Transcript
Hello, everyone, and welcome to part one of our three-part series on runtime security.
My name is Joe Murphy with Aqua, and today we're gonna have some fun talking about the runtime security threat landscape: establishing the foundation and unique challenges of runtime security in cloud native.
Now, this is a three-part series. If you haven't registered for parts two and three, please do so. We'd love to have you throughout the whole series, as it helps to paint the full picture.
And before we get started, a quick agenda and some housekeeping.
We are going to set the stage with what cloud native is and why it is different,
understanding the cloud native app life cycle and the dynamic cloud native threat landscape, and we're gonna take a deep dive into a really interesting piece of malware called Kinsing, and we'll wrap up with key takeaways.
As a reminder, the session is being recorded. You're gonna see a survey at the conclusion of today's session with two questions.
So please fill those out, and we encourage you all to engage in the conversation.
So let's get the chat going now. If you want, let us know where you're joining from today. And everyone in attendance, as a token of our appreciation, is gonna be the first to receive a copy of our 2024 cloud native threat report from Aqua Nautilus.
So without further ado, joining me today we have the man, the myth, the legend, Mr. Matt Richards, Aqua's CMO. Matt, thanks for joining us today. I'll let you take it away.
Awesome. Thank you, Joe. Welcome to Houston, Northern Virginia, Maryland, and anybody else I might have missed.
Welcome to our webinar today, really the first set of the foundation for runtime security. So my name's Matt.
I've been Aqua's CMO for a little over two and a half years, but I also feel like I need to say that I come from an engineering background, of all things. So I am gonna talk a little bit about Kinsing and exactly where it came from as we run through this. So let's set the foundation. Right? What are we here to talk about?
We're here to talk about what's happening to applications today. And at the highest level, whether you call it digital transformation, cloud transformation, or application modernization,
whatever that is, at the highest level we're talking about moving from on-prem to this hybrid of on-prem and cloud, or multi-cloud, or both.
And whether you call it one of those initiatives, chances are you're running through exactly that in your infrastructure, in your environment, in your applications. And you're moving those applications as part of that transition. And we keep using the word cloud native. Everyone knows what it means.
And the key to the cloud native word, to me, is containers. Right?
If you are building applications to deploy in containers, then you are building cloud native applications. But of course there's a lot more to it than just that, but that is one of the largest indicators.
You could be talking about Lambda, right, functions on Amazon, or Fargate, right, which is containers as a service. In other words, you're probably assembling third-party code and open source code in your software supply chain leading into containers.
But containers are a really big indicator.
And so are many of the technologies on this slide. But when we say cloud native, this is what we mean.
And the whole reason companies are undergoing this transformation is because cloud native is fast. It's more agile. It lets you deploy your applications much faster in microservices, componentized infrastructure, microservices that allow you to combine applications almost like molecules. Right? Each component is developed in a different pipeline potentially, is deployed on a different schedule, and is managed independently of all the others, but they come together as what we might have traditionally called an application, in this molecule.
And it's faster. Why is it good? Because you can replace a component, not the whole thing. Monolithic, not so much the case anymore.
It's now more about cloud native applications that are these combinations of microservices. And the challenge is it's super complex.
So when we look at these transformations that companies are undergoing, our customers, they usually are on-prem, whether it's Kubernetes, OpenShift, or Tanzu, plus cloud.
So they might be using AWS and Azure.
And then there's a range of services. So maybe they're using AWS Fargate, but they're actually using Microsoft to host virtual machines as nodes in their Azure Kubernetes deployment.
Or, right, they're on-prem just getting started. And it's usually on-prem plus one or two or maybe more of these clouds.
And the complexity of this is a mess. You know, one could think of each of these boxes as a type of deployment, right, in a particular location. And then each of these littler boxes is one of those microservices that gets knitted together. And it's incredibly complex, and this transformation that all these businesses are undergoing in this migration needs to be kept secure.
And this complexity makes it worse because the attack surface is now different. Instead of one monolithic attack surface, you have a bunch of little attack surfaces that are constantly evolving. Microservices come up, they go down. Containers come up, they go down. And as the attack surface evolves, right, so must the security underneath it to keep the business's risk manageable.
So this cloud native is complex. Right? It's faster. We know that. We can get more deployed faster, a more agile business, a more agile support of the business. It's complex.
And it's also completely different. I alluded to some of this already.
But the cycle time on a traditional application, you know, just not that long ago, we were building applications in like twelve weeks. We thought that was fast. And here you have plan, code, build, test. That's the CI/CD pipeline.
