Groundhog Botnet Rapidly Infecting Cloud

As early as 2015, the “Groundhog” DDoS botnet began proliferating via SSH brute-force attacks. The botnet is believed to have a China nexus and has been active since its inception. In early December 2020, Lacework started monitoring recent activity along with botnet traffic from a sinkhole operation. Our analysis revealed the botnet is rapidly […]

SolarWinds & the Software Supply Chain

The software supply chain is often overlooked when it comes to security. Perhaps the latest SolarWinds incident will give it the attention it deserves. By trojanizing a software update delivered from SolarWinds, unknown actors succeeded in installing malware at numerous organizations across multiple verticals. The supply chain has long been an attractive target […]

Meet Muhstik – IoT Botnet Infecting Cloud Servers

Cloud infrastructure is generally immune to IoT-related threats; however, there are some exceptions, one of which is “Muhstik”. The Muhstik botnet has been around for a couple of years now and is currently affecting the cloud by way of several web application exploits. The botnet is monetized via XMRig, cgmining and DDoS attack services. […]

Moobot’s Cloud Migration

There is an abundance of Mirai-based botnets in the wild; however, “Moobot”, which targets vulnerable Docker APIs, recently showed up on our radar. This blog describes the Moobot development along with the malware variant details. A full indicator list is also provided in our GitHub repository. As early as September 20th, one of these variants […]

The Redis Rush

Redis has been heavily targeted for years, and recent activity shows it is more popular than ever with attackers. There are several reasons for this: zero security in the base image, easy discoverability, and easy exploitation. This makes Redis the ultimate low-hanging fruit when targeting cloud infrastructure. This blog provides trending on Redis targeting in the […]

Doki Dukes with Kinsing

Cloud infrastructure is premium real estate for cryptojackers and they are constantly looking for new ways to exploit your workloads. Among them is “Doki,” which was recently reported by Intezer and is distinguished by exploitation of the Docker API and for going undetected until only recently. While Doki was just reported, malware specimens uploaded to […]

Bash Wars

Whether you’re an engineer or a system administrator, you’ve probably found bash to be a go-to resource for automating your Linux tasks. Bash is so useful that it has become popular among malware authors as well, because it can easily perform many of the tasks necessary for malware installation and system persistence. Cryptomining […]

Kubernetes Recon: A Closer Look at Discovery from the Kubernetes Attack Matrix

On April 2nd, Microsoft released their attack matrix for Kubernetes, a collection of Kubernetes attack patterns modeled after MITRE’s ATT&CK framework. While the matrix was compiled for Azure, many of the patterns are valid for all cloud providers. There are nine tactics in the ATT&CK framework; however, this blog expands on the Discovery portion and […]

Who’s Attacking My Containers?

If you’re concerned about the security of your cloud resources, then you may have asked yourself: “Who’s attacking my containers?” This blog will attempt to answer that question. As described in the kill chain model, the first phase of any attack is reconnaissance. This entails some form of information gathering about the target and usually […]

H2Miner Botnet – Act 2

Containers are gaining popularity as malware deployment mechanisms in the cloud. Beginning on Valentine’s Day, one malicious container started making its rounds and has steadily expanded to over 350 infections. The malware and infrastructure have been attributed to the “H2Miner” cryptomining botnet which was last reported in January propagating via a Redis RCE: New Outbreak […]

Research Automation with ATT&CK & Python

MITRE did the community a huge favor with the development of ATT&CK, an open-source knowledge base of attack techniques. Threat intelligence can often be a nebulous undertaking, but thanks to ATT&CK, the lives of analysts have been made a little bit easier. This blog describes how to quickly research threats using Python and […]
