Blog

DIY Canary Tokens in AWS

Jared Stroud, Cloud Security Researcher. Key Takeaways: Canarytokens in AWS can aid defenders in post-compromise situations. EventBridge allows you to create trigger events. EventBridge custom event patterns allow for alerts on virtually every AWS resource. Background & Previous Work: Canarytokens are resources (directories/files/accounts/etc.) that exist to alert an administrator when they’ve been accessed. Sometimes referred […]

“Spytech Necro” – Keksec’s Latest Python Malware

Key Takeaways: Keksec (aka Freakout) continues to develop Necro, their polymorphic Python-based IRC malware. The newest version, dubbed “Spytech Necro”, includes significant updates to the C2 protocol and additional exploits, including the recent Confluence exploit described in CVE-2021-26084. Keksec is distributing additional Tsunami malware via their “Samael” botnet infrastructure. Analysis tools and indicators are […]

Mirai goes Stealth – TLS & IoT Malware

Key Takeaways: IoT malware is becoming more popular for use in cloud attacks. Typical usage of TLS in IoT malware is rare, but has been observed in suspected state-sponsored campaigns. Lacework Labs recently observed what is believed to be a targeted attack using a TLS-enabled version of Mirai dubbed “scsihelper”. IoT malware (typically used […]

HCRootkit / Sutersu Linux Rootkit Analysis

Jared Stroud and Tom Hegel, Cloud Security Researchers, Lacework Labs. Key Points: Lacework Labs identified new samples and infrastructure associated with HCRootkit / Sutersu Linux rootkit activity, building off its recent initial identification from our colleagues at Avast. Malicious droppers include and deliver additional files, a kernel module, and a userland ELF. These files compromise a host […]

PYSA Ransomware Gang adds Linux Support

Key Takeaways: The first Linux version of ChaChi, a Golang-based DNS tunneling backdoor, was recently observed on VirusTotal. The malware is configured to use domains associated with the ransomware actors known as PYSA, aka Menipoza Ransomware Gang. PYSA’s ChaChi infrastructure appears to have been largely dormant for the past several weeks, mostly parked and […]

Muhstik Takes Aim at Confluence CVE 2021-26084

Key Takeaways: In line with USCYBERCOM’s warning, publicly available Confluence exploit scripts are being integrated into opportunistic attackers’ toolkits. Muhstik, a known threat actor targeting cloud and IoT, is one of these opportunistic attackers, targeting vulnerable Confluence servers to spread their botnet. Lacework Labs observed bash droppers with zero detections on VirusTotal being used […]

Lacework 2021 Cloud Threat Report Vol. 2

Cybercriminals’ Demand for Cloud Access Grows. In new research from the Lacework Labs team, it’s clear organizations should start thinking of cybercriminals as business competitors. Thanks to more than three months of exhaustive monitoring and tracking of malicious cloud activity, the team has uncovered evolving attack techniques and campaigns originating from across the globe, mostly characterized […]

Hiding in Plaintext Sight: Abusing The Lack of Kubernetes Auditing Policies

Jared Stroud, Cloud Security Researcher, Lacework Labs. Key Points: Kubernetes audit policies are critical for cluster-level visibility. Kubernetes annotations allow for arbitrary storage and can be abused for malicious activity. Kubernetes API endpoints create a novel C2 channel that may be difficult to audit or detect within organizations. Introduction to Kubernetes Audit Log […]

Threat Research with Snowflake & VirusTotal

There is no shortage of threat intelligence. Between numerous vendors and open sources, the amount of data can be overwhelming. The challenge then becomes curating what you already have and tailoring it to your needs, whether that’s for research, net defense, or both. Lacework Labs uses a number of different sources and tooling for this […]

Hidden Bugs in The Mines: Examining Vulnerabilities within Cryptocurrency Miners

Jared Stroud, Cloud Security Researcher, Lacework Labs. Key Points: XMRigCC vulnerabilities enable rogue clients/compromised hosts/victims to attack upstream servers. Vulnerabilities include: arbitrary file writing with the specific extension “_config.json”; default configuration overwrite via client “worker-id”, leading to potential client takeover; persistent XSS via client “worker-id”; remote denial of service via client “worker-id”. Summary: Lacework […]

Threat Hunting SSH Keys – Bash Script Feature Pivoting

Tom Hegel, Cloud Security Researcher, Lacework Labs. Malicious actors often add SSH keys to victim hosts for persistence (T1098.004); in this blog we will show you how to hunt with that knowledge. The process of identifying malicious activity through threat intelligence pivoting is standard practice for any CTI analyst. For readers unfamiliar with […]

Hacking Like it’s 1999 – Automating Analysis Like it’s 2021

Jared Stroud, Cloud Security Researcher, Lacework Labs. The Takeaways: Lacework Labs is releasing a Ghidra script to automate the extraction of IRC IPs/domains, channels and channel credentials used by Kaiten IRC bots and their variants. Lacework Labs Ghidra Scripts. Summary: Lacework Labs has historically reported on the usage of IRC bots in […]