Normally it's represented as an infinity loop. In this case, we just stretched it out straight to make it easier to understand what we're talking about. And the cycle time on a new release used to be maybe twelve weeks. You had some open source code.
Right? Quite a bit, actually, even just ten years ago, somewhere around seventy-five percent.
But a lot of times you were running that application through a single pipeline.
And it was more monolithic in nature. And you had a few VMs. Right? Okay. You might have a load balancer and then, I don't know, five application servers out front, and then a data layer and a storage layer and a couple of redundant virtual machines there, and that was your application.
It was all kind of self-contained. And you had, like, three months before maybe the next version was released. 3.1 would come out. And then three months later, you might see version 3.2. And it was pretty static.
And pretty well prepared. You needed to plug firewalls in and load balancers and set up your DMZ and all that stuff. Right? That was how we did it. These days in cloud native are very different. The cycle time, you know, Amazon's releasing a new bit of code into their cloud every fifteen minutes.
Ninety-six percent of the code that's being released today is open source.
And what's more troublesome, but also amazing at the same time, is this: everything is code. So you're writing your infrastructure as code. For example, the developers might be writing out the infrastructure they need. It used to be that would go to an architect, which would then go to a firewall team and a networking team that would configure it for you. Now it's written as code, interpreted by Kubernetes at runtime, and virtually set up.
And now, because it's microservices instead of one monolithic pipeline, you might have twelve different pipelines all combining into maybe a hundred and fifty containers.
Which of course leads to a ton of alerts and alert fatigue.
The time to live might be twelve hours. A typical container only lives twelve hours.
And so they're called ephemeral for this reason. Transient, perhaps.
They might go up and down. Right? So you might have it for twelve hours and then it goes away, and then it lives for another twelve hours later this week. But instead of living for three months, it's in twelve-hour increments. And that attack surface as a result is highly dynamic.
Because the service that was up for twelve hours is no longer there. If you managed to compromise it, your compromise is no good. In fact, it's very common for banks and others to rebuild their entire cloud native application every morning from scratch. Just in case someone got into the application and was able to compromise something.
It is reset out of the gold master every morning. Yeah. Insane. Right? Can you imagine redeploying your applications every morning? But I promise you, we have customers who do this.
Because it's easier. And by the way, they also reset all of their keys. Just in case someone managed to compromise one of their keys.
Every time they reset that environment. And that's part of what the differences are between typical application development, that we would have come to expect over the years, and cloud native.
And it's so complicated. This is one of my favorite Gartner quotes lately: that ninety-nine percent of the cloud security failures that we're gonna see as folks shift to the cloud in these transformations, ninety-nine percent of the failures are gonna be the customer's fault, because it is so complicated and dynamic.
And variable.
And this starts to get at it. Okay. So you start to understand the complexity of the problem.
Okay.
What are people doing about it? Well, as you might imagine, bad actors have a habit of moving to where the defenses aren't. And so over the past few years, bad actors have been shifting their efforts to where the treasure is: production, containers moving into production, and also where the defenses have maybe been a little bit more lax over the years. So they're evolving their attacks.
The attack volume growth in our own Nautilus research team, which Joe talked about a little bit a moment ago, and I'll actually allude to more about the Nautilus team in a minute. I'll talk about it. We saw an increase of forty-eight percent year over year in attacks on cloud native infrastructure, specifically on cloud native applications.
Forty-eight percent year over year is fifty percent growth, basically. And what's happening, because bad actors go to where the security isn't so strong, is that the agentless approaches to cloud native security, which have in many ways been debunked, are still necessary, but they're not really security. Right? Because the attackers are able to drop in-memory attacks.
That number has increased fourteen percent year over year in in-memory attacks, because your agentless security tools cannot see those attacks. They're never written to disk.
So we're seeing a massive increase in those attacks specifically.
And then, of course, they don't come in and leave. They're gonna leave a backdoor fifty percent of the time. That means later they can come back and get easier access. Because they may not exfil data. They may not take a bad action today. They may just leave it for tomorrow.
And fifty-four percent of the time, even if they do take a bad action today, they're coming back, and then worms.
Obviously, if you can infect one machine, you'd really like that machine's help to infect everything else on the network, and that's exactly what the worms are trying to do. And I'll show you that. Kinsing is really interesting, to see how the attack tree fans out. And then attackers can scan the entire internet within an hour. Let me tell you a quick story, a customer of ours. An hour.
Well, there was a developer that deployed a virtual machine.
And that virtual machine was secured to standards, but the password left for access was relatively generic, and it was brute-forced within ten minutes.
And there was a Bitcoin miner installed on that machine in ten minutes. So it's not even an hour. You can think that's the max; they can find you in ten minutes.
