Aqua Research Team

We have recently discovered the first-ever evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors. The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack. Our research suggests that this campaign is actively targeting at least 60 clusters in the wild.   

Aqua Nautilus researchers have discovered a chain of critical vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server.Furthermore, these vulnerabilities could be exploited even if the Jenkins server is not directly reachable by attackers and could also impact self-hosted Jenkins servers. 

This blog was co-authored by Nitzan Yaakov Aqua Nautilus researchers discovered a new elusive and severe threat that has been infiltrating and residing on servers worldwide since early September 2021. Known as HeadCrab, this advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers. The HeadCrab botnet has taken control of at least 1,200 servers. 

Last month Aqua published a blog with the predictions from our Nautilus security research team regarding trends and new threats we are watching for 2023. In case you missed it over the holidays, we’ve included a link at the end of this post – it’s definitely worth the read.

This blog was co-authored by Assaf Morag Recently, a dependency of the widely used PyTorch-nightly Python package was targeted in a dependency confusion attack, resulting in thousands of individuals downloading a malicious binary that exfiltrated data through DNS. The individual responsible for this attack claimed to be a security researcher whose research had gone awry. In this blog, we will provide an explanation of this attack and how to safeguard against similar supply chain attacks.

As we think about what Cloud Native security will look like in 2023, we can’t avoid thinking about the old cat-and-mouse game cliché of cyber security. Every year new attacks emerge while new security solutions are created and old security fixes are upgraded. Threat actors constantly append new methods to the old ones, using them as part of their ever-growing toolbox. With this in mind, we asked Aqua Nautilus – our security research team – to share their thoughts on what to expect in the coming year in terms of new attack vectors in cloud native environments. 

In early October, the US Department of Justice announced that a verdict had been reached in the case against former Uber CISO Joe Sullivan, finding him guilty of two counts associated with covering up a data breach at the company. What made the Uber data breach case particularly noteworthy was that it was not seeking to recover costs or damages for those affected by the breach, which would typically be civil charges, but was filed as a criminal charge for obstruction of the proceedings of the Federal Trade Commission. This important distinction raises the bar on potential personal risk any CISO is taking on. A guilty verdict in criminal cases becomes part of an individual’s record, and penalties can even include incarceration, although sentencing has not yet been concluded in this case. Clearly, the U.S. Attorney’s office was looking to set a precedent with the Uber security breach case to discourage those in the CISO role from hiding any information that legally must be disclosed under various privacy protection laws.So now, in addition to worrying about the potential harm incidents like an Uber breach may cause to a company’s brand or to the CISO’s reputation and future job prospects, do we need to add concerns about the possibility of personal fines and jail time?  Importantly, what protections and resources should every CISO make sure are in place to avoid assuming personal risk?

Dirty Pipe (CVE-2022-0847) proved that there is a new way to exploit Linux syscalls to write to files with a read-only privileges. The fact that someone can write to a file regardless of its permissions is a big security threat. An application of this vulnerability would be to write on the host from an unprivileged container. Keep in mind that this vulnerability is a kernel vulnerability which makes it hard, or even impossible, for user-mode runtime monitoring programs to detect this sort of file modification. In this blog we’ll show how Tracee, which is designed with a deep understanding of the Linux kernel, allows for runtime monitoring when this vulnerability would be exploited. We will detail how this vulnerability works, why it’s so unique, and how in-kernel technology like eBPF is still able to monitor writes that result from it.

This blog was co-authored by Ofek ItachAqua Nautilus discovered new Go based malware that targets Redis servers. The attack was executed against one of our deliberately vulnerable Redis honeypots (CVE-2022-0543). Our investigation revealed new undetected malware written in Golang designed to target Redis servers to allow the attacking server to dominate the compromised machine. Therefore, the malware received the name Redigo. In this blog, we’ll examine how adversaries exploit this Redis vulnerability and use it to run the new malware. Moreover, we’ll review the attack process and recommend methods to protect against future attacks.