Keksec & Tsunami-Ryuk

Chris Hall, Cloud Security Researcher, Lacework Labs. Key Takeaways: Keksec is now leveraging a new Tsunami DDoS malware dubbed “Ryuk” (not the ransomware family). The group has updated the DGA algorithm used by the Necro Python malware. An inventory of Keksec’s malware distribution infrastructure is provided. New persona details are included. Keksec, […]

Cloud Access: The Latest Offering for Initial Access Brokers

Greg Foss, Cloud Security Researcher, Lacework Labs. Summary: Initial Access Brokers (IABs) have become commonplace across cybercrime marketplaces in recent years. The practice has evolved from the opportunistic compromise of one-off internet-facing assets for resale as mere proxies to now including the targeting of corporate networks, assessing the environment for business value, […]

Taking TeamTNT’s Docker Images Offline

Jared Stroud, Cloud Security Researcher, Lacework Labs. The Takeaways: TeamTNT targets exposed Docker APIs to deploy malicious images. Docker images containing TeamTNT malware are being hosted in public Docker repos via account takeovers. TeamTNT leverages exposed Docker Hub secrets within GitHub to stage malicious Docker images. The following MITRE ATT&CK techniques were observed: […]

8220 Gang’s Recent Use of Custom Miner and Botnet

Jared Stroud, Chris Hall, and Tom Hegel, Cloud Security Researchers, Lacework Labs. Lacework Labs has recently encountered a cluster of malicious activity based around loader scripts and the delivery of a custom cryptocurrency miner and an IRC bot. Specifically, we’ve identified a new loader script, a custom “PwnRig” miner, and unique Tsunami IRC botnet […]

Canary Tokens & Ransomware Operations

Jared Stroud and Chris Hall, Cloud Security Researchers, Lacework Labs. Key Takeaways: canarytokens.org is potentially being abused by ransomware operator(s) to exfiltrate the keys/passwords used for file encryption on the victim host. Summary: The Lacework Labs research team continues to monitor evolving threats in the Linux, cloud and container ecosystem. Recently, a new technique was […]

Cpuminer & Friends

Chris Hall, Cloud Security Researcher, Lacework Labs. Key Take-aways: Actors are now leveraging two variants of the same open-source multi-algorithm cryptomining utility, cpuminer. Two general tactics have been observed to date, including Jupyter command execution (T1059) and WordPress exploitation (T1584). This blog includes a short tutorial on obfuscated PHP analysis performed as […]

Sysrv-Hello Expands Infrastructure

Chris Hall and Jared Stroud, Cloud Security Researchers, Lacework Labs. Sysrv-hello is a multi-architecture cryptojacking (T1496) botnet that first emerged in late 2020 and employs Golang malware compiled into both Linux and Windows payloads. The malware is equal parts XMRig cryptominer and aggressive botnet propagator. The propagator leverages MySQL and Tomcat brute forcing (T1110) along with […]

Resolving Embedded Files at Runtime via strace

Jared Stroud, Cloud Security Researcher, Lacework Labs. Modern Linux malware binaries are being shipped with one or more embedded files. Often, the first-stage binary is simply a dropper for the real payload. Prior to the “real payload” being dropped, it’s common to see checks for the host’s CPU architecture, Linux distribution or a series […]

Carbine Loader Cryptojacking Campaign

Tom Hegel, Cloud Security Researcher, Lacework Labs. Lacework Labs recently came across an interesting shell script that’s part of an opportunistic cryptojacking (T1496) campaign. This campaign operated through remote code execution against public-facing Nagios XI applications. We have dubbed the loader script “Carbine Loader” during our clustering process. As background context, Nagios Core is […]

The “Kek Security” Network

Key takeaways: Keksec has updated their tactics to include use of DGA, Tor C2, and proxies. Based on voluminous polymorphic specimens, there is likely widespread infection attributable to the group. Keksec is actively exploiting Citrix NetScaler RCE (CVE-2019-19781) and VMware vCenter Server (CVE-2021-21973). Tools and indicators are available here. Introduction […]

Groundhog Botnet Rapidly Infecting Cloud

Chris Hall, Cloud Security Researcher, Lacework Labs. As early as 2015, the “Groundhog” DDoS botnet began proliferating via SSH brute force attacks. The botnet is believed to have a China nexus and has been active since its inception. In early December 2020, Lacework started monitoring recent activity along with botnet traffic from a sinkhole operation. Our […]

TeamTNT Builds Botnet from Chinese Cloud Servers

TeamTNT is a relatively recent addition to a growing number of threats targeting the cloud. While they employ some of the same tactics as similar groups, TeamTNT stands out with their social media presence and penchant for self-promotion. Tweets from TeamTNT’s account are in both English and German, although it is unknown if they […]

