frichetten.com
Staff Security Researcher @datadoghq | DEF CON/Black Hat main stage speaker | he/him | OSCP OSWE | I turned hacking AWS into a career | Tweets are my own | Created https://hackingthe.cloud

Last May we shared our research on using AWS non-production endpoints for a variety of attack scenarios against AWS environments. These endpoints are easy to find and provide options for an adversary to evade detection. More recently, we have partnered with AWS to find 1/x

Weird little bug that's now fixed: The FIPS endpoints for Comprehend Medical omitted the user agent and IP info of the caller in CloudTrail. Instead you'd only get "AWS Internal". Goes to show, a lot of little things can slip through the cracks with CloudTrail. hackerone.com/reports/2979...

Messages like this always warm my heart. Cloud security research is all about improving the safety and security of the platform to protect users.

See you all in Denver!

T-Minus 15 minutes until tickets go on sale for the best cloud security conference on earth! They'll sell out fast so don't miss it. If you do, you have a second chance in 12 hours! buff.ly/4hXjTnn

It could be my code but it looks like there was a massive spike in new AWS API endpoints. For reference, this service has been running in the background for months and hovers between 0-200. I've never seen it randomly shoot up this high. I'm guessing new or beta service?

Major shout out to @flekyy90.bsky.social for TrailDiscover! (traildiscover.cloud) It’s been an incredibly useful tool for finding real world AWS incidents by API call and TTP.

Need to hack thousands of AWS customers? What about on internal AWS systems? Datadog Security Research found that a number of tools, including one published by AWS, are susceptible to name confusion attacks, leading to RCE in vulnerable environments! securitylabs.datadoghq.com/articles/who...

Good news! AWS has released some examples on how to block the misconfigured OIDC role attack. This has been a prevalent topic for researchers the past two years as numerous services can be affected. I spoke about this at DEF CON when the Amplify service was vulnerable. github.com/aws-samples/...

If you’re @wildwesthackinfest.bsky.social and want to chat about AWS, security research, Datadog, or just want a Hacking the Cloud sticker, come find me in the upper lounge area of the lobby. I’ll be here for the next hour submitting some bugs to the AWS Vulnerability Disclosure Program.

Cary Hooper presenting “A Journey From Alert(1) to P1” @wildwesthackinfest.bsky.social!! Showing some cool tricks with XSS

Thanks everyone for attending my keynote @wildwesthackinfest.bsky.social!! Come find me for a Hacking the Cloud sticker (while supplies last). I’ll be hanging around the con.

@wildwesthackinfest.bsky.social let’s gooo!!! See you all tomorrow!

Ever wish your office had views of beautiful mountains? Then I’ve got an opportunity for you! Datadog has a number of open positions in Sales and Engineering in our Denver Colorado office! That includes an open Staff Software Engineer position within Security Research! careers.datadoghq.com/denver/

The CFP for the best cloud security conference on earth is now open! If you'd like your research to be presented alongside the cutting edge of the industry, this is your opportunity! fwdcloudsec.org/conference/n...

Misconfigured GitLab OIDC roles in AWS can let attackers assume roles without restrictions. This post walks through exploiting these misconfigurations step by step and explains how AWS’s default console settings can lead to vulnerable IAM roles.

Exciting news! I’ve been accepted to speak at #RSAC 2025! I’ll be presenting “Critiquing Cloud Criminals: Ready for Smarter Cloud Attacks?”. We’ll critique the tradecraft and techniques of real world threat actors! It’s like a Gordon Ramsay cooking show, minus the accent and swearing! See you in SF!

Threat insights from Datadog Security Labs for Q4 2024 securitylabs.datadoghq.com/articles/202...

If you’re curious what all the fuss is with DeepSeek R1 and want to try it out for yourself on your own hardware but have no experience with LLMs, you can use Ollama to download and run the model. Optionally, Open WebUI on top can provide a nicer interface.

This is how I learned everything I know. School of hard knocks just keeps knocking haha.

C IS LEGAL AGAIN

Curious about the recent threat landscape in cloud security? Datadog Threat Research has you covered! Last quarter we found new threat actor campaigns, spotted attackers trying to get access to AI services, and reported new supply chain attacks. Details: securitylabs.datadoghq.com/articles/202...

