Attacking the Application Supply-Chain

$2,299.00

Duration

2 days

Delivery Method

virtual

Level

intermediate

Seats Available

20

Duration

2 days

Delivery Method

virtual

Level

intermediate

REGISTRATION CLOSED

DATE: 17-18 April 2023

TIME: 09:00 to 17:00 CEST/GMT+2

Date Day Time Duration
17 Apr Monday 09:00 to 17:00 CEST/GMT+2 8 Hours
18 Apr Tuesday 09:00 to 17:00 CEST/GMT+2 8 Hours

Supply Chain risks are everywhere. We’ve seen a burst of supply chain exploits against organizations, totaling billions of dollars of value lost. Supply-chain security and implementation is essential, and required by regulation. However, it is important for pentesters and red-teams to understand how they can leverage supply-chain attacks against applications, to further strengthen their defense implementations against it.

This training is a deep hands-on, red-team exploration of application supply-chains. We commence with an understanding of application supply chains, and subsequently dive into story-driven scenarios of exploiting supply-chains like exploiting CI systems, build systems.Container infrastructure and cloud-native infrastructure hosted on Kubernetes, AWS and Azure.

People learn better with stories. Our exploit and lateral movement scenarios are intricately designed labs that are backed by real-world stories that help students understand this subject-matter a lot better. This training was sold-out at Blackhat USA 2022 with a 4.8/5 Rating.

 

 

Lab Experience Video

 

Agenda

Day 1

Introduction to Application Supply Chain

  • Understanding the supply chain landscape
  • An overview of supply-chain attack vectors
  • MITRE ATT&CK framework for supply-chain compromise
  • A brief history of supply-chain attacks

 

Pre-Build Supply Chain Security

Threat modeling for supply chain – A red-team perspective

Application Dependencies – Stories and Hands-on Labs

This section of the class is where we do a couple of case studies (stories) on identifying vulnerabilities against Application Dependencies and compromising them. Once compromised, we’ll be looking at possibilities of post-exploitation and lateral movement against these dependencies. In these stories, we’ll be showcasing the following type of attacks and exploits:

  • Attacks against Client-side Dependencies:

○ Magecart-style and other JavaScript client-side attacks leading to user compromise, browser-hooking and so on
○ Attacking client-side supply chain elements by attacking private CDNs, static stores, etc.
○ Exploring additional client-side exploit possibilities with CSP Bypasses, etc.
○ Attacking CDN infrastructure like Cloudfront and S3 with CSP bypasses to perform client-side supply-chain exploits

  • Attacking Applications by compromising Server-side dependencies:

○ Leveraging vulnerable components to perform application exploits and Lateral movement. This includes:

  • Remote Code Execution
  • XXE
  • SSRF flaws
  • And more to perform exploitation and post-exploitation
  • Attacking Package Manager Behaviour against the Application Supply-Chain:

○ Typo-squatting flaws
○ Dependency Confusion attacks

  •  Exploring Defense Possibilities against all attack types showcased in the stories and exploring the defense implementations through hands-on labs

 

Attacking CI Services

Overview of CI Services
  • A brief overview of commonly used CI services

○ Jenkins
○ Bamboo
○ GitHub Actions
○ GitLab CI

 

Attack Stories against CI Systems

In this section we’ll be covering multiple attacks and exploit scenarios around attacking CI Services. These attacks specifically look at approaches where adversaries compromise the CI tools to be able to inject malicious code or otherwise taint the build process and environments of organizations. The case studies and stories that we’ll cover as part of this module include the following:

  •  Build system dependency – Attack vectors

○ Cross build Injection attacks

  • CI Service dependency – Attack vectors
  • CI based Webhook exploits
  • Vulnerabilities and exploits against Jenkins using Jenkins Plugins
  • Github Actions exploits using malicious actions and misconfigured Github actions
  • Attacking Gitlab using Templating systems and Dependency chaining

 

