Nitesh 'ideaengine007' Surana

Nitesh Surana is a Senior Threat Researcher at Trend Micro specializing in cloud vulnerability and security research. Recently, he was ranked among the top 10 Microsoft Security Researchers for 2024, primarily for his submissions via the Zero Day Initiative. His research has been presented at conferences such as Black Hat [USA, Asia], FIRSTCON, HackInTheBox, HackInParis, Nullcon, c0c0n, Vulncon, Security BSides [Delhi, Bangalore, Ahmedabad], NDC Oslo and OWASP/Null Bangalore meetups. Apart from playing with packets and syscalls, Nitesh can be found attending metal concerts and writing and playing music.

Links: Hacking Archives of India, LinkedIn, Twitter, YouTube, Profile Picture

Upcoming Talks

FROM CODE TO CRIME: EXPLORING THREATS IN GITHUB CODESPACES @ VirusBulletin 2024, Dublin, Ireland

Cloud-based development environments enable developers to work from any device with internet access. Introduced during the GitHub Universe event in November 2022, Codespaces offers a customizable cloud-based IDE, simplifying project development. However, the openness of this service has been exploited by attackers, leading to in-the-wild campaigns that leverage GitHub Codespaces for developing, hosting, and exfiltrating stolen information. The presentation will showcase GitHub Codespaces' features and explore typical methods of abuse by threat actors, focusing on observed malicious campaigns. The highlight is DeltaStealer, a credential-stealing malware family with diverse variants, some featuring unique capabilities such as persistent Discord authentication compromise and cloud-based data exfiltration. Developed using GitHub Codespaces, these infostealers reveal interesting artifacts, including debug symbols, that expose insights into the developers' identities. The presentation will showcase social media evidence and conclude with practical recommendations on configuring cloud-based IDEs securely, identifying suspicious instances, and proactively addressing similar cyber threats.


TOKENS & TAKEOVERS: CLOUD POWERED SUPPLY CHAIN ATTACKS @ BSides Ahmedabad 2024, Gujarat, India

It takes one single misconfigured token to jeopardize cloud resources and their downstream dependent systems; a recent example is an overly permissive SAS token that led to the 2023 leak of 38 TB of Microsoft AI research data. After Microsoft's account of the incident, we did our own part in hunting for overly permissive SAS tokens. We found two different ways of controlling a widely used official Microsoft tool called PC Manager. One could eventually execute a classic supply chain attack across multiple releases of MS PC Manager that were sprinkled across the web in the form of blogs, support forums, an official website and WinGet packages. Using the SAS tokens, we could take over every release of MS PC Manager. Furthermore, we will share our findings wherein one could inject malicious stored procedures into database backups used by tutorials mentioned in official Azure docs, and modify JavaScript resources used on multiple websites with one single SAS token. To conclude, we will share what practitioners can do to proactively hunt for sensitive information in URL parameters in their environments.
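One way to act on the closing recommendation above, as an added example that is not from the talk or its author: a small Python checker that parses the SAS query parameters (sp, sr, ss, srt, se, sig) of an Azure Storage URL and rates it by permission set, scope and lifetime. The host, paths and signature in the sample URLs are constructed placeholders, and the clock is fixed so results are reproducible.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs
# 'sp' letters that let the holder add, create, write, delete or move data.
MUTATING = set("acdwxym")

def _expiry(value):
    """Parse 'se' (ISO 8601, UTC) into an aware datetime; None if malformed."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def assess_sas(url, now):
    """Return (risk, findings) for a URL carrying an Azure Storage SAS, else None."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if not {"sig", "sp", "se"} <= set(q):
        return None  # no signature/permissions/expiry: not a SAS URL
    findings = []
    mutating = bool(set(q["sp"]) & MUTATING)
    if mutating:
        findings.append(f"mutating permissions sp={q['sp']}")
    # Account SAS (ss/srt) spans whole services; sr=c spans a whole container.
    broad = "ss" in q or "srt" in q or q.get("sr") == "c"
    if broad:
        findings.append("scope is a whole container or account, not one blob")
    exp = _expiry(q["se"])
    expired = exp is not None and exp < now
    long_lived = exp is None or exp - now > timedelta(days=365)
    if expired:
        findings.append(f"already expired on {q['se']}")
    elif long_lived:
        findings.append(f"long-lived or unparseable expiry se={q['se']}")
    if expired:
        risk = "info"
    elif mutating and (broad or long_lived):
        risk = "high"
    elif mutating or broad or long_lived:
        risk = "medium"
    else:
        risk = "low"
    return risk, findings
# Constructed sample URLs: host, paths and signature are placeholders.
SAMPLES = [
    "https://examplestorage.blob.core.windows.net/releases/setup.msi"
    "?sv=2021-06-08&sr=c&sp=racwdl&se=2099-12-31T23:59:59Z&sig=PLACEHOLDER",
    "https://examplestorage.blob.core.windows.net/docs/readme.txt"
    "?sv=2021-06-08&sr=b&sp=r&se=2024-03-01T00:00:00Z&sig=PLACEHOLDER",
]
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the samples
```

Run `assess_sas(u, FIXED_NOW)` over URLs harvested from proxy logs, CI configuration or documentation; anything rated high is a write-capable, broadly scoped or near-permanent token worth revoking and rotating.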

ZDI Submissions (for upcoming advisories, grep @_niteshsurana)

ZDI Advisory | Severity | Vulnerability
ZDI-24-1181 | 7.6 | Axis Communications Autodesk Plugin Exposure of Sensitive Information Authentication Bypass Vulnerability
ZDI-24-1177 | 9.8 | Amazon AWS CloudFormation Templates Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1176 | 9.8 | Amazon AWS aws-glue-with-s2s-vpn Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1097 | 9.9 (0Day) | Microsoft GitHub Dev-Containers Improper Privilege Management Privilege Escalation Vulnerability
ZDI-24-1075 | 9.8 | Microsoft PowerShell Reference for Office Products officedocs-cdn Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1074 | 9.8 | Microsoft PowerShell Gallery psg-prod-centralus Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1073 | 9.8 | Microsoft Azure uAMQP azure-iot-sdks-ci Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1072 | 9.8 | Microsoft CameraTraps cameratracrsppftkje Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1071 | 9.8 | Microsoft Azure GPT ALE palantirdemoacr Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1070 | 9.8 | Microsoft Partner Resources openhacks Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1069 | 9.8 | Microsoft Technical Case Studies athena-dashboard Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1068 | 5.3 | Microsoft Azure ML.NET Samples mlnetfilestorage Uncontrolled Search Path Element Vulnerability
ZDI-24-1067 | 9.4 | Microsoft Azure CollectSFData docs-analytics-eus Uncontrolled Search Path Element Impersonation Vulnerability
ZDI-24-1066 | 9.8 | Microsoft Azure DataStoriesSamples machinelearningdatasets Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1065 | 9.8 | Microsoft Azure Availability Monitor for Kafka esnewdeveastdockerregistry Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1064 | 9.8 | Microsoft AirSim airsimci Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1063 | 9.8 | Microsoft Reactor Workshops reactorworkshops Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1062 | 9.8 | Microsoft Fluid Framework prague Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1061 | 9.8 | Microsoft What The Hack docsmsftpdfs Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1060 | 9.8 | Microsoft Azure Aztack aztack1528763526 Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1059 | 9.8 | Microsoft Azure Linux Automation konkaciwestus1 Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-1058 | 9.8 | Microsoft Azure NodeJS LogPoint logpointsassets Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-23-1588 | 8.8 | Microsoft Azure US Accelerators Synapse SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability
ZDI-23-1528 | 10.0 | Microsoft PC Manager SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability
ZDI-23-1527 | 10.0 | Microsoft PC Manager SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability
ZDI-23-1056 | 4.4 (0Day) | Microsoft Azure Machine Learning Compute Instance certificate Exposure of Resource to Wrong Sphere Information Disclosure Vulnerability
ZDI-23-1044 | 9.9 (0Day) | Microsoft GitHub Dev-Containers Improper Privilege Management Privilege Escalation Vulnerability
ZDI-24-998 | 8.2 | KernelCI SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability
ZDI-24-993 | 7.5 | Microsoft Azure myapiendpoint.developer.azure-api Improper Access Control Information Disclosure Vulnerability
ZDI-24-992 | 9.8 | Microsoft Azure VSTS CLI vstscli Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-991 | 9.8 | Microsoft Azure Arc Jumpstart Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-989 | 9.8 | Microsoft Azure Container Network Management sbidprod Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-988 | 9.8 | Microsoft Azure MQTT azure-iot-sdks-ci Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-987 | 9.8 | Microsoft Object Detection Solution Accelerator csaddevamlacr Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-986 | 9.8 | Microsoft Azure IoT Edge Dev Tool iotedgetoolscontainerregistry Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-985 | 9.8 | Microsoft Azure Service Fabric servicefabricsdkstorage Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-983 | 9.8 | Microsoft Azure Go Labs microsoftgoproxy Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-982 | 5.3 | Microsoft Azure SQL Workshop azuremlsampleexperiments Uncontrolled Search Path Element Vulnerability
ZDI-24-981 | 9.8 | Microsoft Azure Machine Learning Notebooks azuremlpackages Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-980 | 9.8 | Microsoft Azure Machine Learning Forecasting Toolkit azuremlftkrelease Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-581 | 10.0 | Microsoft Azure SQL Managed Instance Documentation SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability
ZDI-24-580 | 9.8 | Microsoft Artifact Registry Container Images Empty Password Authentication Bypass Vulnerability
ZDI-24-400 | 9.8 | Microsoft uAMQP for Python azure-iot-sdks-ci Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-396 | 9.8 | Microsoft Azure ODSP nikisos Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-24-369 | 5.3 | Google cAdvisor REST API Improper Access Control Information Disclosure Vulnerability
ZDI-24-208 | 9.8 | Microsoft Azure MCR VSTS CLI vstscli Uncontrolled Search Path Element Remote Code Execution Vulnerability
ZDI-23-880 | 5.5 | Microsoft Azure Machine Learning Service DSIMountAgent Missing Authentication Information Disclosure Vulnerability
ZDI-23-380 | 6.5 | Microsoft Azure Machine Learning Service DSIMountAgent Missing Authentication Information Disclosure Vulnerability
ZDI-23-161 | 6.5 | Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability
ZDI-23-097 | 6.8 | Microsoft Azure Machine Learning Service JWT Cleartext Storage of Credentials Information Disclosure Vulnerability
ZDI-23-096 | 6.5 | Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability
ZDI-23-095 | 6.5 | Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability

Blogs

Public Mentions

Talks

Misc


This page is heavily inspired by James Kettle's.

"It has to start somewhere. It has to start sometime. What better place than here? What better time than now?"