Threat Actor Publishing Fake GitHub PoCs, Effective Remote Work Habits, and a Methodology for Migrating Off IMDSv1
Welcome to the first Datadog Security Digest of 2025!
Threat Actor Publishing Fake GitHub PoCs
Datadog investigated a threat actor, dubbed MUT-1244, who's been publishing fake GitHub repositories that mimic exploit code and targeting offensive actors such as security engineers and penetration testers. Our investigation also dives into:
- A phishing campaign that the threat actor also used as one of the initial access vectors
- 390,000 leaked credentials from a malicious actor who was using one of the fake PoCs
- An interactive graph of a cluster of fake GitHub accounts and their interactions with each other
Come say hi on Bluesky!
Datadog Security Labs now has its own Bluesky account, @securitylabs.datadoghq.com. Follow us to get notified about our latest research! We also created a starter pack that allows you to follow, in a single click, the Bluesky accounts for a number of Datadog security researchers and authors.
Effective habits of remote workers
With remote work being as common as it is today, it's important to be intentional about dealing with distance, timezones, and video meetings. A while back, our very own engineering director Cody Lee wrote an internal wiki page sharing his tips for successful remote work. Now he has gone a step further and published his guide publicly.
Migrating from IMDSv1 to IMDSv2
Enforcing IMDSv2 is a critical security mechanism in AWS environments. As of late 2024, only one in three EC2 instances enforces it. While this rate of enforcement is getting better, it is still inadequate. In this post, several members of Datadog's engineering team explore strategies to migrate off IMDSv1, including gaining process-level visibility into IMDSv1 usage for effective remediation.
Secure your container images with signature verification
One of the first things an attacker does when gaining access to a cluster is to run new containers, often with external or untrusted images. Enforcing container image signing ensures that all images running in your cluster have gone through your usual release process. In this post, Bowen Chen talks about threat modeling for containers, introduces basic concepts about container image signing, and finally describes a container signing architecture similar to the one we use internally at Datadog.
How to Say "No" Well
Former UK Prime Minister Tony Blair once said "The art of leadership is saying no." However, a "no" from security teams should come with a purpose and not undermine trust within the rest of the organization. In his recent blog post, Rami McCarthy shares his experience on saying "no" in a productive, respectful, and forward-looking way. He also discusses the different types of "noes" and how to earn the privilege of saying "no" in the first place.
Defining Security Invariants
In software engineering, an "invariant" is an assumption that never changes within certain execution boundaries of a program. Security craves invariants, we can also be referred to as guardrails. They are highly valuable and can help you avoid incidents by proactively ensuring that you're not misconfiguring resources. Cloud providers have released a number of these kinds of guardrails, such as S3 Public Access Block, in the past few years. In this post, Chris Farris lists a number of invariants that you can enforce on AWS by using various mechanisms, such as service control policies (SCPs) and the newly-released resource control policies (RCPs).
Introducing the open source Supply-Chain Firewall
GuardDog, one of our most popular open-source projects, allows you to scan PyPI and npm packages for indicators of maliciousness. Building on this tool, we released the Supply-Chain Firewall, another open source project that you can use as a drop-in replacement for "pip install" and "npm install" and that will automatically block known-malicious packages.
Security is about handling false positives and surfacing what matters
In security, as in many domains, less is more. The myriad of new security tooling brings great opportunities, but there's also a critical risk that what matters gets lost in the noise. For instance, we previously assessed that only 5 percent of application-level vulnerabilities are worth prioritizing. With his application security and SecOps background, Jonathan Price gives actionable advice on how to cut through the noise, fix root causes instead of symptoms, and make the best out of your existing security tooling.
Tales from the cloud trenches: the unwanted visitor
We observed malicious activity in an AWS environment where the attacker compromised an IAM user access key, used it to generate an AWS Console sign-in link, and persisted by creating a new IAM role with a trust relationship to an attacker-controlled AWS account.
Security Events Spotlight
Livestream: State of Cloud Security, with Chris Farris and Michael St.Onge
Back in October, we released the State of Cloud Security 2024 study, where we analyzed security posture data from thousands of organizations that use AWS, Azure, or Google Cloud.
Join this livestream on January 29 at 11:00am ET for a fun and instructive event discussing, debating, and disagreeing on these trends and their implications!
Video recordings from 38C3 (and our top picks)
Every year before Christmas and New Year's Eve, the annual congress of the Chaos Computer Club, one of Europe's oldest associations of hackers, takes place in Germany. Fun fact: In 1989, the French security agency DST (which was then the equivalent of the US Department of Homeland Security) created the Chaos Computer Club France—a completely fictitious organization—with the goal of tracking and arresting French black hats.
Our top picks:
- Fearsome File Formats by Ange Albertini
- How to use distributed sensors to identify and take down adversaries by Lars König
- From Simulation to Tenant Takeover by Vaisha Bernard
- Real World Impact of Weak Cryptocurrency Keys by John Naulty
- Discriminatory effects of welfare automation by Amnesty Digital
Meet Datadog researchers at February conferences
With the new year comes a set of exciting new talks from Datadog researchers! In February, we'll host two talks in Europe:
- Ian Kretz and Sebastian Obregoso at FOSDEM on February 1st: How Threat Actors Are Weaponizing Your Favorite Open-Source Package Registry
- Rory McCune at State of Open on February 5th: Containers Rule Everything Around Me
Stay tuned for more!
Datadog Security Releases
Discover our latest security updates and explore in-depth resources.
Detect malicious activity in Google Workspace
Cloud SIEM now supports several out-of-the-box rules to detect malicious activity in Google Workspace. These rules for Google Workspace can detect many different types of suspicious events, such as a user connecting from a Tor IP address or an attacker setting up a malicious email forwarding rule.
Agentless scanning now available for Azure
Back in June, we released agentless scanning for AWS, allowing you to easily scan your virtual machines and containers without an agent. We’re pleased to announce that agentless scanning is now available in preview for Azure!
Reference tables in Cloud SIEM rules
Reference tables are useful for enriching your logs with custom data sources, such as the department of an employee or the email address associated with a device. Good news: You can now use these reference tables within your Cloud SIEM rule definitions to add context and filter out unneeded data!
Close the loop with infrastructure as code security
Datadog Code Security can now scan your infrastructure-as-code(such as Terraform code) and surface security issues early in the development lifecycle. It can also automatically post comments on a pull request via Datadog’s GitHub integration.
Detect malicious activity in Amazon Bedrock
Since the explosion of GenAI services, Amazon Bedrock has become a popular service. It's no surprise that attackers are following this trend by finding ways to exploit it. Based on malicious activity we identified, we've released two high-signal rules to detect suspicious activity in Bedrock: Amazon Bedrock console activity, and Amazon Bedrock activity InvokeModel multiple regions.
Thank you for reading—we'd love to hear from you! Reach out at securitylabs@datadoghq.com to provide feedback, ideas, or just say hello.