The whoAMI name confusion attack, modern phishing tactics, and K8s network security fundamentals

We recently published new research covering how attackers can create malicious Amazon Machine Images (AMIs) with specially crafted names and cause insecure code to retrieve them, leading to remote code execution in victims' AWS accounts. This happens when client-side code, such as Terraform, queries AMIs based on a name pattern without specifying an owner.

We found that thousands of AWS accounts are likely vulnerable to this name confusion attack, dubbed "whoAMI." We also confirmed that internal services belonging to AWS were vulnerable and would pull such maliciously named AMIs (the issue has now been remediated). Finally, we released a new open source project, whoAMI-scanner, that you can easily run in your environment to identify any possibly malicious AMI.

This research gained media attention from TheHackerNews and BleepingComputer.
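A worked illustration of the name confusion described above, as an added example that is not code from the research or from whoAMI-scanner: it reproduces the client-side selection offline (filter by a name pattern, take the most recent match) on constructed DescribeImages-style records, and shows the owner restriction that closes the gap. Account IDs and image names are placeholders.

```python
from datetime import datetime
from fnmatch import fnmatch

# Constructed sample shaped like DescribeImages records. Account IDs and names
# are placeholders: two images come from the trusted publisher, and a NEWER one
# from an unrelated account reuses the same name pattern.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000000a", "Name": "my-org-base-image-2024-11-01",
     "OwnerId": "111111111111", "CreationDate": "2024-11-01T10:00:00.000Z"},
    {"ImageId": "ami-0000000000000000b", "Name": "my-org-base-image-2025-01-15",
     "OwnerId": "111111111111", "CreationDate": "2025-01-15T10:00:00.000Z"},
    {"ImageId": "ami-0000000000000000c", "Name": "my-org-base-image-2025-02-01",
     "OwnerId": "999999999999", "CreationDate": "2025-02-01T10:00:00.000Z"},
]


def _created(image):
    return datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")


def select_ami(images, name_pattern, owners=None):
    """Return the most recent image whose Name matches name_pattern.

    owners=None reproduces the vulnerable lookup (name pattern only, any
    account), i.e. describe_images() called without the Owners parameter.
    An explicit owner list is the fix: images published by any other
    account are dropped even when their name matches.
    """
    candidates = [img for img in images if fnmatch(img["Name"], name_pattern)]
    if owners is not None:
        candidates = [img for img in candidates if img["OwnerId"] in owners]
    if not candidates:
        raise LookupError("no AMI matched; refusing to fall back to any owner")
    return max(candidates, key=_created)


def untrusted_amis(images, trusted_owners):
    """Inventory check: image IDs whose OwnerId is outside the trusted set."""
    return [img["ImageId"] for img in images if img["OwnerId"] not in trusted_owners]


if __name__ == "__main__":
    pattern = "my-org-base-image-*"
    print("name only :", select_ami(SAMPLE_IMAGES, pattern)["ImageId"])
    print("with owner:", select_ami(SAMPLE_IMAGES, pattern, owners=["111111111111"])["ImageId"])
    print("untrusted :", untrusted_amis(SAMPLE_IMAGES, {"111111111111"}))
```

With only a name filter the newest match wins regardless of publisher; pinning `owners` makes the same lookup return the trusted image, and the inventory check is the kind of signal a scanner can raise on already-running instances.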

Threat roundup for end-of-year 2024

Based on our telemetry and threat research, we published our findings for common attacker tactics, techniques, and procedures (TTPs) that we've witnessed in the wild. Spoiler: whether you’re using AI services, npm packages, or GitHub repositories, attackers meet developers where they are.

Hunt for malicious Entra ID applications in your environment

Attackers often use malicious OAuth 2.0 applications to steal sensitive data. After months of research, Matt Kiely of Huntress shares insights on identifying malicious Entra ID applications in your environment. Plus, he provides an open source tool you can begin using immediately!

"Stock" vs. "flow" in application security

Whether in accounting, business, or economics, “stocks” and “flows” are crucial concepts for modeling both the current state of a system (stock, like your bank account's current value) and movement or changes over time (flow, such as your monthly salary). Sandesh Mysore Anand applies this concept to application security, arguing that it's important to manage both new vulnerabilities (flow) and existing ones in production (stock).

Sophisticated phishing campaign leveraging legitimate Google domain

Some phishing campaigns are so convincing that they can deceive even the best engineers into sharing their credentials or accepting multi-factor authentication (MFA) prompts. Zach Latta experienced such a campaign firsthand. Scammers spoofed a legitimate Google phone number, spoke flawless American English, and sent emails from a genuine Google-owned domain (g.co). In Zach's own words, this was a "near miss".

In response, Google has reportedly closed the loophole that allowed anyone to send emails from g.co subdomains by linking them to a Google Workspace subscription without verifying domain ownership.

Adversary-in-the-middle incident in Entra ID

Adversary-in-the-middle (AiTM) is a modern form of phishing that lets an attacker bypass software-based multi-factor authentication (MFA). Invictus Incident Response reports on an incident in which the attacker used AiTM and then abused Dropbox to attempt further spread within the victim's organization.

Threat actors using device code phishing to compromise corporate accounts

Microsoft and Volexity have spotted several “device code phishing” campaigns starting in August 2024, with some still active. These campaigns bypass multi-factor authentication (MFA), access corporate accounts, search for files with specific keywords, and exfiltrate them. Make sure to block device code authentication in Entra ID using a conditional access policy.

Sendbird's journey into securing AWS accounts

Securing an existing cloud environment is a journey that requires vision, pragmatism, and prioritization. Laxman Eppalagudem shares his experience improving the security of Sendbird's AWS environment. His efforts included removing IAM users, starting a threat detection program, implementing Service Control Policies (SCPs), and enabling engineers to access databases in a secure and auditable way.

Identify misconfigurations in your Entra ID app registrations used for OIDC flows

In our previous research, we found that many AWS IAM roles using OIDC were misconfigured, allowing any GitHub Action to assume them. In a new post, Karim El-Melhaoui introduces an open source tool to analyze trust relationships related to GitHub Actions on Entra ID app registrations and identify vulnerabilities.

Kubernetes network security fundamentals

Combining “Kubernetes” and “networking” in the same sentence can make anyone feel uneasy. We challenged our own Rory McCune to add “security” to the mix while keeping it hands-on and engaging.

Security Events Spotlight

Watch the recording of our State of Cloud Security livestream, featuring Chris Farris and Michael St.Onge

We were live a few weeks ago with Chris Farris and Michael St.Onge, chatting about the latest cloud security trends. Missed it? We've got you covered! The recording is now available.

Meet Datadog researchers at industry conferences

In the coming weeks, we have a full schedule of exciting talks at security conferences:

fwd:cloudsec North America 2025 in Denver

fwd:cloudsec, the first vendor-neutral cloud security conference, returns this year on June 30–July 1 in Denver, Colorado. While tickets are sold out, you can still secure a spot by submitting to the CFP, which is open until April 11.

Based in Europe? Expect some announcements soon for the second European edition!

Watch the FOSDEM 2025 talk “How Threat Actors Are Weaponizing Your Favorite Open Source Package Registry”

Our security researchers Ian Kretz and Sebastian Obregoso showcased their work on software supply chain security at FOSDEM in Brussels. Ian and Sebastian, based respectively in Paris and Madrid, maintain open source projects like GuardDog, the Software Supply Chain Firewall, and the Malicious Software Packages Dataset.

Thank you for reading—we'd love to hear from you! Reach out at securitylabs@datadoghq.com to provide feedback, ideas, or just say hello.