An area needing attention for protecting modern applications against threats👇
-access via IDP identities
-LUCR-3 uses SaaS applications to learn how the victim organization operates and how to access sensitive information."
#cloudsecurity#iam#sspm#appsec@permisosecurity
Dadgum, this is a good and content-rich read. Lots of crisp TTPs to consider detections for. https://t.co/bDos5TqScy // hat tip @permisosecurity@TekDefense
Beware of LUCR-3! 🚨 Threat actor that overlaps with Scattered Spider, Oktapus, UNC3944, & STORM-0875, they exploit IDPs for initial access & aim to steal IP for extortion. They use victims' tools and evade detection with expertise. @permisosecurity
https://t.co/WEbwLJkBWY
📴Hopefully your org doesn't allow SMS for 2FA (especially for privileged accounts in Azure AD).
Don't stop at disabling it. Monitor for threat actors trying to modify it. Nice transparency into threat actor tampering & recommendations @TekDefense/@p0Labs
📰Full blog: https://t.co/3nj1fsjRha
Excellent 🆕blog from @permisosecurity on the most disruptive criminal intrusion set we're all working on. Blog details evasive techniques scattered across SaaS & multi-cloud environments.
Keep an eye out for usage of deprecated #AWS policies. @gl4ssesbo1 makes his @permisosecurity@P0Labs blog debut talking about the dangers of the deprecated policy AmazonEC2RoleforSSM https://t.co/VNsy25x7AY
Here @permisosecurity the focus is on detection of #identity and #cloud threat activity. #Detection can be an art form with various methodologies. In this article we describe our approach to detection using AndroxGh0st and GreenBot as an example!
https://t.co/HXJSOaZHex
.@TekDefense & the @permisosecurity p0 Labs team get it.
This time showing you how older techniques like HIST* mods can be combined with new signal to hunt for credential harvesting campaigns
$hist1 = "HISTSIZE=0"
$hist2 = "unset HISTFILE"
🆕 https://t.co/vaOPwfaUi2 🎅
🔖 Cloud Cred Harvesting Campaign
A credential harvesting campaign targeting cloud infrastructure. The majority of the victim system were running public facing Juptyer Notebooks. From @permisosecurity
https://t.co/nc1PA38eIB
@permisosecurity & @ExpelSecurity both writing a blog within a week of each other explaining how threat actors are exploiting the Simple Email Service (SES) within #aws. Please read and learn from these articles! https://t.co/wybt8CwSCy #cloud#threatdetection
🔖 SES-pionage
What do attackers do with exposed AWS access keys? This blog looks inside AWS SES to give deeper insights into the service, why & how its targeted and how to detect it. From @permisosecurity
https://t.co/I5y9RNRb9z
Last week we @permisosecurity wrote an article https://t.co/sG2UoxxHz0 speaking to a #google ads phishing campaign targeting #brazilian#AWS users.
@TomHegel discovered the next phase of the attackers campaign, catch the details from the @SentinelOne team https://t.co/p0GNJdiecb
2022 was a great year for the @permisosecurity@P0Labs team. Hundreds of hours dedicated to researching, detecting, and helping our clients responds to #cloud attacks. Here are some of our observations:
https://t.co/KzSjJXHsy3
Compromised Access Keys aren't the only vector for #cloud Attacks. Checkout our (@permisosecurity ) latest article where we detail an ongoing wateringhole attack targeting #AWS management console users via #google ads.
https://t.co/ykTPw0qwHd
Checkout some of the great research from the @permisosecurity@P0Labs team from last year:
1. #Okta Impersonation: https://t.co/LbG8p6iwgt
2. Anatomy of an #AWS attack: https://t.co/JtC94UHT0C
3. #Cloud Cred Harvesting: https://t.co/a6R8G43x3n
... and more!
I'm super excited to announce that I've joined @permisosecurity as a Principal Security Researcher!
Stoked to be reunited with the fiercely fun & technical @TekDefense on the @P0Labs research team. Several weeks in & I'm super impressed by the team, tools, data & capabilities.