And that was not a honeypot. Right? That was an actual machine.
For developer use.
So it shouldn't have been that easy to find, but it was. So ten minutes. So bad actors are evolving. They're getting more sophisticated as well.
Here's a question for you. I'm gonna throw this out there. Sixty-four percent. And I'm gonna ask you what you might think sixty-four percent is of what?
I think sixty-four percent of CISOs losing their hair might be a little low, but I'm just hinting.
But if you guys will click through and answer that, just to get a sense for it, and then I'll tell you what it is.
Alright.
Alright. Let's share the results. So the sixty-four percent of bad actors... so in a recent survey of security professionals who were seeing an increase in attacks on their environment, sixty-four percent of the CISOs surveyed were attributing the increase in attacks to the use of generative AI.
And the interesting thing is generative AI isn't just a really good phishing email. Right? It's also being used to generate code. So we are just seeing the tip of the iceberg on the attacks that are stemming from AI. And even now, that's a huge number considering how relatively new generative AI is; that's just gonna get worse. So I love that number. Alright.
Attacks used to be simple. Alright. I alluded to this. Right? Okay. I'm gonna get access somehow.
I'm gonna deploy a malicious container, and it's gonna run a crypto payload. And by the way, this is how some of our customers came to understand they needed us. They noticed their Amazon bill was somehow twice what it had been before. I'm sure you've heard the stories.
It's now running a crypto payload.
Why is it so expensive? Because someone is stealing your CPU. Right? Fine. That was before.
It is increasingly complicated. Now it's many methods to gain access.
And they're dropping binaries. They're not just dropping one crypto miner. Right? They're dropping a lot.
They're not just dropping either; they're also communicating with command and control servers and others, inbound and outbound communication. They're scanning. Right? This is the worms, looking across a network. And the really smart ones aren't even scanning.
They're going to the local trusted host file on the server that was compromised and not scanning, because scanning can be seen as a tool to isolate a bad actor on the network. Right? So that might trigger a network alert. Right?
But if you're not scanning, but you're looking at the trusted host file on the server, now you can get the same data without making it clear that you're looking for other servers to compromise.
Exfiltrating sensitive data. Of course. We can talk about the double extortion now. Right?
It's not enough to pay to get encrypted data back. It's also: you're gonna pay us to decrypt the server, but then you also have to pay us, or we will release this online. Like, we're seeing attackers get way more complicated. And that's more ransomware, but it's an adjacent field, and it's happening.
Targeting cloud accounts, of course, because if I can get into your cloud, I can see all of that wonderful digital transformation application and its components at work. And naturally evading detection: rootkits and other things that are being deployed to evade detection.
So it's getting complex. And just to give you a view, right? There's sort of these four layers, we like to say. And we'll go into this more in the future. But on this particular webinar, supply chain attacks, yes.
Probing for misconfigurations? Absolutely. Because that's a way in. Vulnerabilities, though, are still a big component of how you might break your way in. But once you're in, hey, you're gonna download an exploit.
Send the addresses to the attacker for other attacks. Probe for Docker daemons that might be open, or other APIs that are accessible. You know, connect to Kubernetes and launch images of your own. We'll talk about this when we see Kinsing. This is exactly what they're trying to do.
Ultimately, wanting to elevate privileges so they can get to the next level.
Getting access to the host, adding that backdoor, connecting to the command and control servers, stealing secrets, stealing keys, running coin miners. In fact, in Kinsing, one of the latest evolutions is Kinsing is now starting to steal secrets.
And this is the Looney Tunables Kinsing vulnerability and attack that we found a little earlier this fall. And, of course, running the Bitcoin miners is still a big one. But this is how a typical attack unfolds.
And the reason we know so much about how this works is part of Aqua we call Nautilus. I promised I'd talk about Aqua Nautilus. Aqua Nautilus is our cloud native research team. This is what they do for a living. And what you're seeing on the left here is a representation of the attack traffic on our network of honeypots around the world. So it's over a month. It's three quarters of a million attacks.
And a hundred thousand IPs on fifty-seven different ports across a hundred fifty-three different... because we'll deploy these honeypots. Right? We'll deploy misconfigured or vulnerable systems on purpose, as that's a honeypot's job: to attract an attacker. And then, of course, as you know, they get scanned and found and attacked.
And that's done across twenty-one regions. And our team does nothing but watch these honeypots and study and understand the real live cloud native attacks today.
And that's part of what makes them such a unique asset for us. And that's how we can say some of what we say with authority, because we know from our exact research how these systems are being compromised, because we watch it happen. And, of course, working with our customers.
