Andrew Davis

4 posts published

Auditing identity activity for NOBELIUM and MagicWeb in AWS
Security

Earlier this week, Microsoft researchers [https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/] discovered NOBELIUM abusing identities and credentialed access to maintain persistence and facilitate covert access. In AWS environments, the IAM Identity Center [https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html] (formerly AWS SSO) enables