Container escape vulnerabilities in runc and Docker - “Leaky Vessels”
Rory McNamara, a researcher at Snyk Security Labs, reported four critical vulnerabilities in core container infrastructure (runc and Docker) that allow a process to break out of container isolation and reach the underlying host: its file system, data, credentials and so on. These are very serious vulnerabilities and patches must be applied as soon as possible.
At the time of discovery Snyk had found no evidence of active exploitation in the wild.
What to do: update Docker daemons and Kubernetes deployments, bring all CI/CD pipelines and build servers (Jenkins and the like) up to date, and patch developer workstations that run Docker.
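The advice above is "patch everything", and the practical follow-up is to verify rather than assume that every host is on a fixed version. The script below is an added example written for this summary, not code from Snyk, Docker or the runc project: it parses the output of `runc --version` and `docker version --format '{{.Server.Version}}'` and compares it field by field against minimum versions. The MINIMUMS values are assumptions for illustration and must be taken from the vendor advisories you follow, and the tool outputs in SAMPLE_FLEET are constructed.

```python
import re
import subprocess

# Assumed minimum fixed versions (illustrative; replace with the advisory's figures).
MINIMUMS = {"runc": "1.1.12", "docker": "25.0.2"}

# How to obtain each component's version string on a host.
COMMANDS = {
    "runc": ["runc", "--version"],
    "docker": ["docker", "version", "--format", "{{.Server.Version}}"],
}

VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)")


def parse_version(text):
    """First dotted numeric version in text as a tuple of ints, or None.
    Pre-release or distro suffixes (e.g. '-rc1', '+ds1') are deliberately ignored."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.group(1).split(".")) if match else None


def is_at_least(found, minimum):
    """Field-wise comparison; a missing trailing field counts as 0 (1.1 == 1.1.0)."""
    width = max(len(found), len(minimum))

    def pad(v):
        return v + (0,) * (width - len(v))

    return pad(found) >= pad(minimum)


def check(component, tool_output, minimums=MINIMUMS):
    """(component, version string or None, patched?) for one tool's output."""
    found = parse_version(tool_output)
    if found is None:
        return component, None, False        # unparsable counts as not verified
    ok = is_at_least(found, parse_version(minimums[component]))
    return component, ".".join(map(str, found)), ok


def check_fleet(outputs, minimums=MINIMUMS):
    """outputs: {host: {component: tool output}} -> [(host, component, version, ok)]."""
    return [(host, *check(comp, out, minimums))
            for host, comps in sorted(outputs.items())
            for comp, out in sorted(comps.items())]


def collect_local():
    """Run the version commands on this host; a missing binary is reported as ''."""
    result = {}
    for comp, cmd in COMMANDS.items():
        try:
            result[comp] = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
        except (FileNotFoundError, subprocess.TimeoutExpired):
            result[comp] = ""
    return result


# Constructed sample outputs: one host still on an older runc, one on an older Docker.
SAMPLE_FLEET = {
    "build-01": {"runc": "runc version 1.1.11\nspec: 1.0.2-dev", "docker": "25.0.2"},
    "build-02": {"runc": "runc version 1.1.12\nspec: 1.0.2-dev", "docker": "24.0.7"},
}

if __name__ == "__main__":
    for host, comp, version, ok in check_fleet(SAMPLE_FLEET):
        print(f"{host:10} {comp:7} {version or '?':8} {'ok' if ok else 'PATCH'}")
```

Two caveats when you run this for real. Distribution packages often backport fixes without bumping the upstream version, so for distro-packaged runc or docker compare the package version from the package manager against the distro's own advisory instead of the upstream number. And maintenance branches have their own fixed releases, so a single minimum per component will over-report on hosts that follow an older branch; keep one minimum per branch you support.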
glibc Vulnerability Allows for Root Access in Several Major Linux Distributions
The bug, tracked as CVE-2023-6246 and introduced into glibc back in August 2022 (yikes!), is a heap-based buffer overflow in glibc's syslog() code path that allows local privilege escalation up to unrestricted root access. Cybersecurity firm Qualys confirmed that Debian 12 and 13, Ubuntu 23.04 and 23.10, and Fedora 37 to 39 are all vulnerable. As usual in these cases, keeping a distribution up to date is of utmost importance!
Shim Vulnerability Exposes Almost All Linux Distros to Secure Boot Bypass Attack
Microsoft Security Response Center discovered the vulnerability, tracked as CVE-2023-40547. It impacts major distributions such as Debian, Red Hat, SUSE and Ubuntu and carries a CVSS score of 9.8.
The mechanism: shim's HTTP boot support trusts attacker-controlled values when parsing HTTP responses, which yields an out-of-bounds write primitive.
The danger is that an attacker on the same network can serve a malicious shim bootloader over HTTP boot, and a local attacker can manipulate the data on the EFI system partition.
A Man-in-the-Middle (MITM) attack can alter the traffic during HTTP boot. Worst of all, the attacker gains code execution before the kernel loads, with higher privilege than anything running under the operating system, which defeats the purpose of Secure Boot.
Phishing Campaign Uses SendGrid’s Own Infrastructure to Hunt for Credentials
SendGrid, a transactional and marketing email provider, has been used to launch a very large phishing campaign that leans on social engineering tricks such as account-suspension notices, declined payments and similar lures designed to induce urgency and inhibit rational thinking.
The phishing mails were sent through SendGrid’s own infrastructure, with the real destination hidden inside a URL parameter of the tracking link.
The tell-tale sign is that the “From:” address is not a SendGrid domain, even though the mails pose as SendGrid notices and travel through SendGrid’s infrastructure.
Clicking the tracking link in the email redirects to JSPen, a CodePen-like editor that stores the whole page in the URL fragment. That makes the attack harder to analyze, since the page is only assembled in the victim’s browser. Decoding the fragment showed that it loads a JavaScript file (yes, again) hosted on Azure Front Door (Microsoft’s CDN). After deobfuscation and decryption, the script turns out to render a credential-stealing login page only slightly different from SendGrid’s own.
All malware components have since been taken offline. Good practice is to use a reputable password manager, which only offers to fill credentials when the page’s origin matches the one saved with the entry, so a look-alike page on a different domain gets nothing.
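The three analysis steps described above (From: domain versus the infrastructure the mail actually came through, unwrapping the destination hidden in the tracking link's query parameter, and decoding the page-in-URL fragment to find the script it loads) fit in one small triage script. The code below is an added example written for this summary, not code from the original article or from SendGrid. Every host name, address and URL in it is constructed, and the fragment encoding it peels (percent-encoding over base64url over zlib) is an assumption about how a page-in-URL editor might pack a page, not JSPen's actual scheme.

```python
import base64
import re
import zlib
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import parse_qs, quote, unquote, urlparse

# Assumption: the domains SendGrid itself sends from. A mail posing as a SendGrid
# notice whose From: domain is not one of these is the tell described above.
SENDGRID_DOMAINS = ("sendgrid.com", "sendgrid.net")


def in_domains(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def from_domain_mismatch(msg, brand_domains=SENDGRID_DOMAINS):
    """(from_domain, True if From: is outside the impersonated brand's domains)."""
    domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    return domain, not in_domains(domain, brand_domains)


def transited(msg, infra_domains=SENDGRID_DOMAINS):
    """True if any Received: header names a host in the sending infrastructure."""
    for received in msg.get_all("Received", []):
        for host in re.findall(r"[\w.-]+\.[a-z]{2,}", received.lower()):
            if in_domains(host, infra_domains):
                return True
    return False


def unwrap_redirects(html):
    """(tracking_url, inner_url) for every href whose query carries another URL."""
    found = []
    for href in re.findall(r'href="([^"]+)"', html):
        for values in parse_qs(urlparse(href).query).values():
            found += [(href, v) for v in values if urlparse(v).scheme in ("http", "https")]
    return found


def decode_fragment(fragment):
    """Peel the layers a page-in-URL editor may apply (assumed here: percent-encoding,
    base64url, zlib) and return the first candidate that looks like markup."""
    text = unquote(fragment)
    layers = [text.encode()]
    try:
        raw = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
        layers.append(raw)
        layers.append(zlib.decompress(raw))
    except (ValueError, zlib.error):
        pass
    for blob in reversed(layers):                      # most-decoded candidate first
        page = blob.decode("utf-8", "replace")
        if "<" in page and ">" in page:
            return page
    return text


def extract_script_urls(page):
    return re.findall(r'<script[^>]*\ssrc="([^"]+)"', page)


def triage(raw_mail):
    """Pull the signals an analyst wants from one raw message into a dict."""
    msg = message_from_string(raw_mail, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    from_domain, mismatch = from_domain_mismatch(msg)
    report = {"from_domain": from_domain, "from_mismatch": mismatch,
              "via_sendgrid": transited(msg), "redirects": [], "script_urls": []}
    for tracking, inner in unwrap_redirects(body):
        report["redirects"].append((urlparse(tracking).netloc, urlparse(inner).netloc))
        fragment = urlparse(inner).fragment
        if fragment:
            report["script_urls"] += extract_script_urls(decode_fragment(fragment))
    return report


# Constructed sample: the page a JSPen-style link would unpack in the victim's browser,
# packed into the fragment, then hidden in the query of a tracking link.
PHISH_PAGE = '<html><body><script src="https://phish-cdn.example/login.js"></script></body></html>'
FRAGMENT = base64.urlsafe_b64encode(zlib.compress(PHISH_PAGE.encode())).decode().rstrip("=")
SAMPLE_MAIL = (
    "Return-Path: <bounces+0000@em.attacker-brand.test>\n"
    "Received: from mail.sendgrid.net (mail.sendgrid.net [192.0.2.10]) by mx.example.org\n"
    'From: "SendGrid Billing" <billing@attacker-brand.test>\n'
    "To: victim@example.org\n"
    "Subject: Your SendGrid account will be suspended\n"
    "Content-Type: text/html\n\n"
    '<p>Your payment was declined. <a href="https://u0000.ct.sendgrid.net/ls/click?url='
    + quote("https://jspen.example/#" + FRAGMENT, safe="") + '">Update billing</a></p>\n'
)

if __name__ == "__main__":
    print(triage(SAMPLE_MAIL))
```

Two points on the design. The From: check is only meaningful because the lure claims to be SendGrid itself; a legitimate SendGrid customer's mail will always have a From: outside SendGrid's domains, so on its own that signal is worthless. And decode_fragment is where you adapt to the real editor: it decodes the fragment offline so the page can be read without ever letting the victim's browser assemble it, but if the editor uses a different packing, swap the layer list for that scheme.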
Authentication Principles in Kubernetes - Best Practices from Datadog
Datadog has published a detailed and systematic summary of how entities, people as well as services, can authenticate to the Kubernetes API. In brief, they cover the built-in authentication methods, static tokens, bootstrap tokens and the classic X.509 client certificates, which are more common in self-hosted, unmanaged clusters (the managed flavors AKS, GKE and EKS support client certificates to varying degrees), as well as the external methods: OIDC, webhook token authentication, an authenticating proxy (auth-proxy) and an impersonating proxy.
Check the reference for a deeper understanding!
Cloud Native Security Crossroads - Do Companies Choose Best Practices or Speed and Ease of Use?
Sysdig compiles an annual report from its customer base on how they are adopting cloud native environments and what the state of security in them is.
In brief, the results show that, as a legacy of on-prem habits, very wide permissions are granted to applications and users while only a tiny share of them (2%) is actually used; this practice is linked to the majority of well-known cloud security incidents.
Secondly, the shift left is not complete in most cases. Although the number of critical and high vulnerabilities in running containers is down by almost half, the goal of catching vulnerabilities in the pre-delivery pipeline, before runtime, is not advancing as expected.
Thirdly, scanning and threat detection are maturing: only a third of compromises are found via indicators of compromise, two thirds through behavior-based detection.
Another unnerving finding is that the ephemeral nature of containers does not by itself protect an environment from compromise. Most containers are indeed short-lived, especially when deployed and redeployed through a pipeline, but Sysdig’s Threat Research Team has shown that 10 minutes are enough for a cloud attack.
Lastly, adoption of AI, and of generative AI in particular, is lower than expected: generative AI accounts for only 15% of the AI frameworks installed. Please see the full report in the references.
SSH Key Stealing Worm on the Loose
Sysdig’s Threat Research Team has discovered and analyzed an essentially fileless worm that scans infected machines for SSH credentials and uses them to spread through the network. The extracted keys are sent to a C2 server and are actively used for further offensive operations! Sysdig has published Falco rules for detecting the worm and guidance on mitigation.
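The spreading behaviour described above leaves a footprint in sshd logs that a collector sees long before a compromised host's own files are inspected: one stolen key logging into many hosts in quick succession, and the same key later turning up from a new source once the worm has hopped. The detector below is an added example written for this summary, not Sysdig's Falco rules; the log lines, host names, addresses and key fingerprints are constructed, and the window and fan-out thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines as a central collector would store them:
# "<time> <reporting host> <sshd message>", the message in OpenSSH's format.
SAMPLE_LOG = """\
2024-02-10T10:00:01Z web1 sshd[2101]: Accepted publickey for deploy from 10.0.1.5 port 50010 ssh2: ED25519 SHA256:AAAAkey
2024-02-10T10:00:04Z web2 sshd[2210]: Accepted publickey for deploy from 10.0.1.5 port 50011 ssh2: ED25519 SHA256:AAAAkey
2024-02-10T10:00:05Z web1 sshd[2102]: Accepted publickey for ops from 10.0.0.2 port 41000 ssh2: ED25519 SHA256:BBBBkey
2024-02-10T10:00:09Z web3 sshd[2301]: Accepted publickey for deploy from 10.0.1.5 port 50012 ssh2: ED25519 SHA256:AAAAkey
2024-02-10T10:00:40Z db1 sshd[3001]: Accepted publickey for deploy from 10.0.2.11 port 33000 ssh2: ED25519 SHA256:AAAAkey
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)$")


def parse(log):
    """Accepted-publickey events, oldest first; lines that do not match are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=5), fanout=3, allow_sources=()):
    """Two signals of a key-harvesting worm:
    fanout    - one (source, key) pair logs into >= `fanout` distinct hosts within `window`
    key_moved - the same key is later used from a second source, i.e. it was copied and
                is now hopping onward from the host it was stolen on
    allow_sources: known automation hosts (bastions, CI runners) that legitimately fan out.
    Thresholds are assumptions; tune them to the environment."""
    recent = defaultdict(list)       # (src, fp) -> [(ts, host)] inside the window
    sources = defaultdict(set)       # fp -> sources seen using it
    fired, alerts = set(), []
    for e in events:
        key = (e["src"], e["fp"])
        recent[key] = [(t, h) for t, h in recent[key] if e["ts"] - t <= window]
        recent[key].append((e["ts"], e["host"]))
        hosts = sorted({h for _, h in recent[key]})
        if len(hosts) >= fanout and e["src"] not in allow_sources and ("fanout", key) not in fired:
            fired.add(("fanout", key))
            alerts.append({"signal": "fanout", "key": e["fp"], "src": e["src"], "hosts": hosts})
        sources[e["fp"]].add(e["src"])
        if len(sources[e["fp"]]) == 2 and ("moved", e["fp"]) not in fired:
            fired.add(("moved", e["fp"]))
            alerts.append({"signal": "key_moved", "key": e["fp"],
                           "sources": sorted(sources[e["fp"]])})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The fan-out signal is the noisy one: configuration management and deployment tooling produce exactly this pattern, which is why the detector takes an allow-list of sources. The key-moved signal is the stronger tell, because a deploy key that suddenly authenticates from a web server rather than from the bastion it lives on has, almost by definition, been copied.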