Day 2

Cloud-Native Supply Chain Attacks

Cloud-native environments are a massive source of supply-chain risk. With Infrastructure-as-Code, to Continuous Deployment Systems, to Cloud-native package management, there’s tremendous scope for attacking, exploiting and escalating privileges against cloud-native environments. In this section we’ll be looking at case studies and stories of supply chain security risks against Kubernetes and AWS environments as a reference point. Naturally, these will be replete with deep-dive hands-on labs that will walk you through the multi-step flaws and exploits against cloud-native supply chains

 

Attacks against cloud-native environments
  • An overview of cloud and microservices
  • A brief intro to Cloud-native environments

○ AWS
○ Azure
○ Cloud
○ Kubernetes & Microservices

  • Threat landscape in cloud-native environments

○ Common attack patterns

 

Attacking Kubernetes Supply-Chains
  • An overview of kubernetes and cluster components
  • Attack vectors in a kubernetes cluster
  • Leveraging vulnerable registry to upload trojanized image(s)
  • Compromising the cluster network
  • Helm-Chart based attacks
  • Performing Person-In-The-Middle attack to compromise package installations
  • Permanent backdoor to a kubernetes cluster through malicious packages and CRDs
  • Leveraging Kubernetes Webhooks to perform Cluster Privilege Escalation Attacks

 

Compromise AWS environments
  • Overview of AWS components
  • Introduction to AWS Lambda

○ Understanding layers

  • Compromising Lambda with excessive privileges
  • Performing lateral movement to gain access to s3 and manipulating sensitive objects
  • Compromising cloud environments through malicious executables
  • Injecting malicious scripts in s3 CDN to mine crypto – for fun and profit
  • Attacking ECR registries with faulty IAM privileges

 

Compromising Azure Environments with Supply-Chain Attacks
  • Understanding the Azure Services and IAM Model
  • Attacking Azure Function Apps to compromise underlying container infrastructure and escalating privileges into the Azure Account
  • Attacking Azure DevOps implementations for Account Compromise Scenarios

Why You Should Take This Course

Supply-Chain Security is a critical area of security responsibility, but identifying vulnerabilities in this space is a relatively new area of focus for offensive security professionals. This training aims to fix that
Through the story-driven narrative of the training, people learn more and learn better. They are able to grasp and use hands-on labs against a variety of environments from traditional to cloud-native environments
The labs have been designed with diversity in mind. The environments are diverse. The technology stacks are diverse and the supply-chain security challenges are diverse. This leads to a better learning experience for the student.

Who Should Attend

  • Pentesters
  • Red-Teamers
  • DevSecOps Professionals DevOps Professionals
  • Cloud Security Pros Application Security Managers

Key Learning Objectives

  • Potential for Supply-Chain Attacks across the Stack. Students will go from Attacking Code Environments, to Build Systems to deployment enviromments like Cloud and Kubernetes. This provides a very powerful view of supply-chain vulnerabilities through the Stack

  • Understanding the various supply chain elements and risks to those supply-chain elements for any given application

  • A deep-dive story-based red-team perspective with intricate hands-on labs, meant to encourage realistic learning and approaches that they can use from the day after they complete this training, at their job
  • Prerequisite Knowledge

    TBC

    Hardware / Software Requirements

    TBC

    Your Instructor

    Rajesh Kanumuru works at we45 as a Cloud Security Lead. Rajesh is a builder and breaker of Cloud applications. He has created some pioneering works in the area of Cloud Security. He is actively researching the effects of emerging technologies on cloud security. Since 2020, Rajesh has mostly been involved with research, development, and building solutions around the training offerings and consults with organizations to help them implement Cloud Security successfully. Rajesh has co-authored and trained a course on Purple Team AWS that was delivered by we45 at Blackhat USA 2022.

    Abhay Bhargav is the founder at AppSecEngineer, a revolutionary training platform committed
    to solving the Security Skills Shortage.

    He has created some pioneering works in the area of DevSecOps and AppSec Automation,
    including the world’s first hands-on training program on DevSecOps, focused on Application
    Security Automation. In addition to this, Abhay is active in his research of new technologies and
    their impact on Application Security, namely Containers, Orchestration and Serverless
    Architectures.

    Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP
    AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like
    AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat, SHACK and so on.