Javier Godinez

Javier Godinez is a Principal Security Engineer, Red Team Founder and Software Developer at Intuit. He has been working in the Cloud security space for the last five years and has developed a number of applications for testing the security of Cloud deployments and patterns for operating in the Cloud securely. He has previously worked for SAIC and SSC San Diego delivering unique security platforms to support cybersecurity. Javier is a Certified Information Systems Security Professional (CISSP) and Certified AWS Solutions Architect.

Cumulus – A Cloud Exploitation Toolkit

Day 2 - 18th Oct 10:30-11:20 Hall 1 Advanced

There is a lack of tools for testing the security of Cloud deployments; The Cumulus Toolkit is an attack framework for exploiting the Cloud’s weak points. This talk covers AWS basics, IAM security, gaining a foothold and pivoting in the Cloud and demonstrates how to escalate privileges using the Cumulus toolkit.

The Cloud enables software projects to speed up development because it allows developers to provision infrastructure and make configuration changes to their networks without much friction. This ease of deployment was but a dream in the age of the traditional datacenter. However, the Cloud also brings new attack surface which needs further exploration. Cloud Identity and Access Management (IAM) services (such as Amazon’s) are primary targets for attackers as these typically control access to hundreds of API calls over many services.

Over the years there has been various discussions around cloud security, e.g., Pivoting in Amazon Clouds (2013), and few tools have been developed to enable testing the security of Cloud deployments. These tools are standalone, have not attained wide adoption, and/or have not made it into widely adopted toolkits. To fill this void, we have developed the Cumulus Toolkit. The Cumulus Toolkit is a Cloud exploitation toolkit based on the Metasploit Framework. We chose Metasploit because its wide adoption and its wealth of existing features.

The Cumulus toolkit is a set of modules and techniques that can be used perform privilege escalation, account takeover, and to launch unauthorized workloads. To illustrate security concerns resulting from lax IAM policies, we present the Create IAM User module which can be used to create a user with administrative privileges. To perform complete account takeover, an attack that we’ve seen in the wild, we present the User Locker module which is used to lock out all legitimate users out of the account. Finally, we present the Launch Instances module which can be used to launch Cloud hosts on demand.

Slides