So here's just some examples: 8220 on the left. We have TeamTNT in the middle, TeamTNT also on the right. And it's just an attack tree. This is what Aqua Nautilus is helping us understand, because if you understand this, then the mitigation in runtime to protect against this can be very clearly defined.
And so this is what Aqua Nautilus is helping to do. Right? They're coming to understand these attacks and feed it in. And so some of the research and data, and I'll show you one very specifically in a minute on Kinsing.
So what are we seeing? What is this team seeing? I promised to talk about, you know, what is cloud native, and then what is happening in the attacks? Okay.
Well, Aqua Nautilus is a study in the unknowns. Right? I like to think of this as an iceberg. And above the water, you have what you can see.
The known threats: you know malicious IP addresses. You know malicious URLs. You can keep them out. You can keep access to those URLs out.
You know malware, so you can pattern match and scan.
You know rootkits, and you actually maybe know what that looks like. Okay. So maybe you can either keep them out or identify when a rootkit has compromised the system.
You know what a crypto wallet looks like. But what you don't know are a lot of the unknown threats. What's TeamTNT doing next? What's the next application that Kinsing is targeting? And what's that? Or what's group 8220 doing, or even HeadCrab?
We can go into those in a little bit more detail so you know exactly what I'm talking about. So Kinsing, targeting eighty-six applications right now. Kinsing is a particularly nasty piece of malware that's been around for years, and I'll go into an attack tree of a typical Kinsing attack in a minute.
Actually two of them. But it's been targeting applications over the years, and it is mostly trying to deploy Bitcoin miners. And more recently, it's a Bitcoin miner and it's a worm, trying to work across an area.
And it's also more recently trying to grab secrets. And this is an evolution of Kinsing. And this is what happens, right? The threats of the various actors evolve, while Kinsing is a well-known threat actor, if you will, a well-known form of malware.
TeamTNT. This is a team of folks. What's interesting too is that Kinsing and TeamTNT are related. TeamTNT put out a ton of malware over the years, and then they put out a social post not too long ago, two years ago, two and a half years ago.
And they said, okay, we're done. And while the party's good. Right? We're done. And they disappeared for two years.
But what we're seeing is that attacks that fit their profile are coming back.
And generally what they're doing is they're dropping dozens of files in a single attack, just trying to overwhelm and compromise the system. And what's really interesting is some of the Kinsing code is actually used by TeamTNT, which is pretty common. So it's almost like open source for attackers. They're sharing, or they're finding and borrowing code, because that code works so well. Well, TeamTNT is starting to leverage some of the Kinsing code and has over the years. HeadCrab. This was a piece of malware that we found.
This was something we found; our Nautilus research team found it. It was attacking Redis servers.
And it was a state-sponsored attacker. And it wasn't just like a one-and-done thing. Yes, we found it. Yes, we worked with Redis. We did a whole press release on this, a whole blog about it.
What was interesting about it, though, right? If you know, it's a reference to an older game where the headcrab lands on your head and turns you into a zombie. Well, that's kind of what was happening to the Redis servers. So that's the name HeadCrab.
And what was really interesting about it, though, was that in the comments, when we reverse engineered the code, there were comments in there, almost like a little blog from the developer. And in there, after the first round, he or she started to drop messages to Aqua Security, quite literally mentioning us by name, about what and why he was doing this, how it was a state-sponsored act, so it wasn't illegal, and he was basically trying to make money. And so it was an interesting conversation.
Of an entirely new form of malware we hadn't seen before.
And then the last one here is this group 8220. These are the guys that attack honeypots very quickly.
Another ransomware, or, excuse me, another cyber team, if you will, that is very active and very quick with their honeypots. But I promised a little bit more on Kinsing. So what is it? Right? It's malware.
First seen maybe half a decade ago, and it's been adapting and evolving over the years. That's why there's so many applications that are compromised with Kinsing. And it's adapting to new vulnerabilities in applications. So earlier this year, and we'll talk about it in a little bit.
A couple of examples of exactly where that happened and how they're getting in. Docker was pretty popular early on, and other apps have been added over time. Most recently was Openfire, which we'll talk about in a minute. And then cyber security experts.
Like, the thing about the TTPs for Kinsing is that they keep evolving.
And like I said, and we'll talk about it in a minute, the latest one is a little bit more interesting. So what happens? Alright.
Kinsing. What happens? Well, in this case, this is one of the earlier Kinsing attacks; it's something that Nautilus puts together for us. And the team, Aqua Nautilus, was able to track and trace the attack.
Okay. Let's run through it. Right? The Kinsing attacker comes in through an open API port in Docker.
