Nitesh Surana is a Senior Threat Researcher with Trend Micro specializing in cloud vulnerability and security research. He was recently ranked among the top 10 Microsoft Security Researchers for 2024, primarily for submissions made via the Zero Day Initiative. His research has been presented at conferences such as Black Hat [USA, Asia], FIRSTCON, HackInTheBox, HackInParis, Nullcon, c0c0n, Vulncon, Security BSides [Delhi, Bangalore, Ahmedabad], NDC Oslo and OWASP/Null Bangalore meetups. Apart from playing with packets and syscalls, Nitesh can be found at metal concerts and writing or playing music.
Links: Hacking Archives of India, LinkedIn, Twitter, YouTube, Profile Picture
FROM CODE TO CRIME: EXPLORING THREATS IN GITHUB CODESPACES @ VirusBulletin 2024, Dublin, Ireland
Cloud-based development environments enable developers to work from any device with internet access. Introduced during the GitHub Universe event in November 2022, Codespaces offers a customizable cloud-based IDE that simplifies project development. However, the openness of this service has been exploited by attackers, leading to in-the-wild campaigns that leverage GitHub Codespaces for developing, hosting, and exfiltrating stolen information. The presentation will showcase GitHub Codespaces' features and explore the typical ways threat actors abuse them, focusing on observed malicious campaigns. The highlighted case is DeltaStealer, a credential-stealing malware family with diverse variants, some of which carry unusual capabilities such as persistent compromise of Discord authentication and cloud-based data exfiltration. Because these infostealers were developed using GitHub Codespaces, they contain revealing artifacts, including debug symbols, that expose details about their developers' identities. The presentation will present social media evidence and conclude with practical recommendations on configuring cloud-based IDEs securely, identifying suspicious instances, and proactively addressing similar threats.
TOKENS & TAKEOVERS: CLOUD POWERED SUPPLY CHAIN ATTACKS @ BSides Ahmedabad 2024, Gujarat, India
It takes a single misconfigured token to jeopardize cloud resources and the downstream systems that depend on them; a recent example is an overly permissive SAS token that led to the 2023 leak of 38 TB of Microsoft AI research data. After Microsoft's account of that incident, we did our own hunting for overly permissive SAS tokens. We found two different ways of controlling a widely used official Microsoft tool, PC Manager. One could eventually execute a classic supply chain attack across multiple releases of MS PC Manager that were sprinkled across the web in blogs, support forums, an official website and WinGet packages. Using the SAS tokens, we could take over every release of MS PC Manager. Furthermore, we will share findings in which one could inject malicious stored procedures into database backups used by tutorials referenced in official Azure docs, and modify JavaScript resources used on multiple websites with one single SAS token. To conclude, we will share what practitioners can do to proactively hunt for sensitive information in URL parameters in their own environments.
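The abstract above turns on two properties of an Azure SAS token: what permissions it grants and how long and how broadly it is valid. The following Python scanner is an added illustration of the proactive hunting the talk refers to; it is not code from the talk, from Trend Micro or from Microsoft. It pulls Azure SAS URLs out of arbitrary text (docs, scripts, support posts) and flags tokens that grant mutating permissions, are valid for more than a year, or are scoped at account level, while masking the signature so the report itself does not leak the secret. The sample text, hostnames, signature values, the `DEMO_NOW` reference clock and the one-year threshold are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Azure SAS permission letters that allow changing data: a=add, c=create,
# w=write, d=delete. r (read) and l (list) are read-only.
MUTATING_PERMS = {"a", "c", "w", "d"}

# Example's own threshold: anything valid for longer than this is "long-lived".
MAX_REASONABLE_LIFETIME = timedelta(days=365)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _parse_sas_time(value: str) -> Optional[datetime]:
    """Parse the 'se'/'st' field (ISO 8601, usually ending in Z) as an aware UTC datetime."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def assess_sas_url(url: str, now: Optional[datetime] = None) -> dict:
    """Return a report for one SAS URL; 'permissive' is True if any check fires."""
    now = now or datetime.now(timezone.utc)
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    reasons = []

    perms = set(q.get("sp", ""))
    mutating = "".join(sorted(perms & MUTATING_PERMS))
    if mutating:
        reasons.append(f"mutating permissions {mutating}")

    expiry = _parse_sas_time(q["se"]) if "se" in q else None
    if expiry is None:
        reasons.append("no parseable expiry")
    elif expiry - now > MAX_REASONABLE_LIFETIME:
        reasons.append(f"expires {expiry.date()} (more than a year out)")

    # Account SAS: srt lists resource types (s=service, c=container, o=object)
    # and ss lists services (b=blob, f=file, q=queue, t=table). Service- or
    # container-level scope reaches far beyond a single object.
    if "srt" in q and set(q["srt"]) & {"s", "c"}:
        reasons.append(f"account-level scope srt={q['srt']} ss={q.get('ss', '')}")

    # Never log the signature itself: mask it so the report is safe to share.
    redacted = re.sub(r"(sig=)[^&]+", r"\1<redacted>", url)
    return {
        "url": redacted,
        "host": parsed.netloc,
        "permissions": q.get("sp", ""),
        "reasons": reasons,
        "permissive": bool(reasons),
    }


def scan_text(text: str, now: Optional[datetime] = None) -> list:
    """Find every URL carrying a SAS token (sig + sv) in free text and assess it."""
    results = []
    for url in URL_RE.findall(text):
        q = parse_qs(urlparse(url).query)
        if "sig" in q and "sv" in q:
            results.append(assess_sas_url(url, now))
    return results


# Constructed sample: a read-only, short-lived object SAS and an account SAS
# with write/delete rights that stays valid until 2099.
SAMPLE_TEXT = """\
Read-only link from a tutorial (constructed):
https://contoso.blob.core.windows.net/docs/guide.pdf?sv=2022-11-02&sr=b&sp=r&st=2024-01-01T00:00:00Z&se=2024-01-02T00:00:00Z&sig=AAAAexampleAAAA
Plain link with no token: https://example.com/downloads/setup.exe
Account SAS buried in a script (constructed):
https://contoso.blob.core.windows.net/?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup&se=2099-12-31T23:59:59Z&sig=BBBBexampleBBBB
"""

# Fixed reference clock so the demo is reproducible.
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def demo() -> list:
    return scan_text(SAMPLE_TEXT, now=DEMO_NOW)


if __name__ == "__main__":
    for finding in demo():
        status = "PERMISSIVE" if finding["permissive"] else "ok"
        print(f"[{status}] {finding['host']} sp={finding['permissions']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run the same scanner over exported wiki pages, CI logs or package manifests to get a triage list; the three checks are deliberately conservative, and a stored-access-policy token (`si=`) with no `se` will surface as "no parseable expiry" so it gets a manual look rather than being silently skipped.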
| ZDI Advisory | Severity (CVSS) | Vulnerability |
|---|---|---|
ZDI-24-1181 | 7.6 | Axis Communications Autodesk Plugin Exposure of Sensitive Information Authentication Bypass Vulnerability |
ZDI-24-1177 | 9.8 | Amazon AWS CloudFormation Templates Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1176 | 9.8 | Amazon AWS aws-glue-with-s2s-vpn Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1097 | 9.9 | (0Day) Microsoft GitHub Dev-Containers Improper Privilege Management Privilege Escalation Vulnerability |
ZDI-24-1075 | 9.8 | Microsoft PowerShell Reference for Office Products officedocs-cdn Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1074 | 9.8 | Microsoft PowerShell Gallery psg-prod-centralus Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1073 | 9.8 | Microsoft Azure uAMQP azure-iot-sdks-ci Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1072 | 9.8 | Microsoft CameraTraps cameratracrsppftkje Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1071 | 9.8 | Microsoft Azure GPT ALE palantirdemoacr Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1070 | 9.8 | Microsoft Partner Resources openhacks Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1069 | 9.8 | Microsoft Technical Case Studies athena-dashboard Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1068 | 5.3 | Microsoft Azure ML.NET Samples mlnetfilestorage Uncontrolled Search Path Element Vulnerability |
ZDI-24-1067 | 9.4 | Microsoft Azure CollectSFData docs-analytics-eus Uncontrolled Search Path Element Impersonation Vulnerability |
ZDI-24-1066 | 9.8 | Microsoft Azure DataStoriesSamples machinelearningdatasets Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1065 | 9.8 | Microsoft Azure Availability Monitor for Kafka esnewdeveastdockerregistry Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1064 | 9.8 | Microsoft AirSim airsimci Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1063 | 9.8 | Microsoft Reactor Workshops reactorworkshops Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1062 | 9.8 | Microsoft Fluid Framework prague Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1061 | 9.8 | Microsoft What The Hack docsmsftpdfs Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1060 | 9.8 | Microsoft Azure Aztack aztack1528763526 Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1059 | 9.8 | Microsoft Azure Linux Automation konkaciwestus1 Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-1058 | 9.8 | Microsoft Azure NodeJS LogPoint logpointsassets Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-23-1588 | 8.8 | Microsoft Azure US Accelarators Synapse SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability |
ZDI-23-1528 | 10.0 | Microsoft PC Manager SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability |
ZDI-23-1527 | 10.0 | Microsoft PC Manager SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability |
ZDI-23-1056 | 4.4 | (0Day) Microsoft Azure Machine Learning Compute Instance certificate Exposure of Resource to Wrong Sphere Information Disclosure Vulnerability |
ZDI-23-1044 | 9.9 | (0Day) Microsoft GitHub Dev-Containers Improper Privilege Management Privilege Escalation Vulnerability |
ZDI-24-998 | 8.2 | KernelCI SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability |
ZDI-24-993 | 7.5 | Microsoft Azure myapiendpoint.developer.azure-api Improper Access Control Information Disclosure Vulnerability |
ZDI-24-992 | 9.8 | Microsoft Azure VSTS CLI vstscli Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-991 | 9.8 | Microsoft Azure Arc Jumpstart Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-989 | 9.8 | Microsoft Azure Container Network Management sbidprod Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-988 | 9.8 | Microsoft Azure MQTT azure-iot-sdks-ci Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-987 | 9.8 | Microsoft Object Detection Solution Accelerator csaddevamlacr Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-986 | 9.8 | Microsoft Azure IoT Edge Dev Tool iotedgetoolscontainerregistry Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-985 | 9.8 | Microsoft Azure Service Fabric servicefabricsdkstorage Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-983 | 9.8 | Microsoft Azure Go Labs microsoftgoproxy Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-982 | 5.3 | Microsoft Azure SQL Workshop azuremlsampleexperiments Uncontrolled Search Path Element Vulnerability |
ZDI-24-981 | 9.8 | Microsoft Azure Machine Learning Notebooks azuremlpackages Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-980 | 9.8 | Microsoft Azure Machine Learning Forecasting Toolkit azuremlftkrelease Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-581 | 10.0 | Microsoft Azure SQL Managed Instance Documentation SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability |
ZDI-24-580 | 9.8 | Microsoft Artifact Registry Container Images Empty Password Authentication Bypass Vulnerability |
ZDI-24-400 | 9.8 | Microsoft uAMQP for Python azure-iot-sdks-ci Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-396 | 9.8 | Microsoft Azure ODSP nikisos Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-24-369 | 5.3 | Google cAdvisor REST API Improper Access Control Information Disclosure Vulnerability |
ZDI-24-208 | 9.8 | Microsoft Azure MCR VSTS CLI vstscli Uncontrolled Search Path Element Remote Code Execution Vulnerability |
ZDI-23-880 | 5.5 | Microsoft Azure Machine Learning Service DSIMountAgent Missing Authentication Information Disclosure Vulnerability |
ZDI-23-380 | 6.5 | Microsoft Azure Machine Learning Service DSIMountAgent Missing Authentication Information Disclosure Vulnerability |
ZDI-23-161 | 6.5 | Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability |
ZDI-23-097 | 6.8 | Microsoft Azure Machine Learning Service JWT Cleartext Storage of Credentials Information Disclosure Vulnerability |
ZDI-23-096 | 6.5 | Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability |
ZDI-23-095 | 6.5 | Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability |