Are you ready to drive more awareness to your brand? Consider becoming a sponsor of the AI ​​Impact Tour. Learn more about opportunities here,

A wave of new attacks targeting Kubernetes in 2023: Dero and Monero crypto miners, Scarlatel, and RBAC-busters. Finding an initial base with a web app vulnerability, then moving in later is the hallmark of a Kubernetes attack. Understanding the reality of these attacks can help protect your organization from current and future attacks targeting Kubernetes.

Here’s a description of how attacks happen and what you can do to protect against them — or at least minimize the damage once one happens.

scarlettail attack plan

The Jupyter Notebook web application hosted in Kubernetes was the entry point for Scarletil, whose goal was to enable access to encrypted, sensitive data in cloud storage and crypto mining. To find open entries into the AWS cloud environment, the attackers used an open-source Kubernetes penetration testing tool called Pirates, as well as a similar tool called Paku.

Scarlatil demonstrated how easily an attacker can advance in a cloud environment. The attacker jumped from a web application hosted in Kubernetes directly to Kubernetes on the cloud and back again. Defenders don’t have a similarly connected view of their environment, instead looking at cloud security, web app security, and Kubernetes security separately, then struggling to piece together the attacker’s full trajectory and objectives. We do.

vb event

AI Impact Tour

Join the enterprise AI community at VentureBeat’s AI Impact Tour coming to a city near you!

learn more

What can you do to prevent scarlettail?

If you are not using Jupyter Notebooks, you may not be vulnerable to this attack. But there are many other web app vulnerabilities as well. You can ensure that you are protected from the specific cloud misconfigurations that attackers took advantage of. If you run EKS, look into where you have IMDSv1 vs IMDSv2 installed and get a blue team to run Pirates and Paco against your environment before an attacker.

Runtime capabilities will potentially detect Pandora malware, but will not connect it to the broader attack and activity occurring in cloud and Kubernetes environments, so it may not stop the entire attack.

Dero and Monero cryptocurrency miners

In the Dero attack, the bad actor first scanned for the Kubernetes API, where authentication is set to allow anonymous access to anyone. For this to work, the cluster also needs an RBAC configuration that allows the creation of pods in that cluster. When these conditions are met, the attacker deploys a daemonset, creating its own pods from malicious images in the cluster.

The first part of the Monero attack is similar to Dero. Then, with access to the Kubernetes API, the attackers took down the Dero pods and deployed their own privileged pods via Daemonset. The privileged pod attempted to mount the host directory to escape the container and downloaded a rootkit that could hide the miner. Later, the attacker installed a custom mining service on the host.

Unlike Dero, the Monero attack involves privilege escalation and container escape techniques. Allowing privileged containers is one of the most important Kubernetes security issues to avoid. Kubernetes disallows privileged pods in its baseline policy for pod security standards, making this less likely to happen by default.

However, if you are running EKS and Kubernetes v1.13 and above, the default pod security policy is Privileged. In EKS, you must delete this policy to enable your client policies – an additional step that potentially increases the chances that you will allow the creation of privileged pods.

In Monero, there is a lot of runtime activity that happens after hackers exploit initial Kubernetes misconfigurations. Locking it will prevent malicious runtime behavior from spreading to other pods and clusters. Preventing disallowed host mounted paths and privileged pod misconfigurations is the most important preventive measure. If you are doing KSPM on the polling interval, you are missing any attacker activity happening in between.

How to avoid dero/monero attacks

If exposed, your primary concern is to minimize the blast radius – because in Kubernetes the attack happens in real time, not at runtime. If your runtime capability includes a rule related to Monero crypto mining, you can block the final stages, but not the initial stages, of the protocol.

Although you probably won’t set up your API to allow anonymous access, there are other ways this same entry point can be exploited. A malicious insider could employ backdoors or cryptocurrency miners similar to these attacks. A developer may inadvertently check out a service account token or kubeconfig file in a public Git repository which may leave the cluster vulnerable.

The most important protective measure is to prevent the creation of malicious workloads from daemonsets. There is also the matter of observability tooling, as many crypto jacking operations are discovered through unexpected traffic spikes.

Since this attack used an image to create a malicious pod, setting up an admission control policy that prevents the creation of workloads coming from untrusted image sources will work. However, you will either have to enforce the policy broadly or employ a real-time KSPM detection solution to understand where exactly you are having problems, then use the ingress controller when correcting the configuration in code.

RBAC-Buster plan of attack

The attacker attempts to gain a foothold in the Kubernetes environment by scanning a misconfigured API server that will allow unauthenticated requests from privileged users. The attackers used privileged access to list secrets and search the kube-system namespace.

They created a new ClusterRole with admin privileges and a new service account in the namespace, tying the two together to give the service account admin privileges to the ClusterRole. The attacker looked for an AWS key to gain access to the cloud service provider. They then used Daemonset to deploy malicious pods for crypto mining in the cluster using a container image.

The initial phase of this attack assumes that your Kubernetes API server is not only open, but that it is also accepting requests from privileged users. The rest of the attacks operate with this privileged access.

What can you do to protect against RBAC-Buster?

To spread the latter, the attackers used Daemonset technology similar to the Dero campaign – a reminder to prevent the creation of malicious workloads from Daemonsets. Check your API server configuration and audit your RBAC permissions to protect against this attack.

Preventing future attacks

The team that discovered RBAC-Buster said that 60% of the exposed clusters found had an active campaign underway. This does not mean that 60% of all groups have been exposed. But attackers are looking for mistakes, misconfigurations, and ways into your Kubernetes environment.

Most clusters were only accessible for a few hours, highlighting the ephemeral nature of Kubernetes clusters and pointing out that what opens up exploits and vulnerabilities today may be closed to attackers tomorrow. This means that rescaling is a nightmare if you are working with polling intervals that may not show these changes over time.

Relying only on admission control or reverse-engineering detection on runtime events will either miss the mark or detect it too late when the next attack arrives. You need a real-time, combined view of Kubernetes risk. Avoidance in depth is a best practice. But, if defense in depth doesn’t provide a view of how all the different components work together, you’re still one step behind the attacker.

Jimmy Mesta is the CTO and co-founder of KSOC.

datadecisionmakers

Welcome to the VentureBeat community!

DataDecisionMakers is where experts, including technical people working on data, can share data-related insights and innovations.

If you want to read about cutting edge ideas and the latest information, best practices and the future of data and data technology, join us at DataDecisionMakers.

You may also consider contributing an article of your own!

Read more from DataDecisionmakers

Source: venturebeat.com