Rootkit Turns Kubernetes from Orchestration to Subversion

As software development focuses on continuous integration and deployment, orchestration platforms like Kubernetes have taken off, but that popularity has put them in attackers' crosshairs. Most successful attacks - at least those publicly reported - have led to the deployment of cryptomining containers, essentially stealing cloud compute from businesses to mine cryptocurrency.

The attacks could be much worse. Infecting Kubernetes clusters with rootkits would give attackers whole collections of containers under their control, says Nicholas Lang, a security researcher with cloud-infrastructure security firm Sysdig, who will present a prototype rootkit at Black Hat Europe next month. A rootkit on a cluster node could, for example, hide malicious containers on that system. Because the containerized payloads are hidden from the operating system, later stages of the attack can take more sophisticated actions with little risk of being noticed, he says.

"Even though it interacts with the kernel to get these containers up and in place, after that ... the rootkit is able to hide these containerized payloads," Lang says. "The rootkit is part of the initial payload ... and then, you know, future stages will do more sophisticated things in secret because they're hidden from the operating system by the rootkit."

Kubernetes is a popular way of automating the configuration, deployment, and management - that is, the "orchestration" - of containers: isolated software environments that can run a wide variety of workloads, from servers to applications to software-defined networks. The technology is critical for cloud applications in today's fast-moving world of software development and deployment. Vulnerabilities and misconfigurations are top security concerns for Kubernetes, and for the same reasons attackers have targeted the infrastructure.
In February, an attacker compromised a misconfigured Kubernetes cluster, first installing cryptojacking containers and then stealing intellectual property and sensitive data. A month earlier, Microsoft researchers discovered that the Kinsing malware had started targeting poorly configured database containers on Kubernetes platforms.

Kubernetes Under Attack

The spate of attacks has software firms worried. Two-thirds of companies have delayed or slowed down an application deployment due to a security concern with Kubernetes, according to Red Hat's "2023 State of Kubernetes Security Report." While attackers have exploited vulnerabilities in Kubernetes infrastructure, misconfigured applications running in containers are, by far, the most common way the orchestration platform is compromised, says Sysdig's Lang.

"A misconfigured Web server or Web application gives the attacker shell access to that virtual machine or inside that container," he says. "Depending on the attacker's sophistication level, they'll either realize that they're inside of a container or a virtual machine, or whatever, and try to escape to the host, or they realize that they're in a Kubernetes environment by doing a little bit of poking and prodding."

While one Linux kernel rootkit, Diamorphine, has occasionally turned up in attacks on Kubernetes clusters, rootkits built specifically for Kubernetes have not yet become popular. Lang argues that will change, and as a preview, he and another security researcher, Andrew Hughes of Narf Industries, plan to demonstrate their own Kubernetes rootkit at the Black Hat Europe Conference in December. "The real change is the attackers learning that Kubernetes is increasingly common in the cloud, and how to deal with it and how to get around it, and how to make use of it even," he says.
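The "poking and prodding" Lang describes, reduced to a checklist, as an added example that is not the article's or Sysdig's code: it takes the process environment, a file-existence probe and the contents of /proc/1/cgroup, and reports whether the shell is inside a container and whether that container is a Kubernetes pod. The indicators are the standard ones (the /.dockerenv marker, container runtime names in the cgroup path, the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT variables the kubelet injects, the auto-mounted service account directory). The sample environment, file set and cgroup line are constructed, and the function and class names are the example's own. A purple team would run the same checks to confirm that a foothold actually landed in the cluster rather than on a plain VM.

```python
"""Fingerprint the sandbox a shell has landed in: container or not, and
Kubernetes pod or not. Added example, not code from the article or from
Sysdig. All probes are injected so the logic runs offline; live_probe()
wires the real environment and filesystem."""
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Directory the kubelet mounts when automountServiceAccountToken is on.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
# Runtime names that show up in cgroup v1 paths; under cgroup v2 a container
# often sees only "0::/", so this is a weak signal on its own.
CGROUP_MARKERS = ("kubepods", "docker", "containerd", "crio", "libpod")


@dataclass
class Fingerprint:
    in_container: bool
    in_kubernetes: bool
    namespace: Optional[str]
    api_server: Optional[str]
    evidence: List[str] = field(default_factory=list)


def fingerprint(env: Dict[str, str], exists: Callable[[str], bool],
                cgroup_text: str, read_text: Callable[[str], str]) -> Fingerprint:
    """Decide from injected probes; every indicator found is recorded."""
    evidence: List[str] = []

    # Container indicators.
    if exists("/.dockerenv"):
        evidence.append("/.dockerenv present")
    for marker in CGROUP_MARKERS:
        if marker in cgroup_text:
            evidence.append(f"/proc/1/cgroup mentions {marker}")
            break

    # Kubernetes indicators: injected service env vars and the SA mount.
    k8s: List[str] = []
    api_server = None
    host = env.get("KUBERNETES_SERVICE_HOST")
    port = env.get("KUBERNETES_SERVICE_PORT")
    if host:
        api_server = f"https://{host}:{port or '443'}"
        k8s.append(f"KUBERNETES_SERVICE_HOST set, API server {api_server}")
    if exists(f"{SA_DIR}/token"):
        k8s.append("service account token mounted")
    namespace = None
    if exists(f"{SA_DIR}/namespace"):
        namespace = read_text(f"{SA_DIR}/namespace").strip()
        k8s.append(f"namespace {namespace}")

    in_kubernetes = bool(k8s)
    # A pod is always a container, even when the cgroup path says nothing.
    return Fingerprint(bool(evidence) or in_kubernetes, in_kubernetes,
                       namespace, api_server, evidence + k8s)


# Constructed sample: a pod in namespace "web" with the default service
# account auto-mounted, on a node using cgroup v1 paths. Hypothetical values.
SAMPLE_ENV = {"KUBERNETES_SERVICE_HOST": "10.96.0.1",
              "KUBERNETES_SERVICE_PORT": "443",
              "HOSTNAME": "shop-frontend-7d9f"}
SAMPLE_FILES = {"/.dockerenv": "",
                f"{SA_DIR}/token": "constructed-token",
                f"{SA_DIR}/namespace": "web\n"}
SAMPLE_CGROUP = "12:memory:/kubepods/burstable/pod3c1e0a2b/a9f2e4c7\n"


def sample_probe() -> Fingerprint:
    """Run the checks against the constructed sample above."""
    return fingerprint(SAMPLE_ENV, SAMPLE_FILES.__contains__,
                       SAMPLE_CGROUP, SAMPLE_FILES.__getitem__)


def live_probe() -> Fingerprint:
    """Run the real probes on the current process (Linux)."""
    def read(path: str) -> str:
        with open(path) as fh:
            return fh.read()
    cgroup = read("/proc/1/cgroup") if os.path.exists("/proc/1/cgroup") else ""
    return fingerprint(dict(os.environ), os.path.exists, cgroup, read)


if __name__ == "__main__":
    for hit in sample_probe().evidence:
        print("-", hit)
```

When the service account is mounted, the result also carries the API server URL an attacker would try next with that token, which is why setting automountServiceAccountToken to false on workloads that never talk to the API removes one of the easiest signals.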
Kubernetes Admins Need Visibility

Typically, a victim would have to see a rootkit getting loaded, or a vulnerability being exploited by the attacker, to catch an attack on a Kubernetes cluster, Lang says. Admins can also look out for kernel modules that get loaded at runtime, which really should not happen in a production setting, he says.

"These systems don't really do a whole lot of crazy stuff, so if you see inside a container or on a host that runs containers, you can be pretty confident something bad is going on," he says. "Otherwise, catching it is very, very difficult, because a lot of it happens in user space or in an application layer where you don't have a lot of deep insight."

Admins should also ask their red team to run a joint exercise: attacking while the defenders try to detect them, then working with the defenders to analyze the attack, a practice known as purple teaming. Sysdig runs its own honeypot, exposing Kubernetes ports to potential attacks, and typically the first probes come quickly, Lang says.

"Within minutes, sometimes seconds, it's already getting attacked," he says. "So purple teaming is how you will find and close your gaps, and then not putting Kubernetes on the Internet in the first place is a great way to not get attacked."
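Lang's "kernel module loaded at runtime" signal, as an added example that is not Sysdig's or the article's tooling: a Python check a node agent could run over /proc/modules, the integer in /proc/sys/kernel/tainted and kernel log lines (dmesg or journalctl -k). The module names and log lines are constructed sample data; the message formats are the ones the kernel's module loader itself prints, and the taint-bit meanings come from the kernel's tainted-kernels documentation. The example also handles the case the article raises with Diamorphine, a module that unlinks itself from the kernel's module list: it no longer appears in /proc/modules, but the taint bits it set and the log line printed at load time remain.

```python
"""Runtime kernel-module checks for a container host.

Added example, not Sysdig's or the article's own tooling. It works on three
inputs a node agent can read: /proc/modules, the integer in
/proc/sys/kernel/tainted, and kernel log lines. Module names and log lines
below are constructed sample data (hypothetical modules kmod_helper and
kmod_evil); the message formats are what kernel/module prints."""
import re

# Subset of Documentation/admin-guide/tainted-kernels.rst. Bits 12 and 13 are
# the ones a freshly built, unsigned rootkit sets when it is insmod'ed.
TAINT_BITS = {
    0: "P: proprietary module loaded",
    1: "F: module force-loaded",
    12: "O: out-of-tree module loaded",
    13: "E: unsigned module loaded",
}
RUNTIME_LOAD_BITS = (1 << 12) | (1 << 13)

# /proc/modules: name size refcount deps state address [(taint flags)]
MODULE_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>\d+)\s+(?P<refs>\d+)\s+(?P<deps>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<addr>0x[0-9a-f]+)(?:\s+\((?P<taint>[A-Z+]+)\))?\s*$"
)

# Messages the module loader prints when a load taints the kernel.
LOG_PATTERNS = [
    ("out-of-tree", re.compile(r"(?P<mod>\S+): loading out-of-tree module taints kernel")),
    ("unsigned", re.compile(r"(?P<mod>\S+): module verification failed: "
                            r"signature and/or required key missing")),
    ("license", re.compile(r"(?P<mod>\S+): module license '[^']*' taints kernel")),
]


def parse_proc_modules(text):
    """Return {name: {"size", "refs", "taint"}} for the text of /proc/modules."""
    mods = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MODULE_LINE.match(line)
        if m is None:
            raise ValueError(f"unexpected /proc/modules line: {line!r}")
        mods[m["name"]] = {"size": int(m["size"]), "refs": int(m["refs"]),
                           "taint": m["taint"] or ""}
    return mods


def unexpected_modules(text, baseline):
    """Modules present now that were not in the boot-time / image baseline."""
    return sorted(set(parse_proc_modules(text)) - set(baseline))


def decode_taint(value):
    """Readable list of the known taint bits set in /proc/sys/kernel/tainted."""
    return [desc for bit, desc in sorted(TAINT_BITS.items()) if value & (1 << bit)]


def scan_kernel_log(lines):
    """(module, reason) for every kernel log line that records a tainting load."""
    hits = []
    for line in lines:
        for reason, pat in LOG_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((m["mod"], reason))
                break
    return hits


def assess(proc_modules_text, tainted_value, log_lines, baseline):
    """Combine the three signals into one report.

    A module that unlinks itself from the module list drops out of
    /proc/modules, but the taint bits and the log line from load time stay,
    so a module seen in the log and absent now is reported separately: it was
    either unloaded legitimately or it is hiding."""
    unexpected = unexpected_modules(proc_modules_text, baseline)
    events = scan_kernel_log(log_lines)
    present = set(parse_proc_modules(proc_modules_text))
    hidden = sorted({mod for mod, _ in events if mod not in present})
    return {
        "unexpected": unexpected,
        "taint": decode_taint(tainted_value),
        "log_events": events,
        "hidden_candidates": hidden,
        "suspicious": bool(unexpected or events or tainted_value & RUNTIME_LOAD_BITS),
    }


# Constructed sample input: what an agent might read on a container host.
BASELINE = {"overlay", "br_netfilter", "xt_conntrack"}
SAMPLE_PROC_MODULES = """\
overlay 151552 12 - Live 0xffffffffc0c00000
br_netfilter 32768 0 - Live 0xffffffffc0b80000
xt_conntrack 16384 4 - Live 0xffffffffc0b40000
kmod_helper 16384 0 - Live 0xffffffffc0a00000 (OE)
"""
SAMPLE_TAINTED = RUNTIME_LOAD_BITS  # 12288: O and E set
SAMPLE_LOG = [
    "[  812.104437] kmod_evil: loading out-of-tree module taints kernel.",
    "[  812.104512] kmod_evil: module verification failed: signature and/or "
    "required key missing - tainting kernel",
    "[  815.002113] overlayfs: upper fs does not support tmpfile.",
]

if __name__ == "__main__":
    print(assess(SAMPLE_PROC_MODULES, SAMPLE_TAINTED, SAMPLE_LOG, BASELINE))
```

On a real node the baseline is the module set captured right after boot from the known-good image, and the check is worth running from the host rather than from a pod, since a rootkit that hooks the syscalls used to read /proc can lie to both.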

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:02 +0000