Okay. And then they're gonna run their own container. Uh-huh. So they're grabbing a container and they're running it.
Maybe a new one, actually. In this case, they're not downloading it first. This is a new container, which itself then downloads a shell script. What does the shell script do here?
It's downloading it from that address that starts with 142. That shell script does what? Well, it's a d.sh, and it downloads the Kinsing malware, and it adds itself to crontab. Now, you guys probably know crontab is the cron job scheduler.
So you can make sure that shell script is run every hour for the rest of your life if that server is running. For example, that makes sure that it persists.
And then you're downloading the Kinsing malware from the IP address.
And it's also, once it grabs the malware, it's going to hash it and add it to ClamAV, which means the antivirus, the typical ClamAV, right, the open source antivirus scanner sitting on most Linux systems, will now no longer recognize it as a threat because it's been added as safe.
So it's persistent in running the shell script, and the malware is now allowed to remain on the system. Then it's gonna download the lateral movement script. This is that whole worm action. Right? It's gonna download a lateral movement script.
What's interesting, though, is that when it runs that lateral movement script, it may or may not actually scan the local network.
More recently, it's been actually reading the local host file, right, which points to the trusted hosts nearby. And instead of scanning, it then gets IP addresses and connection credentials from that. And so it's looking for credentials. It's also downloading a cryptominer. As we said, that's one of Kinsing's primary efforts in the world: to cryptomine. And it's gonna add a hash of that to ClamAV and carry right on running as long as it can. Kinsing will talk to the command and control servers.
And then the lateral movement script will try to move its way across the organization and try to find other credentials and keys.
And then run an SSH connection to those other servers and try to move itself.
So, I mean, that's a pretty complex form of malware. That's what Kinsing is, an interesting attack. Now, this is an older Kinsing attack, but still, more recently, it's a very simplified version, a similar campaign flow against Openfire. Now this is, in April I think, a vulnerability, a CVE, obviously, from 2023. So last year, on Openfire, and this is something we blogged about back in August. But the attacker finds a vulnerable Openfire server, right, and they're dropping a JAR file this time on Openfire.
And they're creating a new admin that's now a web shell. And now they can do everything we just saw. So this is a very quick version. It says dropping and running Kinsing. Absolutely. But is it dropping and running Kinsing, and where is it getting it? And then is it adding it to ClamAV?
And then it's also probably trying to work its way across the network. So imagine exactly the same things, but now happening with Openfire.
Really interesting evolution. And most recently, the Looney Tunables version of this: the difference is, not only is it trying to run malware and grab a cryptominer, it's trying to grab secrets.
Kinsing is evolving and getting smarter and more sophisticated, and it's a real-time attack in runtime on live systems.
And it is what we at Aqua are designed to protect you against. Kinsing is just one example. So next question. Hasn't been very interactive so far? Next question. Seventy-five percent. What does that mean? Seventy-five percent: where do the attacks occur?
And I always like to say, so where is the data stored? Where are the transactions housed? Where do things happen? Well, they happen.
Interesting, so here. There you go. Alright.
So what we're seeing is, you're right. They happen in production. Seventy-five percent of attacks on enterprises happen in production. Why? Because that's where the good stuff is. Of course that's where it happens. So you have to make sure that, with all of these threats, things like Kinsing out there,
with all of these threats, Kinsing is just one, that you're protected in real time and runtime, because ultimately that's where you're compromised and that's where the risk to your business is the largest. So with that: great, Matt. There's all these attacks. How do we defend against them? Well, let me say this. You can defend against them.
This is what we at Aqua do for a living. But this isn't about that. I'll leave that to some of our upcoming webinars. How do you defend against these attacks?
And we'll go from there. Okay? So to bring this home, we talked about, like, containers are a big indicator of cloud native. If you're working with containers, you need container security; you need a cloud native application security solution.
The attacks focus where the defense is the weakest, what you've seen, and that is including in-memory attacks. That's why it's been up by fourteen percent year over year. Runtime security is critical because it's the last line of defense before you lose.
So these are the key takeaways from us. I wanna plug the next one in the runtime security series, securing cloud native environments. This is the second one. And it will be on the twenty-fifth of January. Joe, I don't know if you wanna say more.
Next Thursday at eleven, at the same time. So I just dropped a link to the registration page in the chat, everyone. So if you haven't registered for parts two and three, please do. We'd love to have you. It'll paint the full picture of what we're out here to share.
Fantastic. And with that, folks, thanks for your time.
See you next Thursday at eleven.
Thank you so much, Matt. Thank you, everyone. Cheers to a more secure 2024.