Google Cloud Trends, DPRK npm Threats, & Privilege Escalation Walkthroughs

Welcome to our November edition!

This month, we’ve once again selected some of our favorite stories from Datadog researchers and the broader security community. This edition contains stories of DPRK threat actor attribution, Azure API privilege escalation, and npm supply chain vulnerabilities that led to responsible disclosure.

We’ve also included our own analysis of Google Cloud default service account trends and the risks associated with them, and highlighted two new cloud security reference guides: one is a collection of security best practices for operating public cloud footprints effectively, and the other explains AWS IAM Condition operators in great depth.

Google Cloud default service accounts

If you’ve used Google Cloud, you’re likely familiar with default service accounts. These accounts grant virtual machines and Google Kubernetes Engine (GKE) clusters default permissions—which, as it turns out, allow access to all cloud storage within the project, as well as the ability to list and pull all private container images.

Is this really an issue? After analyzing thousands of Google Cloud resources, we found that over one in three virtual machines and nearly half of GKE clusters rely on the default service account. Read on for exclusive, in-depth insights into usage patterns for default compute service accounts on Google Cloud.
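To see how reliance on the default compute service account can be measured in your own project, here is an added example (not code from the original post or from Datadog): it reads instance data in the shape of `gcloud compute instances list --format=json`, flags VMs attached to the `<project-number>-compute@developer.gserviceaccount.com` account, and reports whether the cloud-platform scope leaves the account's IAM role as the only limit. The sample instances and the `example-project` name are constructed.

```python
import json
import re

# The default compute service account is named <project-number>-compute@developer.gserviceaccount.com.
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample in the shape of `gcloud compute instances list --format=json`
# (only the fields this check reads are included).
SAMPLE_INSTANCES = json.loads("""[
  {"name": "web-1", "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
     "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                "https://www.googleapis.com/auth/logging.write"]}]},
  {"name": "batch-1", "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
     "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "api-1", "serviceAccounts": [{"email": "api-sa@example-project.iam.gserviceaccount.com",
     "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "isolated-1", "serviceAccounts": []}
]""")


def default_sa_findings(instances):
    """Return one finding per instance attached to the default compute SA.

    `full_scope` is True when the cloud-platform scope is set, i.e. the only thing
    limiting what the VM can reach is the IAM role bound to the service account.
    """
    findings = []
    for inst in instances:
        for sa in inst.get("serviceAccounts", []):
            if DEFAULT_COMPUTE_SA.match(sa.get("email", "")):
                findings.append({
                    "name": inst["name"],
                    "full_scope": CLOUD_PLATFORM_SCOPE in sa.get("scopes", []),
                })
    return findings


def default_sa_share(instances):
    """Fraction of instances that rely on the default compute SA (0.0 for an empty list)."""
    if not instances:
        return 0.0
    flagged = {f["name"] for f in default_sa_findings(instances)}
    return len(flagged) / len(instances)


if __name__ == "__main__":
    for f in default_sa_findings(SAMPLE_INSTANCES):
        print(f"{f['name']}: default compute SA, full scope={f['full_scope']}")
    print(f"{default_sa_share(SAMPLE_INSTANCES):.0%} of instances use the default SA")
```

Pipe real `gcloud compute instances list --format=json` output into `json.load` in place of the constructed sample to run the same check against a project.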

AWS introduces resource control policies

AWS customers who use AWS Organizations to manage their multiple AWS accounts now have a new tool to help them keep their data safe: resource control policies (RCPs). RCPs are similar to service control policies (SCPs) in that they are configured at the Organization level and can be applied to child accounts. However, where SCPs allow you to set maximum permissions on IAM principals, RCPs allow you to set maximum permissions on resources, like S3 buckets, SQS queues, or KMS keys. Only five services are supported at launch, but we expect that RCPs will be available for more resource types over time.

Roni Carta shares a fascinating story involving an npm-based dependency confusion vulnerability he and his brother identified in HashiCorp’s Consul tool. They initially thought that only pnpm was vulnerable to this attack and created a proof-of-concept exploit for HashiCorp. However, they soon realized a Fortune 500 company had pulled their payload using the official npm package, which led them into another coordinated disclosure that resulted in a $17k bounty.

Cloud guardrails

Mark Andersen, William Bengtson, Adam Cotenoff, Houston Hopkins, Travis McPeak, and Nicholas Siow have open sourced a collection of security best practices for operating public cloud footprints effectively. They’ve made this important dataset both easy to consume and easy to contribute to!

Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview

Our own Ian Kretz and Sebastián Obregoso identified and investigated three malicious npm packages that contained JavaScript infostealers and downloaders used by threat actors associated with the Democratic People’s Republic of Korea (DPRK, also referred to as North Korea). They dive deep into their analysis of the malware and explain in detail how they attributed the malware to previously observed threat actors.

Escalating from reader to contributor in Azure API Management

Christian August Holm Hansen shares details about security vulnerabilities in Azure API Management (APIM) that allowed someone with basic Reader permissions to the APIM service to escalate privileges to full control of the APIM service. He first shares some neat tricks around using older versions of the APIM API to access functionality that has been fixed in newer versions. He then shows how he found an endpoint in an old API that allowed him to get a Shared Access Signature (SAS) token, granting him privileges of the built-in Administrator, but scoped to the APIM service. This specific privilege escalation was fixed by Microsoft, but the concept of accessing older APIs is an interesting one!

IAM Condition operators explained

Cloud Copilot has been busy creating multiple AWS IAM-related tools and reference guides. They recently released a comprehensive explainer detailing all of the ways you can use Condition operators within AWS IAM policies. For each operator, they give multiple examples and explain what the result would be for each. If you create or audit IAM policies, this is a reference guide you want to bookmark.

From on-prem to cloud: Detect lateral movement in hybrid Azure environments

Many attacks that start on-prem and lead to cloud access rely on exploiting already existing authenticated cloud sessions. This makes detection difficult, but not impossible. This article walks you through what on-prem-to-cloud lateral movement looks like in hybrid Azure environments, and which signals might help you catch this type of malicious activity.

Security Event Spotlight

Heading to AWS re:Invent? Don’t miss out on what Datadog has planned! Be sure to check out these must-attend security sessions:

AWS re:Invent SEC406-S | Beyond just observing, protecting your whole software supply chain

Andrew Krug, Head of Security Advocacy, and Zack Allen, Senior Director of Security Research, will explore software supply chain best practices and discuss Datadog’s open source tool GuardDog, highlighting how they use it to protect critical repos. They’ll also provide insight into how Datadog Application Vulnerability Management helps you prioritize security findings in your AWS environment.

AWS re:Invent ARC212-S | How Cambia supercharged their Amazon EKS-based platform

Kyle Murphy, Platform Infrastructure Engineer at Cambia Health Solutions, will share how Cambia migrated from Amazon ECS to Amazon EKS. Kyle will talk about the tools they’ve used to increase their development velocity, improve reliability, and harness more power from their AWS compute resources.

Datadog Security Releases

Discover our latest security updates and explore in-depth resources.

Use Security Context Map to visualize complex relationships


Graphs make it easier for users to visualize the relationships between different entities and understand the related context. With Security Context Map, teams get a clear picture of their environments and potential breach points that malicious actors may exploit.

Datadog Application Exploit Prevention

We recently announced Datadog Exploit Prevention (also known as runtime application self-protection, or RASP), a new security feature in Datadog Application Security Management (ASM). Exploit Prevention uses the Datadog tracer to control application execution in order to protect your system from runtime threats before code execution.

Datadog OOTB rules and security content updates (October 2024)

In October 2024, Datadog's Security Research & Product Detection Engineering teams released three new detections for CSM Threats; 32 new detections for Cloud SIEM across nine log sources; 28 CSPM rules touching AWS, Google Cloud, and Azure; and one new attack path detection!

Monitor your Windows event logs with Datadog Cloud SIEM

Datadog’s Windows event log integration enables you to ingest and process Windows event data so you can analyze it, generate metrics, and alert on it from a centralized platform. You can use Datadog Cloud SIEM to automatically detect suspicious Windows activity with OOTB threat detection rules and gain an at-a-glance overview of threat activity with enhanced dashboards.