Nitesh Surana
Nitesh Surana is a Senior Threat Researcher with Trend Micro. After beginning his career as a SOC analyst in 2019, he moved into threat research with a focus on cloud-native environments. He currently works on software supply chain attacks, cloud and cloud-native vulnerabilities, threats, misconfigurations, and the jazz that comes along with them. Primarily for his submissions affecting more than ten Azure services, he was ranked among the top 7 Microsoft Security Researchers in 2024, working with the Trend Zero Day Initiative.
His work on multiple Azure and Microsoft services, and on credential leaks by cloud threat actors, has been presented at conferences such as Black Hat USA, Black Hat Asia, BlueHat, FIRSTCON, HackInTheBox, HackInParis, Virus Bulletin, Nullcon, c0c0n and many more. Away from computers, Nitesh is often found listening to metal music in the Himalayas.
Session
Cloud Service Providers (CSPs) have grown, matured and been widely adopted over time. This growth has had its own ramifications and a significant influence on how modern systems are built. However, because these services are released for public use so quickly, security practices are often left behind. We will discuss how two related bad security practices lead to multiple scenarios in which systems that depend on cloud resources can be compromised, ranging from dangling cloud resource takeovers to supply chain attacks. Seen through the shared responsibility model of security, bad security practices are not limited to end users; they are also found on the CSP side, with security implications for both parties.
This talk describes and details how, on the CSP side, the use of Universal DNS Zones and of cloud credentials passed in URL parameters turn out to be security nightmares. Universal DNS Zones refers to the design decision by CSPs to use common DNS zones for all customers, with no distinction as to who owns a given resource. This leads to a set of security issues that can be abused to perform cloud resource hijacking. The case of cloud credentials in URL parameters focuses on Azure SAS token abuse scenarios. Although neither bad practice is a novel discovery, our investigation reveals new, previously unpublished scenarios covering a wide range of possible attacks.
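The dangling-resource problem that Universal DNS Zones create can be audited from the defender's side: any CNAME in your own zone that points into a provider-wide shared zone and no longer resolves is a takeover candidate. The following script is an added example written for this page, not code from the talk or from Trend Micro; the list of shared zones and the sample records are constructed for illustration, and the resolver is injectable so the check runs offline.

```python
"""Flag dangling CNAMEs that point into shared (universal) CSP DNS zones.

Added example, not from the talk. A CNAME whose target lives in a zone shared
by all of a provider's customers and that no longer resolves is a hijack
candidate: whoever next creates a resource with that name inherits the pointer.
"""
import socket
from typing import Callable, Iterable, List, Tuple

# Illustrative shared provider zones (assumed list; extend for your providers).
UNIVERSAL_ZONES = (
    ".azurewebsites.net",
    ".blob.core.windows.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".s3.amazonaws.com",
    ".elasticbeanstalk.com",
)


def in_universal_zone(target: str) -> bool:
    """True if the CNAME target sits under a provider-wide shared zone."""
    name = target.rstrip(".").lower()
    return any(name.endswith(zone) for zone in UNIVERSAL_ZONES)


def resolves(name: str) -> bool:
    """Default live resolver: does the name currently resolve to an address?"""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def find_dangling(records: Iterable[Tuple[str, str]],
                  resolver: Callable[[str], bool] = resolves) -> List[Tuple[str, str]]:
    """records: (owner_name, cname_target) pairs from a zone export.

    Returns the (owner, target) pairs whose target is in a shared zone and
    does not resolve. Targets outside shared zones are ignored even if dead.
    """
    return [(owner, target.rstrip("."))
            for owner, target in records
            if in_universal_zone(target) and not resolver(target)]


# Constructed sample zone export; live DNS state replaced by a canned resolver.
SAMPLE_RECORDS = [
    ("app.example.com.", "old-app-1234.azurewebsites.net."),   # resource deleted
    ("static.example.com.", "assets.blob.core.windows.net."),  # still exists
    ("www.example.com.", "example.com."),                      # not a shared zone
]
CANNED_STATE = {"assets.blob.core.windows.net": True}


def canned_resolver(name: str) -> bool:
    return CANNED_STATE.get(name.rstrip("."), False)


if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_RECORDS, canned_resolver):
        print(f"dangling: {owner} -> {target}")
```

Run with the default resolver against a real zone export to get live results; the canned resolver only serves the embedded sample.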