Blog

Hidden Bugs in The Mines: Examining Vulnerabilities within Cryptocurrency Miners

Jared Stroud, Cloud Security Researcher, Lacework Labs

Key Points: XMRigCC vulnerabilities enable rogue clients (compromised hosts/victims) to attack upstream servers. The vulnerabilities include: arbitrary file write with the specific extension “_config.json”; default configuration overwrite via the client “worker-id”, leading to potential client takeover; persistent XSS via the client “worker-id”; remote denial of service via the client “worker-id”. Summary: Lacework […]

Read More…

Threat Hunting SSH Keys – Bash Script Feature Pivoting

Tom Hegel, Cloud Security Researcher, Lacework Labs

Malicious actors often add SSH keys to victim hosts for persistence (T1098.004); in this blog we show you how to hunt with that knowledge. The process of identifying malicious activity through threat intelligence pivoting is standard practice for any CTI analyst. For readers unfamiliar with […]

Read More…
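
The hunting idea the post above describes, as an added example that is not code from the Lacework Labs post: parse an authorized_keys file, fingerprint every key the way OpenSSH does (SHA256 over the decoded key blob), and flag keys that are not in your inventory, carry options attackers favour (forced commands, environment overrides), or whose blob does not match the declared key type. The key blobs, the authorized_keys text and the allowlist below are all constructed; the allowlist stands in for whatever key inventory an organisation actually keeps, and the forced-command path is an assumed placeholder.

```python
"""Hunt authorized_keys content for SSH keys that should not be there (T1098.004).

Added example, not code from the Lacework Labs post. The key blobs and the
authorized_keys text are constructed here; the allowlist of known-good
fingerprints is an assumption standing in for a real key inventory.
"""
import base64
import hashlib
import re
import struct

# options attackers use to hide or constrain what a planted key does
FLAGGED_OPTIONS = ("command=", "environment=", "no-pty")

# one run of option text may contain quoted strings with spaces inside
_OPTS = r'(?:[^\s"]|"[^"]*")+'
_LINE = re.compile(
    rf'^\s*(?:(?P<opts>{_OPTS})\s+)?'
    r'(?P<ktype>ssh-(?:ed25519|rsa|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+'
    r'(?P<b64>[A-Za-z0-9+/]+=*)'
    r'(?:\s+(?P<comment>.*?))?\s*$'
)


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """Return (options, key_type, blob, comment), or None for blank/comment/unparsable lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = _LINE.match(line)
    if not m:
        return None
    blob = base64.b64decode(m["b64"])
    return (m["opts"] or "", m["ktype"], blob, m["comment"] or "")


def hunt(authorized_keys: str, allowlist) -> list:
    """Flag keys not in the inventory, with risky options, or whose blob lies about its type."""
    findings = []
    for number, line in enumerate(authorized_keys.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        opts, ktype, blob, comment = parsed
        fp = fingerprint(blob)
        reasons = []
        if fp not in allowlist:
            reasons.append("fingerprint not in inventory")
        if any(option in opts for option in FLAGGED_OPTIONS):
            reasons.append(f"risky options: {opts}")
        (type_len,) = struct.unpack(">I", blob[:4])   # first blob field is the key type
        if blob[4:4 + type_len] != ktype.encode():
            reasons.append("key blob type does not match declared type")
        if reasons:
            findings.append({"line": number, "fingerprint": fp, "comment": comment, "reasons": reasons})
    return findings


def ed25519_blob(seed: int) -> bytes:
    """Constructed ed25519 public key blob: a repeated seed byte, not a real key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(bytes([seed]) * 32)


ADMIN_BLOB = ed25519_blob(0x11)
PLANTED_BLOB = ed25519_blob(0x22)
UNKNOWN_BLOB = ed25519_blob(0x33)

# constructed sample of an authorized_keys file on a compromised host
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# admin workstation",
    "ssh-ed25519 " + base64.b64encode(ADMIN_BLOB).decode() + " admin@corp",
    # forced command pointing at an assumed dropped script path
    'command="/opt/.cache/run.sh",no-pty ssh-ed25519 '
    + base64.b64encode(PLANTED_BLOB).decode() + " backup@corp",
    # comment mimics an automation account, but nobody ever issued this key
    "ssh-ed25519 " + base64.b64encode(UNKNOWN_BLOB).decode() + " ansible@corp",
])

# assumed inventory: only the admin key was ever issued
KNOWN_GOOD = {fingerprint(ADMIN_BLOB)}


def sample_findings() -> list:
    return hunt(SAMPLE_AUTHORIZED_KEYS, KNOWN_GOOD)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"line {f['line']} {f['fingerprint']} ({f['comment']}): {'; '.join(f['reasons'])}")
```

Fingerprinting rather than comparing raw lines matters because the comment field is free text an attacker chooses; a key labelled ansible@corp is only trustworthy if its fingerprint is in the inventory. Run the same function over /root/.ssh/authorized_keys and every user's file, plus any AuthorizedKeysFile path set in sshd_config.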

Hacking Like It's 1999 – Automating Analysis Like It's 2021

Jared Stroud, Cloud Security Researcher, Lacework Labs

The Takeaways: Lacework Labs is releasing a Ghidra script to automate the extraction of IRC IPs/domains, channels and channel credentials used by Kaiten IRC bots and their variants (Lacework Labs Ghidra Scripts). Summary: Lacework Labs has historically reported on the usage of IRC bots in […]

Read More…

Keksec & Tsunami-Ryuk

Chris Hall, Cloud Security Researcher, Lacework Labs

Key Takeaways: Keksec is now leveraging a new Tsunami DDoS malware variant dubbed “Ryuk” (not the ransomware family). The group has updated the DGA used by the Necro Python malware. An inventory of Keksec’s malware distribution infrastructure is provided. New persona details are included. Keksec, […]

Read More…

Cloud Access: The Latest Offering for Initial Access Brokers

Greg Foss, Cloud Security Researcher, Lacework Labs

Summary: Initial Access Brokers (IABs) have become commonplace across cybercrime marketplaces in recent years. The practice has evolved from the opportunistic compromise of one-off internet-facing assets for resale as mere proxies to the targeting of corporate networks, assessing the environment for business value, […]

Read More…

Taking TeamTNT’s Docker Images Offline

Jared Stroud, Cloud Security Researcher, Lacework Labs

The Takeaways: TeamTNT targets exposed Docker APIs to deploy malicious images. Docker images containing TeamTNT malware are being hosted in public Docker Hub repositories via account takeovers. TeamTNT leverages Docker Hub secrets exposed in GitHub to stage malicious Docker images. The following MITRE ATT&CK techniques were observed: […]

Read More…

8220 Gang’s Recent Use of Custom Miner and Botnet

Jared Stroud, Chris Hall and Tom Hegel, Cloud Security Researchers, Lacework Labs

Lacework Labs has recently encountered a cluster of malicious activity built around loader scripts and the delivery of a custom cryptocurrency miner and an IRC bot. Specifically, we’ve identified a new loader script, a custom “PwnRig” miner, and unique Tsunami IRC botnet […]

Read More…

Canary Tokens & Ransomware Operations

Jared Stroud & Chris Hall, Cloud Security Researchers, Lacework Labs

Key Takeaways: canarytokens.org is potentially being abused by ransomware operator(s) to exfiltrate the keys/passwords used for file encryption on the victim host. Summary: The Lacework Labs research team continues to monitor evolving threats in the Linux, cloud and container ecosystem. Recently, a new technique was […]

Read More…

Cpuminer & Friends

Chris Hall, Cloud Security Researcher, Lacework Labs

Key Takeaways: Actors are now leveraging two variants of the same open-source multi-algorithm cryptomining utility, cpuminer. Two general tactics have been observed to date, including Jupyter command execution (T1059) and WordPress exploitation (T1584). This blog includes a short tutorial on obfuscated PHP analysis performed as […]

Read More…

Sysrv-Hello Expands Infrastructure

Chris Hall and Jared Stroud, Cloud Security Researchers, Lacework Labs

Sysrv-hello is a multi-architecture cryptojacking (T1496) botnet that first emerged in late 2020 and employs Golang malware compiled into both Linux and Windows payloads. The malware is equal parts XMRig cryptominer and aggressive botnet propagator. The propagator leverages MySQL and Tomcat brute forcing (T1110) along with […]

Read More…

Resolving Embedded Files at Runtime via strace

Jared Stroud, Cloud Security Researcher, Lacework Labs

Modern Linux malware binaries are being shipped with one or more embedded files. Often, the first-stage binary is simply a dropper for the real payload. Prior to the “real payload” being dropped, it’s common to see checks for the host’s CPU architecture, Linux distribution or a series […]

Read More…
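
The runtime approach the post above describes, as an added example that is not code from the Lacework Labs post: run the dropper in a sandbox under strace (for instance strace -f -s 64 -o trace.txt ./sample, so child processes are followed and string arguments are long enough to show file magic), then correlate the log to find which files the dropper wrote, what they look like, whether it executed them, and whether it deleted them afterwards. It also surfaces the pre-drop reconnaissance the post mentions (uname, /proc/cpuinfo, /etc/os-release). The trace below is constructed in strace’s default output format; PIDs, paths and sizes are made up, and the per-PID file descriptor tracking deliberately ignores threads that share a descriptor table.

```python
"""Correlate an strace log of a dropper to find what it wrote, ran and deleted.

Added example, not code from the Lacework Labs post. SAMPLE_TRACE is a
constructed strace -f -o log; the syscall format is the one strace prints
by default, but every path, PID and byte count here is invented.
"""
import re

SAMPLE_TRACE = """\
1234  execve("./dropper", ["./dropper"], 0x7ffd6c2a1d40 /* 12 vars */) = 0
1234  uname({sysname="Linux", nodename="build-01", ...}) = 0
1234  openat(AT_FDCWD, "/etc/os-release", O_RDONLY|O_CLOEXEC) = 3
1234  read(3, "NAME=\\"Ubuntu\\"\\nVERSION=\\"20.04\\"\\n"..., 4096) = 41
1234  close(3)                          = 0
1234  openat(AT_FDCWD, "/proc/cpuinfo", O_RDONLY) = 3
1234  close(3)                          = 0
1234  mkdir("/tmp/.cache", 0700)        = 0
1234  openat(AT_FDCWD, "/tmp/.cache/kworker", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 4
1234  write(4, "\\177ELF\\2\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\3\\0>\\0\\1\\0\\0\\0"..., 65536) = 65536
1234  write(4, "\\0\\0\\0\\0\\0\\0\\0\\0"..., 12288) = 12288
1234  close(4)                          = 0
1234  openat(AT_FDCWD, "/tmp/.cache/run.sh", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
1234  write(4, "#!/bin/sh\\n/tmp/.cache/kworker\\n", 31) = 31
1234  close(4)                          = 0
1234  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3a1c0e8a10) = 1235
1235  execve("/tmp/.cache/kworker", ["/tmp/.cache/kworker"], 0x55d2f0c6b2a0 /* 12 vars */) = 0
1234  unlink("/tmp/.cache/kworker")     = 0
1234  exit_group(0)                     = ?
"""

# "pid  call(args) = ret"; unfinished/resumed lines and exit markers do not match and are skipped
_LINE = re.compile(r'^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)')
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')   # C-style quoted string with escapes

RECON_PATHS = ("/proc/cpuinfo", "/proc/version", "/etc/os-release",
               "/etc/lsb-release", "/etc/redhat-release")
WRITE_FLAGS = ("O_WRONLY", "O_RDWR")


def classify_payload(first_chunk: str) -> str:
    """Guess the dropped file type from strace's escaped rendering of its first bytes."""
    if first_chunk.startswith("\\177ELF"):
        return "ELF binary"
    if first_chunk.startswith("#!"):
        return "script"
    return "unknown"


def analyze(trace: str) -> dict:
    open_fds = {}    # (pid, fd) -> path, for files opened for writing
    written = {}     # path -> {"bytes", "kind", "pid"}
    recon, executed, deleted = [], [], []
    for line in trace.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        pid, call, args, ret = int(m["pid"]), m["call"], m["args"], m["ret"]
        strings = _STRING.findall(args)
        if call == "uname":
            recon.append((pid, "uname", ""))
        elif call == "openat" and strings:
            path = strings[0]
            if path in RECON_PATHS:
                recon.append((pid, "openat", path))
            if any(flag in args for flag in WRITE_FLAGS) and ret != "?" and int(ret) >= 0:
                open_fds[(pid, int(ret))] = path
                written.setdefault(path, {"bytes": 0, "kind": "unknown", "pid": pid})
        elif call == "write":
            fd = int(args.split(",", 1)[0])
            path = open_fds.get((pid, fd))
            if path is not None and strings:
                entry = written[path]
                if entry["bytes"] == 0:                 # first chunk carries the file magic
                    entry["kind"] = classify_payload(strings[0])
                entry["bytes"] += int(ret)
        elif call == "close":
            open_fds.pop((pid, int(args)), None)
        elif call == "execve" and strings:
            executed.append((pid, strings[0]))
        elif call == "unlink" and strings:
            deleted.append(strings[0])
    dropped = [path for (_, path) in executed if path in written]
    return {
        "recon": recon,
        "written": written,
        "executed": executed,
        "dropped_and_executed": dropped,
        "deleted_after_use": [path for path in deleted if path in dropped],
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_TRACE)
    for path, info in result["written"].items():
        print(f"wrote {path}: {info['kind']}, {info['bytes']} bytes")
    print("dropped and executed:", result["dropped_and_executed"])
    print("deleted after use:", result["deleted_after_use"])
```

The useful signal is the join between the three lists: a file the dropper created, whose first write starts with the ELF magic, that a child then execve’d and the parent unlinked is the embedded payload, and the strace log gives you its path before it disappears from disk (copy it out from /proc/PID/exe of the running child if the unlink already happened).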

Carbine Loader Cryptojacking Campaign

Tom Hegel, Cloud Security Researcher, Lacework Labs

Lacework Labs recently came across an interesting shell script that’s part of an opportunistic cryptojacking (T1496) campaign. This campaign operated through remote code execution against public-facing Nagios XI applications. We have dubbed the loader script “Carbine Loader” during our clustering process. As background context, Nagios Core is […]

Read More…

The “Kek Security” Network

Key takeaways: Keksec has updated their tactics to include the use of DGA, Tor C2 and proxies. Based on voluminous polymorphic specimens, there is likely widespread infection attributable to the group. Keksec is actively exploiting the Citrix NetScaler RCE (CVE-2019-19781) and VMware vCenter Server (CVE-2021-21973). Tools and indicators are available here. Introduction […]

Read More…

Groundhog Botnet Rapidly Infecting Cloud

Chris Hall, Cloud Security Researcher, Lacework Labs

As early as 2015, the “Groundhog” DDoS botnet began proliferating via SSH brute-force attacks. The botnet is believed to have a China nexus and has been active since its inception. In early December 2020, Lacework started monitoring recent activity along with botnet traffic from a sinkhole operation. Our […]

Read More…

TeamTNT Builds Botnet from Chinese Cloud Servers

TeamTNT is a relatively recent addition to a growing number of threats targeting the cloud. While they employ some of the same tactics as similar groups, TeamTNT stands out with their social media presence and penchant for self-promotion. Tweets from TeamTNT’s account are in both English and German, although it is unknown if they […]

Read More…

SolarWinds & the Software Supply Chain

Chris Hall, Cloud Security Researcher, Lacework Labs

The software supply chain is often overlooked when it comes to security. Perhaps the latest SolarWinds incident will give it the attention it deserves. By trojanizing a software update delivered by SolarWinds, unknown actors succeeded in installing malware at numerous organizations across multiple verticals. Supply chain […]

Read More…

Meet Muhstik – IoT Botnet Infecting Cloud Servers

Chris Hall, Cloud Security Researcher, Lacework Labs

Cloud infrastructure is generally immune to IoT-related threats; however, there are some exceptions, one of which is “Muhstik”. The Muhstik botnet has been around for a couple of years now and is currently affecting the cloud by way of several web application exploits. The botnet is monetized via XMRig, […]

Read More…

Moobot’s Cloud Migration

Chris Hall, Cloud Security Researcher, Lacework Labs

There is an abundance of Mirai-based botnets in the wild; however, “Moobot”, which targets vulnerable Docker APIs, recently showed up on our radar. This blog describes the Moobot development along with the malware variant details. A full indicator list is also provided in our GitHub repository. As early as […]

Read More…

The Redis Rush

Chris Hall, Cloud Security Researcher, Lacework Labs

Redis has been heavily targeted for years, and recent activity shows it is more popular than ever with attackers. There are several reasons for this: the base image ships with no security configured, instances are easily discoverable, and they are easily exploited. This makes Redis the ultimate low-hanging fruit when targeting cloud infrastructure. This blog provides […]

Read More…

Doki Dukes with Kinsing

Chris Hall, Cloud Security Researcher, Lacework Labs

Cloud infrastructure is premium real estate for cryptojackers, and they are constantly looking for new ways to exploit your workloads. Among them is “Doki,” which was recently reported by Intezer and is distinguished by its exploitation of the Docker API and by going undetected until only recently. While Doki was […]

Read More…

Bash Wars

Chris Hall, Cloud Security Researcher, Lacework Labs

Whether you’re an engineer or a system administrator, you’ve probably found bash to be a go-to resource for automating your Linux tasks. Bash is so useful that it has become popular among malware authors as well. This is because it can easily perform many tasks that are necessary for […]

Read More…

Kubernetes Recon: A Closer Look at Discovery from the Kubernetes Attack Matrix

Chris Hall, Cloud Security Researcher, Lacework Labs

On April 2nd, Microsoft released their attack matrix for Kubernetes, a collection of Kubernetes attack patterns modeled after MITRE’s ATT&CK framework. While the matrix was compiled for Azure, many of the patterns are valid for all cloud providers. There are nine tactics in the Kubernetes matrix; however, this blog […]

Read More…

Who’s Attacking My Containers?

Chris Hall, Cloud Security Researcher, Lacework Labs

If you’re concerned about the security of your cloud resources, then you may have asked yourself: “Who’s attacking my containers?” This blog will attempt to answer that question. As described in the kill chain model, the first phase of any attack is reconnaissance. This entails some form of information […]

Read More…

H2Miner Botnet – Act 2

Chris Hall, Cloud Security Researcher, Lacework Labs

Containers are gaining popularity as malware deployment mechanisms in the cloud. Beginning on Valentine’s Day, one malicious container started making its rounds and has steadily expanded to over 350 infections. The malware and infrastructure have been attributed to the “H2Miner” cryptomining botnet, which was last reported in January propagating […]

Read More…

Research Automation with ATT&CK & Python

Chris Hall, Cloud Security Researcher, Lacework Labs

MITRE did the community a huge favor with the development of ATT&CK, an open-source knowledge base of adversary techniques. Threat intelligence can often be a nebulous undertaking, but thanks to ATT&CK the lives of analysts have been made a little bit easier. This blog describes how to […]

Read More…

Automating Enforcement and Response in 2020

James Condon, Director of Research, Lacework Labs

In 2019, organizations adopted containers, embraced DevSecOps, and shifted security focus to earlier in the software development lifecycle. “Secure by Default” became the new goalpost. We now see the various places we need to insert security into our CI/CD pipelines. But with so many new areas for security to […]

Read More…

Cloud Wars & K8s Attacks: Speaking Engagements this November

James Condon, Director of Research, Lacework Labs

The year is drawing to a close, but we still have a few conferences left! A lot happened this year in cloud security. We saw many breaches, from misconfigurations to overly permissive policies. We also saw a large focus on securing cloud-native technologies for those operating in the […]

Read More…

DerbyCon 9.0 & BSides Denver ‘19

James Condon, Director of Research, Lacework Labs

September was a great month for security conferences! We had the pleasure of presenting at DerbyCon 9.0 and BSides Denver ‘19. Here is a quick recap of the presentations. DerbyCon 9.0 Finish Line: this year’s DerbyCon was aptly named “Finish Line” as it is, unfortunately, the last year of […]

Read More…

Cloud & Container Security: Three Great Talks and Tools from Black Hat 2019

James Condon, Director of Research, Lacework Labs

Last week thousands of security professionals descended upon Las Vegas for Hacker Summer Camp (despite warnings of swarming locusts!). Lacework Labs was there to take in all the sights and sounds. It was exciting to see such an emphasis on cloud and container security. There was much discussion on […]

Read More…

Lacework Labs Upcoming Speaking Events

James Condon, Director of Research, Lacework Labs

The first half of the year was a busy one for Lacework Labs. We had the pleasure of speaking at a number of amazing conferences and meetups, including ACoD, BSidesSF, RSA, and more. If you didn’t get the chance to see us speak on various cloud security topics, […]

Read More…

Cryptojacking Malware Gets Creative with Variable Names

James Condon, Director of Research, Lacework Labs

This malware sample may unlock your variable naming writer’s block. Have you ever tried using your favorite foods? We hadn’t either until we came across this one. This Bash script was seen following the Confluence exploits we recently blogged about. The unique variable naming isn’t the only thing that […]

Read More…

4 Ways Lacework Detects Confluence Attacks

James Condon, Director of Research, Lacework Labs

Last week we blogged about attacks exploiting a Confluence vulnerability (CVE-2019-3396). You may be wondering how Lacework detects these attacks. In this blog, we answer that question. If you recall, CVE-2019-3396 is an unauthenticated remote code execution (RCE) vulnerability. It’s exploited with a specially crafted HTTP POST request to […]

Read More…

An Unauthenticated RCE Gold Rush: A Look at Attacks Exploiting Confluence CVE-2019-3396

James Condon, Director of Research, Lacework Labs

The recent Confluence vulnerability (CVE-2019-3396) created a gold rush for threat actors. Attackers are exploiting it for cryptojacking, DDoS attacks, and ransomware. We observed some of these attacks in the wild and via our honeypots. In this blog we will share interesting details from the attacks. CVE-2019-3396: On March […]

Read More…

Top 10 Threats to Cloud Security: AWS Security Week New York

James Condon, Director of Research, Lacework Labs

Last week I had the pleasure of attending my first AWS Security Week. This was held at the AWS New York City Loft from April 15th to April 18th. The AWS Lofts are a cool place for people to come to hang out, meet, code, etc., all free […]

Read More…

Cryptojacking Campaign Targets Exposed Kubernetes Clusters

James Condon, Director of Research, Lacework Labs

Reports on in-the-wild attacks on Kubernetes clusters are somewhat sparse. This, coupled with multiple attack vectors, prompted us to deploy Kubernetes honeypots with very loose security controls to catch real-world attacks. Our hypothesis was that an attack would happen quickly through the insecure API and that the attacker would […]

Read More…

Triaging a CryptoSink Infection in 5 Minutes with Lacework

James Condon, Director of Research, Lacework Labs

In medical terms, triage is the assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of patients or casualties. For security practitioners, triage is assigning priorities and order to security events. When triaging an alert, a security analyst needs […]

Read More…

Container Security: A Popular Topic at BSidesSF ‘19

James Condon, Director of Research, Lacework Labs

Before the masses assembled for RSAC, BSidesSF 2019 took place at the Metreon AMC 16 in San Francisco, CA. As it turns out, a movie theater is an amazing venue for a conference like BSides. Talks were held in the City View movie theaters and even the IMAX theater, […]

Read More…

Talking Kubernetes at Denver ISSA

James Condon, Director of Research, Lacework Labs

Last month we had the pleasure of speaking about securing Kubernetes at ACoD 2019. This month I had the opportunity to speak on the same topic at the Denver Information Systems Security Association (ISSA) chapter meeting. Denver ISSA is a not-for-profit organization with a mission of “Developing and Connecting Denver’s […]

Read More…

Art Into Science: Conference Overview & Securing K8s

James Condon, Director of Research, Lacework Labs

Last week we had the pleasure of attending and presenting at Art into Science: A Conference for Defense (ACoD) 2019. It was a blast listening to a variety of amazing talks and speaking on Kubernetes security. In this post, we share background on […]

Read More…

Your etcd is Showing: Thousands of Clusters Open to the Internet

James Condon, Director of Research, Lacework Labs

Usage of the distributed key-value store etcd is at an all-time high. The fastest-growing open-source project, Kubernetes, uses etcd to store data critical to the operation of its clusters. Like many open-source, easy-to-use data stores, the simplicity of setup is a […]

Read More…

ELF of the Month: New Lucky Ransomware Sample

James Condon, Director of Research, Lacework Labs

News broke in late November 2018 about a ransomware variant dubbed Lucky Ransomware that targets both Linux and Windows platforms. A recent sample of the ransomware module was uploaded to VirusTotal in mid-December 2018 with characteristics that differ from previously reported samples. In this […]

Read More…

Kubernetes CVE-2018-1002105

James Condon, Director of Research, Lacework Labs

On December 3rd a critical Kubernetes vulnerability was announced under CVE-2018-1002105. This vulnerability scored a 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS). The vulnerability stems from an issue with the Kubernetes API server (kube-apiserver) handling proxy requests when upgrading to WebSockets. The vulnerability ultimately can allow authenticated […]

Read More…

ELF of the Month: Linux DDoS Malware Sample

James Condon, Director of Research, Lacework Labs

Each month we take a look at a malicious Executable and Linkable Format (ELF) file, the common executable file format for Unix and Unix-like operating systems, and share details about the sample. In this edition of ELF of the Month, we take a look at a Linux DDoS sample […]

Read More…

Securing Innovation in the Public Cloud

James Condon, Director of Research, Lacework Labs

I recently attended the Colorado CSA Fall Summit and wanted to share some insights and themes from the conference. The CSA summit included presentations on all things cloud security. On the technical side, there were talks on DevSecOps, cloud pen testing, AWS encryption, […]

Read More…

Redis Compromise: Lacework Detection

Dan Hubbard, Chief Product Officer, Lacework

Recently we published a blog on the internals of a Redis compromise, an infection on one of our external-facing honeypots; this is a follow-up that demonstrates how the Lacework service would help identify the attack at a variety of stages in the attacker lifecycle. As I outlined […]

Read More…