
· 8 min read
learning

Test driving the Log4Shell vulnerability with various versions of Java and observing the network egress connections

Log4Shell in a nutshell

➟ An attacker is able to conduct a completely unauthenticated Remote Code Execution on a publicly-exposed service.

➟ If a JVM-based service (Java, Scala, etc.) is using the log4j logging library (very popular), the service is vulnerable.

➟ A patched version of the log4j library, version 2.15.0, that fixes this issue was released on 06 Dec 2021.

➟ log4j 2.16.0 was released at 13 Dec 22:28 with the following note:

· 10 min read
learning

Identify and protect GitHub Actions' permissible network egress, with leak detection

Story of a pipeline nobody would like to see develop a leak.

GitHub Actions Pipeline Leak with Secrets and Snowflake Data

It runs in a self-hosted GitHub Actions Runner, spun up on AWS spot instances by philips-labs' terraform-aws-github-runner, connecting to Snowflake – with 'secrets' stored in GitHub itself.

๐Ÿ— we build the normal list of FQDNs such a pipeline accesses when run
๐Ÿ”’ enforce it via the discrimiNAT firewall
๐Ÿ”‡ introduce an unobtrusive curl command, like in the Codecov Uploader breach
๐Ÿšซ see it fail in exfiltrating any data from the CI environment
๐Ÿ”Ž detect the attempt in flow logs

· 10 min read

The week before the pentest...

Work it harder, make it better
Do it faster, makes us stronger
More than ever, hour after
Hour, work is never over


French army band medleys Daft Punk following Bastille Day parade

The situation is nothing to write home about. C2 malware, ransomware, default telemetry, use of plaintext protocols across the Internet, escalating data egress charges – you name it – this one unplugged gap in the Cloud, the outbound connections originating from your deployments, keeps on giving (or taking).

With no human-readable visibility on any egress flows, there is not much you can do with all those IP addresses in the flow logs. Talk about flying blind. It's time to install a filtering proxy, and Squid is the word on the grapevine.

Let's take a deep-dive 🔎

· 7 min read

Why do we seek IP addresses in the Cloud-first world?

  • Is it the mindset leftover from the bygone era of procured hardware & CIDR blocks?
  • Is it the availability of published IP ranges that makes you want to utilise them?
  • Or is it a hard bit of how the internet works to detach from?

Let's consider the case of Datadog Agent v7.32.3, the endpoint for which, as per official docs, would simply be 7-32-3-app.agent.datadoghq.com. This is the contract Datadog will fulfil, and we shouldn't assume more.

But first, Datadog IP ranges at present...

· 7 min read
learning

A closer look at what data is sent to entropy.ubuntu.com on Cloud instance boot

Routine Test

At Chaser, we routinely test a variety of real-world setups through the discrimiNAT firewall. It helps keep on top of implementation subtleties by different vendors and identify any regressions early as we improve the product.

FQDN filter for Ubuntu on GCP egress, shall we?

So we fire up Ubuntu Bionic Beaver LTS this time, with egress allowed to 0.0.0.0/0 on all ports.

· 3 min read
learning

Observation of traffic from a Windows Server 2019 instance with a firewall restricting its egress, and a CloudWatch exercise in filtering and aggregation

Routine Test

At Chaser, we routinely test a variety of real-world setups through the discrimiNAT firewall. It helps keep on top of implementation subtleties by different vendors and identify any regressions early as we improve the product.

FQDN filter for Windows on AWS egress, shall we?

So we fire up the latest and greatest Windows this time, with outbound allowed to 0.0.0.0/0 on all ports.