The past couple of years have seen a rise in software supply chain attacks, with the most salient example being the SolarWinds attack. As production environments have gained multiple layers of protection, and much of the attention of security teams, malicious actors have set their sights on “poisoning the well”, i.e., targeting where applications are developed or their building-block components. But what does this mean for cloud native? Are cloud native applications more susceptible to supply chain attacks? Let’s try to answer these questions, using examples from Aqua’s Team Nautilus cyber research findings from attacks observed in the wild.
In April, MITRE published the ATT&CK matrix for Containers covering adversarial techniques that target container technologies. At Aqua, we were proud to support this effort by sharing our knowledge and helping refine and extend the matrix. As for the risks in Kubernetes, Microsoft created a framework for Azure-based environments (AKS), but what about vanilla K8s? We incorporated techniques that Aqua researchers have observed in real-world attacks and developed our own dedicated threat matrix for Kubernetes, mapped to the MITRE ATT&CK Framework.
Insufficient access restrictions, permissive storage policies, and publicly exposed assets are only a few of the mistakes companies make when configuring their cloud infrastructure. The scale of the problem is mind-blowing, with 90% of organizations being vulnerable to security breaches due to cloud misconfigurations. Aqua’s Cloud Security Report sheds light on the most common cloud configuration issues in real production environments.
A recent security incident disclosed by Codecov has again placed the spotlight on supply chain attacks. Looking at the details of the incident and how the system operated, it’s clear that organizations should change how they use third-party services as part of their Continuous Integration (CI) pipelines. So what can you do to reduce the risk of this occurring?
Java Debug Wire Protocol (JDWP) is a great way to remotely debug applications during development. However, if it is left enabled when shipped to production, attackers can exploit this mistake to run arbitrary code, giving them initial access to or privilege escalation in your production environment. Using Aqua’s Dynamic Threat Analysis (DTA) scanner, we at Team Nautilus detected dozens of misconfigured container images in Docker Hub, which belong to large organizations and may expose them to severe risk when running in production. In this blog, I will show how attackers can exploit this misconfiguration and explain the threats to containers and Kubernetes.
In September 2020, Aqua’s Team Nautilus detected a campaign that targeted the automated build processes of GitHub and Docker Hub. At that time we notified the affected services and they blocked the attack. Now, this campaign has resurfaced with a vengeance. In just four days, the attackers set up 92 malicious Docker Hub registries and 92 Bitbucket repositories to abuse these resources for cryptocurrency mining.
Last week, TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images hosted in Docker Hub, the attackers are targeting misconfigured Docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that looks for the next victim. In this blog, I will explore these container images and what they were designed to do.
A new severe vulnerability was found in sudo on Unix and Linux operating systems. It allows an unprivileged user to trigger a heap overflow and elevate privileges to root without authentication, or even without being listed in the sudoers file. In this blog, I’ll go over how this CVE can be exploited, what sudo versions are affected, and how to mitigate the issue.
It has certainly been a rough year, and just as life constantly evolves, so do cyber threats. So, here are a few blogs by our cybersecurity research group, Team Nautilus, that got the most attention from cloud native security professionals. These blogs highlight how attackers continue to get more creative over time, as we cover container image exploitation, fileless malware, Kinsing malware, sophisticated evasion techniques, and much more.
A year of challenges isn’t quite over yet, as a new vulnerability was found in containerd. Once an attacker has a connection from the container to the host network, exploiting it yields root privileges on the host. This vulnerability was disclosed by Jeff Dileo of NCC Group; Team Nautilus’ own investigation is aligned with his findings.