Aqua Research Team

This blog was co-authored by Asaf Eitani    Threat actors are looking to increase their financial gain and thus deploy cryptominers which are considered easy to use and lucrative. Cryptomining involves complex calculations leading to high computation power and consequently increased CPU consumption and electricity (or cloud) bill. Aqua Nautilus found a new type of cryptomining attack in the wild. As far as we know, no one has of yet reported this kind of attack. The new cryptominer is designed to hijack network bandwidth. In this blog we explain this technique and analyze attacks we recorded in the wild.

Security practitioners often need to investigate malicious artifacts in their environments, which can be challenging if those are deleted or loaded from memory. This is increasingly the case as threat actors are weaponizing Linux kernel modules to perform and hide their attacks. In this blog, we look into kernel modules and explain why they can be dangerous, how threat actors are using them, and how you can detect and capture them for investigation with the open source runtime security tool Tracee.

Aqua Team Nautilus recently discovered that all Node.js versions earlier than 16.16.0 (LTS) and 14.20.0 on Windows are vulnerable to dynamic link library (DLL) hijacking if OpenSSL is installed on the host. Attackers can exploit this vulnerability to escalate their privileges and establish persistence in a target environment. The vulnerability can also provide another way to embed malicious code into packages.

A recent campaign by the 8220 gang, who have been known to exploit the newly discovered critical Confluence vulnerability (CVE-2022-26134), targeted one of our honeypots. This campaign has evolved over time to deliberately target containers. In this game of cat and mouse, the threat actors used some new techniques, refurbishing the scripts from one attack to another, adding new capabilities to attack the compromised host, and spreading the attack to additional hosts. In this blog, we’ll break down this attack, review its techniques, and analyze it using a runtime detection and prevention tool.

We learned about a bug in GitHub that for about five days at the end of February allowed third-party applications connected to GitHub to generate new scoped installation tokens with elevated permissions. For example, if you connected the Codecov app to your GitHub account with read-only access to your repositories, during that window the app could have created a new token with write access to them. This bug could have led to major security issues, including data loss and leaks of secrets and credentials. Since GitHub disclosed the bug only late last week, the actual scope of impact has yet to be determined.

In our latest research, we at Team Nautilus found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access historical clear-text logs. More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub. Attackers can use this sensitive data to launch massive cyberattacks and to move laterally in the cloud. 

When running third-party applications in your cloud environments, you inherently put your workloads at greater risk. This is especially the case when the third-party software exposes some API function to the public web. Apache Struts 2 is a popular open source cross-platform web application framework, used by many developers in their day-to-day work. Recently, we at Team Nautilus captured an interesting attack on an Apache Struts 2 container, which we’ll break down in this blog.

Aqua’s Team Nautilus found a logical flaw in npm that allows threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it. Up until recently, npm allowed adding anyone as a maintainer of the package without notifying these users or getting their consent. Since you could assign poisoned packages under any popular maintainers, we named this logical flaw and its implications “package planting”. We reported these techniques to the npm team and they fixed the underlying issue.

As companies continue to adopt cloud native technologies at a rapid pace, an increasing number of cyber threats are targeting the cloud native environment. To defend against these threats, security practitioners must stay abreast of attackers’ evolving tactics, techniques, and procedures. For its 2022 Cloud Native Threat report, Aqua’s Team Nautilus analyzed attacks that were observed in the wild over the past year to highlight the latest developments in the threat landscape.