Nick Frichette Profile picture
Staff Security Researcher @datadoghq | DEF CON/Black Hat main stage speaker | he/him | OSCP OSWE | Tweets are my own | Created https://t.co/QGWMJjv9pc
Oct 4 12 tweets 4 min read
Great blog post from @permisosecurity on LLMHijacking attacks against AWS Bedrock. I remember when we first started seeing this behavior from threat actors and I couldn't figure out why they would target Bedrock. Well, I guess we have on answer. 🧵
permiso.io/blog/exploitin… I wanted to talk a little bit about some of their tradecraft because it's interesting and adjacent to the undocumented API stuff I've been doing. In particular, these TAs were invoking a number of APIs which only appear in the console. Image
May 28 9 tweets 2 min read
New AWS vulns! We found more ways to bypass AWS CloudTrail! We also describe methods Penetration Testers and Red Teamers can use to evade detection in AWS environments!
securitylabs.datadoghq.com/articles/non-p… First, let's talk about silent permission enumeration. You know how threat actors steal AWS creds and then immediately spam a bunch of API calls looking for what they can access? That's great for defenders because it's fairly apparent when it occurs. We've found a way around that
Mar 3 24 tweets 7 min read
It's a beautiful Sunday, so let's chat about hacking AWS environments! In this thread, I want to talk about an interesting quirk with Amazon Cognito, demo why least privilege is the most important thing in the cloud, and emphasize that mitigations aren't always enough. A 🧵 For the demo we have an Identity pool which supports guest access and has a user pool attached for authenticated access. The Identity pool does NOT have the classic flow enabled, and the user pool does NOT allow registration (this is important later). Image
Feb 3 42 tweets 27 min read
As someone involved in the AWS offsec space, I want to share why I strongly do NOT recommend the HackTricks AWS Red Team Expert course. The author of it is a plagiarist, stealing content from other creators and is directly profiting off of it through sponsorships. A 🧵 The nature of the plagiarism depends per article. Sometimes it's entirely copy-pasted from another source. Sometimes it's only a couple paragraphs. Sometimes there is a "reference" (a link at the bottom of the page where it was copied from), but that hardly fits the meaning.
Jan 31 34 tweets 9 min read
Today is an interesting day! I read a report about a threat actor, and for once I'm impressed! This is the first I can remember in which a TA has displayed NEW tradecraft, before researchers have shared it widely. Let's review in this 🧵
invictus-ir.com/news/the-curio… Okay, starting off rough. There was an access key that was exposed that had AdministratorAccess. This happens way too frequently and is always a major risk. Security Teams: Delete these keys and these IAM users! They are a major risk to you. Let's see what the TA does with this Image
Nov 7, 2022 27 tweets 6 min read
As security researchers, we don’t often discuss failed research projects. While it may be a bit embarrassing to not succeed, there are still lessons learned from the project. In this thread, I’d like to share research I’ve been doing on-and-off on identifying AWS honeytokens. 🧵 (Side note before diving in: If you do find a way around this, I would love to feature your work on Hacking the Cloud)
Feb 7, 2022 12 tweets 3 min read
Thinkst (who I love btw) has a great post about attackers targeting AWS API keys. I'd like to expand on this a bit and discuss a technique not mentioned in the post (but it is on Hacking the Cloud) 1/x hackingthe.cloud/aws/enumeratio… Please note: I'm not focusing on the CanaryToken product itself. Instead I'll be describing validating regular stolen AWS credentials.
Jan 20, 2022 4 tweets 2 min read
Tremendous news everyone (in offsec)! There's a bypass for the new GuardDuty InstanceCredentialExfiltration finding! It's via VPC endpoints! (I caution this is with limited testing) ImageImageImageImage So it looks like you can steal IAM credentials from a EC2 instance and then you can create your own EC2 but stick it in a private subnet along side a ton of VPC Endpoints (to be clear this is still remarkably painful and annoyting, but at least for now it wont show in GuardDuty
Sep 27, 2021 14 tweets 4 min read
So uhh, someone managed to foil my plan of going to bed early tonight. I got a notification to my personal email that I successfully registered a Cloudflare account......I don't use Cloudflare. Join me in my journey to figure out what happened... This had me scrambling. Why would someone register a Cloudflare account in my name? What would someone get out of doing this? Did I accidentally do this? What do I know about Cloudflare? Is this phishing? (Couldn't be phishing, this is a terrible pretext. Domains checked out).