Aqua Research Team

Last month Aqua published a blog with the predictions from our Nautilus security research team regarding trends and new threats we are watching for 2023. In case you missed it over the holidays, we’ve included a link at the end of this post – it’s definitely worth the read.

Recently, a dependency of the widely used PyTorch-nightly Python package was targeted in a dependency confusion attack, resulting in thousands of individuals downloading a malicious binary that exfiltrated data through DNS. The individual responsible for this attack claimed to be a security researcher whose research had gone awry. In this blog, we will provide an explanation of this attack and how to safeguard against similar supply chain attacks.

As we think about what Cloud Native security will look like in 2023, we can’t avoid thinking about the old cat-and-mouse game cliché of cyber security. Every year new attacks emerge while new security solutions are created and old security fixes are upgraded. Threat actors constantly append new methods to the old ones, using them as part of their ever-growing toolbox. With this in mind, we asked Aqua Nautilus – our security research team – to share their thoughts on what to expect in the coming year in terms of new attack vectors in cloud native environments. 

In early October, the US Department of Justice announced that a verdict had been reached in the case against former Uber CISO Joe Sullivan, finding him guilty of two counts associated with covering up a data breach at the company. What made the Uber data breach case particularly noteworthy was that it was not seeking to recover costs or damages for those affected by the breach, which would typically be civil charges, but was filed as a criminal charge for obstruction of the proceedings of the Federal Trade Commission. This important distinction raises the bar on potential personal risk any CISO is taking on. A guilty verdict in criminal cases becomes part of an individual’s record, and penalties can even include incarceration, although sentencing has not yet been concluded in this case. Clearly, the U.S. Attorney’s office was looking to set a precedent with the Uber security breach case to discourage those in the CISO role from hiding any information that legally must be disclosed under various privacy protection laws.So now, in addition to worrying about the potential harm incidents like an Uber breach may cause to a company’s brand or to the CISO’s reputation and future job prospects, do we need to add concerns about the possibility of personal fines and jail time?  Importantly, what protections and resources should every CISO make sure are in place to avoid assuming personal risk?

Dirty Pipe (CVE-2022-0847) proved that there is a new way to exploit Linux syscalls to write to files with a read-only privileges. The fact that someone can write to a file regardless of its permissions is a big security threat. An application of this vulnerability would be to write on the host from an unprivileged container. Keep in mind that this vulnerability is a kernel vulnerability which makes it hard, or even impossible, for user-mode runtime monitoring programs to detect this sort of file modification. In this blog we’ll show how Tracee, which is designed with a deep understanding of the Linux kernel, allows for runtime monitoring when this vulnerability would be exploited. We will detail how this vulnerability works, why it’s so unique, and how in-kernel technology like eBPF is still able to monitor writes that result from it.

Aqua Nautilus discovered new Go based malware that targets Redis servers. The attack was executed against one of our deliberately vulnerable Redis honeypots (CVE-2022-0543). Our investigation revealed new undetected malware written in Golang designed to target Redis servers to allow the attacking server to dominate the compromised machine. Therefore, the malware received the name Redigo. In this blog, we’ll examine how adversaries exploit this Redis vulnerability and use it to run the new malware. Moreover, we’ll review the attack process and recommend methods to protect against future attacks.

The OpenSSL project has pre-announced a new and critical severity vulnerability, which was downgraded to High as of today, Nov. 1, 2022. The initial pre-announcement blog has been updated here to reflect additional remediation guidance.

A new vulnerability in the Apache Commons Text library indicates that attackers can perform remote code execution (RCE). The media rushed to create hype around this vulnerability, comparing it to the infamous zero-day vulnerability Log4Shell, which emerged late last year and was broadly exploited by attackers. However, it’s too soon to say whether this new vulnerability has the same vast impact on production environments and if attackers can as easily exploit it. So far, we haven’t seen in our honeypots any indications that this vulnerability is actively being used in the wild.

We at Aqua Nautilus have discovered that npm’s API allows threat actors to execute a timing attack that can detect whether private packages exist on the package manager. By creating a list of possible package names, threat actors can detect organizations’ scoped private packages and then masquerade public packages, tricking employees and users into downloading them. This kind of attack is linked to a broader category of supply chain attacks. Over the past few years, we’ve seen an increase in the volume and variety of such attacks in the wild. In this blog we’ll dig deeper into this issue and demonstrate how you can mitigate the risks.