A little less than two weeks before Wild West Hackin’ Fest: Mile High! There will be a ton of great talks, training, and networking opportunities in beautiful Denver CO. I’ll be speaking about my experiences transitioning from on-prem to cloud pentesting! wildwesthackinfest.com

Have a cloud product or service that you want to get in front of the movers and shakers of the industry? Then you need to sponsor fwd:cloudsec! The PREMIER cloud security conference, featuring industry-leading talks, and brilliant attendees! Details: docs.google.com/forms/d/e/1F...

With AWS’ push for GenAI, I’m surprised they haven’t built a tool for generating least-privilege IAM policies from natural language. Simply explain what your workload will do and have it generate IAM policies to match that. Have it warn you in detail when something is risky.

After recent news of attackers encrypting customer S3 objects with KMS as part of ransomware (a technique first discussed in 2019), AWS has provided some guidance for avoiding this threat. aws.amazon.com/blogs/securi...

How about having fun with an AWS Russian Roulette using one of the most expensive AWS API calls? (About $36K per year for this AWS Shield API) You go first.

I remember ranting about this stuff in the early 2010’s - into an absolute void. There’s just no consequences for misbehaviour and consumers don’t understand it to apply pressure. singe.za.net/twitter/sing...

Exciting way to start the new year, I won a Switch from a sweepstakes. Thanks Hershey’s!

Great post from @scottpiper.bsky.social echoing what many of us have been saying for a while; OIDC is great! But easy to misconfigure, and when it is it can have serious consequences. Even AWS themselves fell into this trap.

A big heartfelt thank you from all of us at Signal to every person who has ever used Signal, gotten your friends to make the switch, and donated to support our work. It is truly an honor to build Signal for you. 💙

Lately, every BSides seems to have a talk on reframing security teams as a “Department of Yes”. We don’t hear nearly as much about the value of a well-considered, strategically deployed “No”. I've pulled together guidance on giving a better, more constructive No: ramimac.me/saying-no

Keep an eye out for notices - AWS RDS Protection for GuardDuty seems to have had some issues collecting logs. Unclear how pervasive this was!

Interesting example of leveraging the AWS Console for phishing. I’ve seen it done with CloudFormation templates but not SSM Documents. dev.to/aws-builders...

As 2024 comes to a close it's time to look back on the year. For the first time ever "SSRF to the metadata service" was NOT the top article on Hacking the Cloud! What was? You'll have to read the post to find out :) Happy holidays everyone! hackingthe.cloud/blog/2024_wr...

Throwback to my old laptop. I think my sticker game has gone soft. New resolution for next year.

If you’re a techie (or heck a remote worker) one of the best investments I’ve ever made was in getting a second internet connection. This is the second time in 2 days where I’ve had degraded service from Xfinity. When it happens my router automatically fails over to the backup (5G Modem).

Today in cursed family tech support:

> I started vacation today
> Stock market tanks
Coincidence?

🔑 Azure Key Vault Contributors can't access keys... but they CAN modify access policies! More on how this can lead to unintended data access here: securitylabs.datadoghq.com/articles/esc...

Very scary report out of Serbia: Cellebrite is now being used by cops to unlock the phones of journalists they take into custody, and to then infect those phones with tracking malware www.404media.co/cellebrite-u...

🎄 I shared a lab on reviewing Azure security with KQL + Resource Graph Explorer! My walkthrough is available as Day 14 of the Advent of Cloud Security: ❄️ Calendar, Day 14: advent.cloudsecuritypodcast.tv ❄️ Full Repo: github.com/siigil/azure...

Very pleased with my recent sticker haul!! You can find them at www.etsy.com/shop/NeatSti...

Less than 55 days until Wild West Hackin' Fest @ Mile High 2025 arrives in Denver with keynote speakers @malwarejake.bsky.social and @frichetten.com! wildwesthackinfest.com/wild-west-ha...

New on Hacking the Cloud: Misconfigured OIDC trusting roles in AWS? Easy initial access. Eduard Agavriloae shares how to exploit IAM roles that are misconfigured to trust Terraform Cloud. As in... anyone's Terraform Cloud. Happy holidays and happy hacking! hackingthe.cloud/aws/exploita...