SolarWinds & the Software Supply Chain

Chris Hall, Cloud Security Researcher, Lacework Labs. The software supply chain is often overlooked when it comes to security. Perhaps the latest SolarWinds incident will give it the attention it deserves. By trojanizing a software update delivered from SolarWinds, unknown actors were successful at achieving malware installation at numerous organizations and across multiple verticals. Supply chain […]

Meet Muhstik – IoT Botnet Infecting Cloud Servers

Chris Hall, Cloud Security Researcher, Lacework Labs. Cloud infrastructure is generally immune to IoT-related threats; however, there are some exceptions, one of which is “Muhstik”. The Muhstik botnet has been around for a couple of years now and is currently affecting the cloud by way of several web application exploits. The botnet is monetized via XMRig, […]

Moobot’s Cloud Migration

Chris Hall, Cloud Security Researcher, Lacework Labs. There is an abundance of Mirai-based botnets in the wild; however, “Moobot”, which targets vulnerable Docker APIs, recently showed up on our radar. This blog describes the Moobot development along with the malware variant details. A full indicator list is also provided in our GitHub repository. As early as […]

The Redis Rush

Chris Hall, Cloud Security Researcher, Lacework Labs. Redis has been heavily targeted for years, and recent activity shows it is more popular than ever with attackers. There are several reasons for this: zero security for the base image, easily discoverable, and easily exploited. This makes Redis the ultimate low-hanging fruit when targeting cloud infrastructure. This blog provides […]

Doki Dukes with Kinsing

Chris Hall, Cloud Security Researcher, Lacework Labs. Cloud infrastructure is premium real estate for cryptojackers and they are constantly looking for new ways to exploit your workloads. Among them is “Doki,” which was recently reported by Intezer and is distinguished by exploitation of the Docker API and for going undetected until only recently. While Doki was […]

Bash Wars

Chris Hall, Cloud Security Researcher, Lacework Labs. Whether you’re an engineer or a system administrator, you’ve probably found bash to be a go-to resource for automating your Linux tasks. Bash is so useful that it has become popular among malware authors as well. This is because it can easily perform many tasks that are necessary for […]

Kubernetes Recon: A Closer Look at Discovery from the Kubernetes Attack Matrix

Chris Hall, Cloud Security Researcher, Lacework Labs. On April 2nd, Microsoft released their attack matrix for Kubernetes, a collection of Kubernetes attack patterns modeled after MITRE’s ATT&CK framework. While the matrix was compiled for Azure, many of the patterns are valid for all cloud providers. There are nine tactics in the ATT&CK framework; however, this blog […]

Who’s Attacking My Containers?

Chris Hall, Cloud Security Researcher, Lacework Labs. If you’re concerned about the security of your cloud resources then you may have asked yourself: “Who’s attacking my containers?” This blog will attempt to answer that question. As described in the kill chain model, the first phase of any attack is reconnaissance. This entails some form of information […]

H2Miner Botnet – Act 2

Chris Hall, Cloud Security Researcher, Lacework Labs. Containers are gaining popularity as malware deployment mechanisms in the cloud. Beginning on Valentine’s Day, one malicious container started making its rounds and has steadily expanded to over 350 infections. The malware and infrastructure have been attributed to the “H2Miner” cryptomining botnet which was last reported in January propagating […]

Research Automation with ATT&CK & Python

Chris Hall, Cloud Security Researcher, Lacework Labs. MITRE did the community a huge favor with the development of ATT&CK, an open-source knowledge base for attack techniques. Threat intelligence can often be a nebulous undertaking, but thanks to ATT&CK, the lives of analysts have been made a little bit easier. This blog describes how to […]

Automating Enforcement and Response in 2020

James Condon, Director of Research, Lacework Labs. In 2019, organizations adopted containers, embraced DevSecOps, and shifted security focus to earlier in the software development lifecycle. “Secure by Default” became the new goalpost. We now see the various places we need to insert security into our CI/CD pipelines. But with so many new areas for security to […]

Cloud Wars & K8s Attacks: Speaking Engagements this November

James Condon, Director of Research, Lacework Labs. The year is drawing to a close, but we still have a few conferences left! A lot happened this year in Cloud Security. We saw many breaches from misconfigurations to overly permissive policies. We also saw a large focus on securing Cloud Native Technologies for those operating in the […]

DerbyCon 9.0 & BSides Denver ‘19

James Condon, Director of Research, Lacework Labs. September was a great month for security conferences! We had the pleasure of presenting at DerbyCon 9.0 and BSides Denver ‘19. Here is a quick recap of the presentations. DerbyCon 9.0 Finish Line: This year’s DerbyCon was aptly named “Finish Line” as it is, unfortunately, the last year of […]

