limitations of temporary tokens including:
- The lack of visibility/management
- Minimal logging
- Limited remediation options
- How this can be taken advantage of, especially in combination with other techniques such as role assumption, pre-signed URLs, log attacks, and serverless functions, to achieve persistence, lateral movement, and obfuscation.
In addition, I'll look at common defensive techniques and best practices around lockdown, provisioning, logging and alerting to see whether these are practical and can shift the field.
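The visibility and logging limitations listed above can be partly closed by building an inventory of temporary credentials from CloudTrail: every STS call that mints credentials records the new access key id in its response, and every later call made with that key carries it in `userIdentity.accessKeyId`. The following is an added example written for this page, not code from Netskope or the speaker; it assumes records in the standard CloudTrail JSON shape, and relies on the documented convention that temporary access key ids begin with `ASIA` while long-term IAM user keys begin with `AKIA`. The account id, ARNs, key ids and timestamps in the sample are constructed.

```python
import json

# STS calls that return temporary credentials in responseElements.credentials.
ISSUING_CALLS = {
    "AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity",
    "GetSessionToken", "GetFederationToken",
}


def is_temporary_key(access_key_id):
    """Temporary access key ids start with ASIA; long-term user keys start with AKIA."""
    return bool(access_key_id) and access_key_id.startswith("ASIA")


def inventory_temporary_credentials(records):
    """Map each temporary access key id to where it came from and what it was used for.

    Issuance events populate issued_by / via / expires; every call made with a
    temporary key (including a chained AssumeRole) is appended to that key's calls."""
    inventory = {}

    def entry_for(key):
        return inventory.setdefault(key, {"issuance_seen": False, "calls": []})

    for rec in records:
        identity = rec.get("userIdentity") or {}
        # 1. Did this event mint new temporary credentials?
        if rec.get("eventSource") == "sts.amazonaws.com" and rec.get("eventName") in ISSUING_CALLS:
            creds = (rec.get("responseElements") or {}).get("credentials") or {}
            new_key = creds.get("accessKeyId")
            if new_key:
                entry_for(new_key).update({
                    "issuance_seen": True,
                    "issued_at": rec.get("eventTime"),
                    "issued_by": identity.get("arn"),
                    "issued_with_key": identity.get("accessKeyId"),  # parent key when chaining roles
                    "via": rec["eventName"],
                    "expires": creds.get("expiration"),
                    "source_ip": rec.get("sourceIPAddress"),
                })
        # 2. Was this event itself made with a temporary key? (No `continue` above, so a
        #    chained AssumeRole counts as usage of the parent key.)
        caller_key = identity.get("accessKeyId")
        if is_temporary_key(caller_key):
            entry_for(caller_key)["calls"].append(
                (rec.get("eventTime"), rec.get("eventSource"), rec.get("eventName")))
    return inventory


def unexplained_temporary_keys(inventory):
    """Temporary keys seen in use whose issuing STS call is absent from the analysed records:
    either issued outside the log window or by a path that was not captured."""
    return sorted(k for k, v in inventory.items() if not v["issuance_seen"])


# Constructed CloudTrail sample: a user assumes a role, uses it, chains to a second
# role, and a separate temporary key appears with no issuance event.
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2019-08-01T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                   "accessKeyId": "AKIAEXAMPLE000003"},
  "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Deploy", "roleSessionName": "deploy-1"},
  "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000001",
                                       "expiration": "Aug 1, 2019 11:00:00 AM"}}},
 {"eventTime": "2019-08-01T10:01:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000001",
                   "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/deploy-1"}},
 {"eventTime": "2019-08-01T10:02:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000001",
                   "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/deploy-1"},
  "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Admin", "roleSessionName": "hop-2"},
  "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000004",
                                       "expiration": "Aug 1, 2019 11:02:00 AM"}}},
 {"eventTime": "2019-08-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000002",
                   "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/unknown"}},
 {"eventTime": "2019-08-01T10:06:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000003",
                   "arn": "arn:aws:iam::123456789012:user/alice"}}
]}
""")

if __name__ == "__main__":
    inv = inventory_temporary_credentials(SAMPLE_TRAIL["Records"])
    for key, info in inv.items():
        print(key, "issued_by=%s via=%s calls=%d" % (info.get("issued_by"), info.get("via"), len(info["calls"])))
    print("no issuance seen:", unexplained_temporary_keys(inv))
```

The chain in the sample (alice's long-term key, then a role session, then a second role assumed from inside that session) is exactly the sort of lateral movement the abstract refers to, and the inventory makes it readable as a single lineage. The key with no recorded issuance is the case that deserves a closer look, since CloudTrail only shows how it was used, not where it came from.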
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
Speaker - Erick Galinkin
What happens when attackers start taking advantage of whitelisted APIs as a form of obfuscated command and control? Companies both large and small are moving workloads to the cloud and are very concerned with how to secure their resources that live in AWS, GCP, and Azure. However, they don't address how enabling this access changes their internal attack surface and weakens their defenses.
In this talk, we demonstrate that attackers no longer have any reason to rely on conventional command-and-control (C2) infrastructure, being able to outsource their costs and infrastructure management to the likes of Slack, GitHub, Pastebin, Dropbox, Google, and social media sites. Using these sorts of techniques, URL blacklisting becomes obsolete, IDS becomes less effective, and attackers no longer have to waste their time writing domain generation algorithms.
Specifically, I will demo proof-of-concept malware that uses multiple SaaS services, social networks, and more conventional "cloud infrastructure" (S3), and that would be extremely difficult to mitigate generically with today's IPS solutions. We then discuss how the same techniques can be used by red teams and attackers to quietly maintain persistence and exfiltrate data.
Phishing in the cloud era
Speakers - Ashwin Vamshi, Abhinav Singh
Enterprises exclusively use SaaS, PaaS and IaaS services for storing and sharing critical and confidential data. End users as well as security products tend to place implicit trust in trusted cloud services. This talk will focus on how attackers are abusing these trusted cloud services to create phishing attacks leading to Business Email Compromise. The talk will also deep dive into specific use cases that demonstrate their attack methodology.
We will first demonstrate the abuse of the "Default Allow" policy in popular PDF readers and the use of Annotation tags in themed decoy templates. Along similar lines, we will detail an attack that abused the open redirection in Google App Engine to deliver malware.
The talk also covers the use case of a PhaaS (Phishing-as-a-Service) B-to-C model where full-fledged phishing infrastructure was hosted across several cloud services. We will then discuss some inherent design constraints and weaknesses in these services that benefit cybercriminals in creating attacks that bypass modern day security solutions.
We will then examine the motivation behind this new trend, its monetary impact in the cybercrime market and its simplicity, which is attracting more and more novice cybercriminals to build their attacks by abusing such services.