Release Date: 29/09/2019 | Issue: 5
"The Cloud Security Reading List" is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

Knowing how difficult it is to stay up to date with all the different news and releases occurring in this industry, I hope this will be helpful for other people who are particularly interested in this corner of the security scenario.

This week's articles

  • Container Runtime Security Bypasses on Falco A blog post describing some of the nuances of auditing Falco during security assessments, and demonstrating how to think through some bypasses. The post goes through common approaches taken while auditing runtime security tools and, as bonus points, even provides a couple of bypasses (for the terminal alert, the sensitive volume alert, and the privileged container alert).
     
  • The Path Less Traveled: Abusing Kubernetes Defaults Slides from the talk @iancoldwater and @mauilion presented at Black Hat USA 2019. Takeaway: "check your assumptions, neither kubernetes nor the apps deployed on it are secure by default".
     
  • Azure Sentinel is now GA Azure Sentinel, a cloud-native SIEM that provides intelligent security analytics at cloud scale for enterprises of all sizes and workloads, is now generally available. It is also interesting to read design considerations related to Sentinel.
     
  • Container Image Squatting in a Multi-Registry World Another interesting piece of research by @raesene, this time on attackers squatting on common Docker Hub account names to try to trick users into pulling malicious images, a process made somewhat easier by the fact that you can register organization names on Quay.io. Some mitigations are provided if you're planning to adopt podman.
     
  • Abusing VPC Traffic Mirroring in AWS PoC script by @rhinosecurity that uses AWS VPC Traffic Mirroring to mirror and exfiltrate network traffic in AWS VPCs. Malicious VPC traffic mirroring can be extremely impactful because network traffic moving around within VPCs often contains sensitive information. The likelihood of malicious VPC traffic mirroring is also very high because there are often large amounts of cleartext traffic flowing through a VPC. One reason for the common use of cleartext traffic is that, before traffic mirroring existed, it was very unlikely that the traffic would be sniffed, so it wasn't considered very risky (think of TLS termination at NLBs). Related script: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror/.
     
  • CVE-2019-8451 Unauthorized SSRF via REST API As pointed out by Dino: "If you're running JIRA on AWS, consider this SSRF to be RCE".
     
  • SSRF_Vulnerable_Lab A repository that contains sample code vulnerable to Server-Side Request Forgery attacks. But, why in PHP?!
     
  • Docker apparmor bypass that fits in a tweet Nice and compact.
     
  • How to keep your Kubernetes secrets secure in Git If you really really really want to store your secrets within your source code, this post describes techniques for using Git to keep your Kubernetes secrets secure.
Copyright © 2019 The Cloud Security Reading List, All rights reserved.