Ian Ahl
Daniel Bohannon

Research

Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor

Permiso’s p0 Labs has been tracking a threat actor for the last 18 months. In this article we describe the attack lifecycle and detection opportunities for the cloud-focused, financially motivated threat actor we have dubbed p0-LUCR-1, aka GUI-vil (Goo-ee-vil).

Nathan Eades

Research

New Phone, Who Dis? How Cloud Environments Are Exploited for Smishing Campaigns

Commodity threat actors have recently begun to exploit cloud environments for smishing campaigns, employing techniques strikingly similar to those used in SES enumeration and abuse.

Ian Ahl
Nathan Eades

Research

Legion: The Latest Threat in Mass Spam Attacks

Cado and Permiso researchers team up to break down Legion's toolset and discuss some of the differences between Legion and the likes of AndroxGh0st and Greenbot.

Ian Ahl

Research

Our Approach to Detection: AndroxGh0st and GreenBot Edition

From atomic indicators to TTPs, in this article, the Permiso p0 Labs team discusses their approach to detecting AndroxGh0st and Greenbot persistence modules.

Bleon Proko

Research

How Using Deprecated Policies Creates Overprivileged Permissions - AmazonEC2RoleforSSM vs AmazonSSMManagedInstanceCore

AmazonEC2RoleforSSM is a deprecated version of the now-recommended AmazonSSMManagedInstanceCore. We break down why AWS likely deprecated the original policy and how organizations leave themselves vulnerable by continuing to use these deprecated policies.

Ian Ahl

Research

Gather Round the Watering Hole, We have a story to tell

Watering hole phishing attack targeted at users of AWS Management Console via Google ads!

Nathan Eades

Research

SES-pionage

What do attackers do with exposed AWS access keys? We look inside AWS SES to give deeper insights into the service, why and how it's targeted, and how to detect abuse.

Ian Ahl

Research

Cloud Cred Harvesting Campaign - Grinch Edition

The Grinch targets Jupyter this Christmas with a cloud cred harvesting campaign.

Nathan Eades
Ian Ahl

Research

AWS Enhancements to UpdateLoginProfile and CreateLoginProfile logging

Logging by cloud providers and identity providers sometimes does not contain the level of detail needed for detections. We found a case in AWS when a login profile is created or updated without the reset password flag set to true.

Ian Ahl

Research

Password spray enters the Okta-gon

Identity Providers (IDPs), like Okta, have always been a juicy target for threat actors of all skill levels. Permiso identified a large Okta password spraying campaign that took place in late August.

Ian Ahl
Nathan Eades

Research

You down with IDP? Impersonate me!

Permiso Security and ACV Auctions, while collaborating on cloud detection efforts, discovered an impersonation technique in Okta application user assignments. This technique is being utilized for both benign and nefarious purposes.

Ian Ahl

Research

Anatomy of an Attack: Exposed keys to Crypto Mining

At Permiso, we find that the majority of incidents we discover or respond to start with exposed access keys. Attackers leverage these keys to gain access, then set up a mechanism to establish persistence, perform reconnaissance, and complete their mission.