Offensive Cloud Security

Breaking The Chain: How Threat Actors Exploit Supply Chains in Major CSPs

Introduction

In 2022, a significant phishing campaign known as “0ktapus” targeted Okta users, successfully bypassing their one-time code-based multi-factor authentication (MFA). Attackers sent SMS messages containing links to phishing sites that closely resembled the victims’ organizational Okta login pages. Unsuspecting employees entered their corporate credentials and 2FA codes into these fraudulent sites, which were then captured by the attackers. Many enterprises that integrated Okta with cloud service providers such as AWS, Azure, and Google Cloud Platform (GCP) for authentication and security were affected. The complexity of cloud-native architectures, shared responsibility models, and the dynamic nature of cloud environments further amplify these challenges.

Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack

Cloud supply chain attacks are becoming increasingly frequent and sophisticated, posing significant risks to organizations. As businesses rely more on cloud services for digital transformation, securing cloud supply chains has become a critical challenge. Unlike traditional IT environments, cloud supply chains involve multiple interconnected vendors, third-party software providers, and dependencies, each introducing security vulnerabilities. A single compromised component, such as a vulnerable third-party API, misconfigured software update, or exploited identity federation, can serve as an entry point for widespread breaches, leading to data theft, service disruptions, and regulatory

By |2025-03-07T19:38:09+02:0004/03/2025|Categories: Blog, New, Offensive Cloud Security|Tags: , , , , , , |Comments Off on Breaking The Chain: How Threat Actors Exploit Supply Chains in Major CSPs
Read More

Understanding Supply Chain Attacks in the Cloud: An Introduction to the Silent Threat

In March 2024, Microsoft employee and PostgreSQL developer Andres Freund while investigating a performance regression in Debian Sid he noticed unusually high CPU usage in SSH connections and errors in the Valgrind memory debugging tool. During his investigation, Freund discovered a backdoor in the popular Xz Utils application. He reported the findings to the Openwall Project’s security mailing list, alerting software vendors.

Andrew's first report to openwall mailing list Andrew’s first report to Openwall mailing list

The Xz Utils backdoor supply chain attack involved the insertion of malicious code into a widely used open-source library, Xz Libs, which is essential for Unix-based systems. The attacker had attempted to obfuscate the backdoor by implementing it in multiple stages. This supply chain attack gave attackers unauthorized access and control over systems using the compromised versions of the library.

The threat was particularly severe, as it targeted a critical part of server infrastructure used by millions. This incident highlighted once more the raising trend in sophisticated supply chain attack over the recent years.

Introduction to Supply Chain Attacks

What Are Supply Chain Attacks?

Supply chain attacks have existed for decades, initially focusing on physical goods and manufacturing processes, often referred to as physical supply chain attacks. Historically, adversaries exploited networks of

By |2025-02-05T11:28:56+02:0003/02/2025|Categories: Blog, Offensive Cloud Security|Tags: , , , , , , |Comments Off on Understanding Supply Chain Attacks in the Cloud: An Introduction to the Silent Threat
Read More

Abusing Azure Arc for lateral movement

What is Azure Arc ?

According to Microsoft, Azure Arc is a bridge that extends the Azure platform to help you build applications and services with the flexibility to run across datacenters, at the edge, and in multi-cloud environments.

In simple words, Azure Arc is designed to allow you to manage resource on-premises, other public cloud (AWS, GCP, Alibaba, etc.) and edge devices (IoT) from Azure Portal.

Currently, the supported resource types which are hosted outside of Azure are the following:

  • Physical and Virtual Windows and Linux Servers
  • Kubernetes Clusters
  • Azure data services (SQL Managed Instance and PostgreSQL Hyperscale)
  • SQL Server
  • VMWare vSphere or Azure Stack HCI

Why Azure Arc ? The benefits of using Azure Arc are the following:

  • Centralize platform (Azure) to manage all resources (Azure, on-premises and multi-cloud)
  • Deploy policies and maintain compliance and governance
  • Utilize Azure Security Center
  • Patching Management
  • Azure Monitor — Forward event viewer logs to your SIEM
  • Utilize RBAC, tagging and identity policies
  • Use Automation like extension where you can install application that provide post-deployment configuration
  • There’s no cost to start. Just pay for policies and other azure services that is attached. (e.g. Azure Defender or Azure Monitor)

How to onboard on-premise or multi-cloud resource ?

Onboarding is very simple either if you want to onboard one or multiple servers.

From Azure Portal search for Azure Arc:

At left-hand side, under Infrastructure click Servers and then Add: For the purpose of the demo, we are going to onboard

By |2024-11-16T09:41:32+02:0016/11/2024|Categories: #BreachingAzure, Offensive Cloud Security|Tags: |Comments Off on Abusing Azure Arc for lateral movement
Read More

Intro To AWS Enumeration – Part 1

Hello and welcome to CloudBreach’s first blog post on “Introduction to AWS Enumeration” with a special emphasis on the security aspects. In the dynamic realm of cloud security, the paramount first step of any offensive security engagement is undoubtedly enumeration. This methodical process of gathering comprehensive information about target systems is not just a preliminary step; it is the cornerstone upon which successful security engagements are built. Even in the intricate and expansive cloud environments, the principle of ‘Enumeration First’ holds its ground as the key to unveiling the concealed vulnerabilities and potential attack vectors.

Our short blog delves deep into unlocking the secrets of unauthenticated AWS S3 enumeration through the lens of a potential adversary. Upcoming blogposts will explore the security dimensions other AWS services.

What is Amazon S3 ?

Amazon Simple Storage Service (Amazon S3) is a scalable object storage service provided by Amazon Web Services (AWS). It is designed to store and retrieve any amount of data from anywhere on the web.

Image Source: Amazon S3 Documentation [https://aws.amazon.com/s3/]

In the context of AWS enumeration, particularly when discussing Amazon S3, there are two main types of enumeration: unauthenticated and authenticated. Each type has its own methodologies, tools, limitations. In this article, we will focus

By |2024-03-10T13:26:25+02:0005/02/2024|Categories: #BreachingAWS, Offensive Cloud Security|Tags: , , , |Comments Off on Intro To AWS Enumeration – Part 1
Read More
Logo
Go to Top