Cloud & Container Security: Three Great Talks and Tools from Black Hat 2019

James Condon, Director of Research, Lacework Labs. Last week thousands of security professionals descended upon Las Vegas for Hacker Summer Camp (despite warnings of swarming locusts!). Lacework Labs was there to take in all the sights and sounds. It was exciting to see such an emphasis on cloud and container security. There was much discussion on […]

Lacework Labs Upcoming Speaking Events

James Condon, Director of Research, Lacework Labs. The first half of the year was a busy one for Lacework Labs. We had the pleasure of speaking at a number of amazing conferences and meetups, including ACoD, BSidesSF, RSA, and more. If you didn’t get the chance to see us speak on various cloud security topics, […]

Cryptojacking Malware Gets Creative with Variable Names

James Condon, Director of Research, Lacework Labs. This malware sample may unlock your variable naming writer’s block. Have you ever tried using your favorite foods? We hadn’t either until we came across this one. This Bash script was seen following the Confluence exploits we recently blogged about. The unique variable naming isn’t the only thing that […]

4 Ways Lacework Detects Confluence Attacks

James Condon, Director of Research, Lacework Labs. Last week we blogged about attacks exploiting a Confluence vulnerability (CVE-2019-3396). You may be wondering how Lacework detects these attacks. In this blog, we answer that question! If you recall, CVE-2019-3396 is an unauthenticated remote code execution (RCE) vulnerability. It’s exploited with a specially crafted HTTP POST request to […]

An Unauthenticated RCE Gold Rush: A Look at Attacks Exploiting Confluence CVE-2019-3396

James Condon, Director of Research, Lacework Labs. The recent Confluence vulnerability (CVE-2019-3396) created a gold rush for threat actors. Attackers are exploiting it for cryptojacking, DDoS attacks, and ransomware. We observed some of these attacks in the wild and via our honeypots. In this blog we will share interesting details from the attacks. CVE-2019-3396: On March […]

Top 10 Threats to Cloud Security: AWS Security Week New York

James Condon, Director of Research, Lacework Labs. Last week I had the pleasure of attending my first AWS Security Week. This was held at the AWS New York City loft from April 15th – April 18th. The AWS Lofts are a cool place for people to come to hang out, meet, code, etc. – all free […]

Cryptojacking Campaign Targets Exposed Kubernetes Clusters

James Condon, Director of Research, Lacework Labs. Reports on in-the-wild attacks on Kubernetes clusters are somewhat sparse. This, coupled with multiple attack vectors, prompted us to deploy Kubernetes honeypots with very loose security controls to catch real-world attacks. Our hypothesis was that an attack would happen quickly through the insecure API and that the attacker would […]

Triaging a CryptoSink Infection in 5 Minutes with Lacework

James Condon, Director of Research, Lacework Labs. In medical terms, triage is the assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of patients or casualties. For security practitioners, triage is assigning priorities and order to security events. When triaging an alert, a security analyst needs […]

Container Security: A Popular Topic at BSidesSF ‘19

James Condon, Director of Research, Lacework Labs. Before the masses assembled for RSAC, BSidesSF 2019 took place at the Metreon AMC 16 in San Francisco, CA. As it turns out, a movie theater is an amazing venue for a conference like BSides. Talks were held in the City View movie theaters and even the IMAX theater, […]

Talking Kubernetes at Denver ISSA

James Condon, Director of Research, Lacework Labs. Last month we had the pleasure of speaking about securing Kubernetes at ACoD 2019. This month I had the opportunity to speak on the same topic at the Denver Information Systems Security Association (ISSA) chapter meetings. Denver ISSA is a not-for-profit organization with a mission of “Developing and Connecting Denver’s […]

Art Into Science: Conference Overview & Securing K8s

James Condon, Director of Research, Lacework Labs. Photo via Art into Science 2019. Last week we had the pleasure of attending and presenting at Art into Science: A Conference for Defense (ACoD) 2019. It was a blast listening to a variety of amazing talks, and speaking on Kubernetes security. In this post, we share background on […]

Your etcd is Showing: Thousands of Clusters Open to the Internet

James Condon, Director of Research, Lacework Labs. Photo by Matt Artz on Unsplash. Usage of the distributed key-value store etcd is at an all-time high. The fastest-growing open source project, Kubernetes, uses etcd to store data critical to the operation of its clusters. Like many open-source, easy-to-use data stores, the simplicity of setup is a […]

ELF of the Month: New Lucky Ransomware Sample

James Condon, Director of Research, Lacework Labs. Photo by Kiki Wang on Unsplash. News broke in late November 2018 about a ransomware variant dubbed Lucky Ransomware that targets both Linux and Windows platforms. A recent sample of the ransomware module was uploaded to VirusTotal in mid-December 2018 with some different characteristics than previously reported samples. In this […]
