fwd:cloudsec 2023

Asaf Aprozper

Asaf’s work in information security spans well over a decade, primarily focusing on security research, cloud security and external attack surface, malware analysis, threat hunting, and incident response. Today he works as the Head of SecOps at Moon Active.

His career in cybersecurity began at the Israeli intelligence agency and continued in the private sector as a Cyber Analyst at the largest bank in Israel, before he joined AVG as a mobile security researcher. Asaf also gained a wealth of practical industry experience as a Security Researcher at Minerva Labs, where he performed malware analysis, and as the Head of Research at Reposify, working on scanning the global internet for companies' publicly exposed assets.

Asaf has previously presented talks at several of the world’s leading information security conferences, including CodeBlue Japan, BSidesCyprus, and an Arsenal talk at Black Hat USA. He has also published various security research articles and developed open-source security tools that were released to the community.


Session

06-13
11:30
40min
Unmasking the Subnet: Lookalike IP Ranges in Cloud Environments
Asaf Aprozper

In the world of cloud computing, protecting networks from unauthorized access is critical. While some misconfigurations, such as allowing access from any IP address, are widely known, a new and less-discussed risk has emerged: the use of lookalike private IP ranges. A proactive hunt for possible unknown misconfigurations revealed that cloud users had mistakenly configured Security Groups and VPCs with IP ranges they believed were internal, but that were actually publicly exposed to US cellular networks and potentially to malicious actors. Such issues blur the lines between customer and cloud vendor responsibility: customers are responsible for configuring their own networks, but cloud providers can easily assist in mitigating such misconfigurations.

To evaluate this new misconfiguration and the possible critical risk associated with it, we purchased a T-Mobile lookalike private IP address for just a few bucks and used it with ProxyChains and Nmap to mimic the private IP range and scan for open services across the AWS ASN. This presentation will highlight the security risks of lookalike IP addresses in cloud environments and introduce a new community-driven framework called CloudHunting, which uses Sigma rules mapped to MITRE ATT&CK to proactively detect such misconfigurations that could lead to threats, including this newly identified one.
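A defensive check for the misconfiguration described in the abstract, added here as an example and not taken from the talk or from CloudHunting: it classifies Security Group source CIDRs against the RFC 1918 private ranges and flags entries that only resemble them. The `classify` and `audit` helpers, the group names and the sample rules are constructed for illustration.

```python
import ipaddress

# RFC 1918 private address space.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# First octets that people tend to read as "internal": 10, 172, 192.
PRIVATE_FIRST_OCTETS = {net.network_address.packed[0] for net in RFC1918}


def classify(cidr):
    """Return 'private', 'lookalike' or 'public' for an IPv4 CIDR string."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    if any(net.subnet_of(p) for p in RFC1918):
        return "private"
    # Prefix too short: covers a private range plus public space around it.
    if net.prefixlen > 0 and any(net.overlaps(p) for p in RFC1918):
        return "lookalike"
    # Same first octet as a private range but outside it (e.g. 172.32.x.x).
    if net.prefixlen >= 8 and net.network_address.packed[0] in PRIVATE_FIRST_OCTETS:
        return "lookalike"
    return "public"


def audit(rules):
    """Return the ingress rules whose source CIDR only looks private."""
    return [r for r in rules if classify(r["cidr"]) == "lookalike"]


# Constructed sample ingress rules (group names and ports are made up).
SAMPLE_RULES = [
    {"group": "sg-example-db", "port": 5432, "cidr": "172.32.0.0/16"},
    {"group": "sg-example-app", "port": 8080, "cidr": "172.20.0.0/16"},
    {"group": "sg-example-cache", "port": 6379, "cidr": "192.169.1.0/24"},
    {"group": "sg-example-web", "port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-example-admin", "port": 22, "cidr": "172.16.0.0/8"},
]

if __name__ == "__main__":
    for rule in audit(SAMPLE_RULES):
        print(f"{rule['group']}: port {rule['port']} open to {rule['cidr']} "
              "(reaches outside RFC 1918 space)")
```

The explicit `0.0.0.0/0` rule is reported as `public` rather than `lookalike`, since that case is the widely known one; the check targets entries that an operator would read as internal.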

Inside & Outside
Salon C