The simplicity and flexibility of microservice architecture has led to increasing adoption of containers and Kubernetes in the cloud. According to Gartner, more than 75% of global organizations will be running containerized apps in production by 2022.
As adoption increases, threat actors are evolving their toolsets to compromise container workloads. Recently, it was reported that 50,000 IPs across multiple Kubernetes clusters were compromised by TeamTNT.
Threat actors typically exploit vulnerabilities and/or misconfigurations in container workloads. They can move not only between containers, but also between containers and the underlying hosts. Recently, we observed that threat actors such as TeamTNT have developed more sophisticated techniques to perform container escapes.
In the TeamTNT operation we observed, once the attacker gains a foothold on a privileged container, it uses a container escape technique similar to the initial POC tweeted by Felix Wilhelm of Google. It abuses the cgroups release_agent feature as shown below:
By using the above script, an attacker is able to break out of the container and execute the cmd script as root if the container is run as a privileged container. The nginx binary is actually a cryptocurrency miner. The attacker may have used the name nginx to trick the victim into thinking that it is a legitimate web server and to evade detection.
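The escape described above leaves two traces a collector can see: a write to a cgroup release_agent file issued from inside a container, and a process that subsequently runs on the host, outside any container. The following added example, which is not part of the original post and not Confluera's or the attacker's code, flags both and stitches them into one per-container timeline; the JSON event schema and field names, the 60-second linking window and the system-directory allowlist are all assumptions for the example.

```python
import json
from collections import defaultdict
from posixpath import basename

# Constructed sample events in a made-up JSON-per-line schema
# (ts, container_id, privileged, comm, op, path). An empty container_id
# means the process ran directly on the host, outside any container.
SAMPLE_EVENTS = """\
{"ts": 11, "container_id": "7a1f40", "privileged": true, "comm": "sh", "op": "write", "path": "/sys/fs/cgroup/memory/x/release_agent"}
{"ts": 12, "container_id": "", "privileged": false, "comm": "nginx", "op": "exec", "path": "/tmp/nginx"}
{"ts": 13, "container_id": "c0ffee", "privileged": false, "comm": "app", "op": "write", "path": "/etc/release_agent.conf"}
{"ts": 14, "container_id": "", "privileged": false, "comm": "sshd", "op": "exec", "path": "/usr/sbin/sshd"}
"""

SYSTEM_DIRS = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/")  # assumed allowlist
WINDOW = 60  # assumed: seconds after the write during which host execs are linked

def is_release_agent_write(ev: dict) -> bool:
    # A cgroup v1 hierarchy can be mounted at any path, so match on the file
    # name rather than a fixed mount point. Only container-originated writes
    # count; host init/admin tooling may legitimately set release_agent.
    return (ev["op"] == "write" and ev["container_id"] != ""
            and basename(ev["path"]) == "release_agent")

def is_suspicious_host_exec(ev: dict) -> bool:
    # Host process launched from outside the usual system directories.
    return (ev["op"] == "exec" and ev["container_id"] == ""
            and not ev["path"].startswith(SYSTEM_DIRS))

def build_progressions(raw: str) -> dict:
    """Return {container_id: [finding, ...]} with findings in time order."""
    events = sorted((json.loads(l) for l in raw.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    prog = defaultdict(list)
    primed = {}  # container_id -> ts of its release_agent write
    for ev in events:
        if is_release_agent_write(ev):
            sev = "HIGH" if ev["privileged"] else "MEDIUM"
            prog[ev["container_id"]].append(
                f"{ev['ts']} {sev} release_agent written by {ev['comm']}")
            primed[ev["container_id"]] = ev["ts"]
        elif is_suspicious_host_exec(ev):
            # Attribute the host-side execution to any container that primed
            # release_agent shortly before: the escaped payload step.
            for cid, ts in primed.items():
                if 0 <= ev["ts"] - ts <= WINDOW:
                    prog[cid].append(
                        f"{ev['ts']} HIGH host exec {ev['path']} ({ev['comm']})")
    return dict(prog)
```

Running build_progressions(SAMPLE_EVENTS) yields a single progression for container 7a1f40 (the release_agent write followed by the host-side /tmp/nginx execution), while the unrelated /etc/release_agent.conf write and the /usr/sbin/sshd launch produce nothing.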
Container lateral movements can be classified into three categories:
Container escape can be further classified into three categories:
Detecting these activities is critical to detection and response. For example, in the case of container escape, an attacker who escapes the container will likely have access to host resources and other containers on the host.
While traditional point-based detections show users a sea of independent alerts, Confluera XDR presents users with real-time threat progressions (a.k.a. incident timelines or attack narratives) and significantly improves efficacy. This allows DevSecOps/SOC analysts to quickly identify risk and prioritize risk mitigation by reviewing the logical threat progression instead of investigating a sea of independent alerts.
Confluera XDR tracks all the above mentioned container lateral movements and container escape categories.
In this post, we will demonstrate an example of Confluera XDR’s threat progression for containers.
Let’s look at an example breach involving container escape with cgroups release_agent. This belongs to the “Escape via configuration abuse” category we mentioned above. We will visualize this incident through the lens of the MITRE ATT&CK framework, the de facto industry standard for the definition and classification of infrastructure-wide cyberattacks.
Our victim environment has a host machine (joe-el8) running a privileged container (the container ID ends with 7a1f40).
The attacker performed the following actions:
Confluera detects and captures the sequence of activities into a single threat progression, as shown in the screenshot below. Keep in mind that any number of alerts may be triggered on this host and/or this container by other activities. However, this threat progression does not show those alerts and therefore significantly improves efficacy.
Malicious actors are becoming more sophisticated and constantly inventing new ways to attack the cloud infrastructure.
Confluera XDR tracks all three container lateral movement categories. It also tracks the three container escape categories. This blog post demonstrates an example of Confluera XDR’s precise execution tracking of an attacker’s pre- and post-exploitation behaviors in a container environment.
Moreover, Confluera XDR detects threat progressions across endpoint, network and cloud. It also prevents successful cyberattacks by coordinating with endpoint, network, and cloud controls.
Contact us if you would like to know more.