Blog

Cryptojacking Campaign Targets Exposed Kubernetes Clusters

Reports on in-the-wild attacks on Kubernetes clusters are somewhat sparse. This coupled with multiple attack vectors prompted us to deploy Kubernetes honeypots with very loose security controls to catch real-world attacks. Our hypothesis was that an attack would happen quickly through the insecure API and that the attacker would abuse the cluster to deploy coinminers. […]

Read More…

Triaging a CryptoSink Infection in 5 Minutes with Lacework

Triaging a CryptoSink Infection in 5 Minutes with Lacework

In medical terms, triage is the assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of patients or casualties. For security practitioners, triage is assigning priorities and order to security events. When triaging an alert, a security analyst needs to quickly and accurately determine if […]

Read More…

Container Security: A Popular Topic at BSidesSF ‘19

Before the masses assembled for RSAC, BSidesSF 2019 took place at the Metreon AMC 16 in San Francisco, CA. As it turns out, a movie theater is an amazing venue for a conference like BSides. Talks were held in the City View movie theaters and even the IMAX theater, which happens to be the 3rd […]

Read More…

Talking Kubernetes at Denver ISSA

Last month we had the pleasure of speaking about securing Kubernetes at ACoD 2019. This month I had the opportunity to speak on the same topic at the Denver Information Systems Security Association (ISSA) chapter meetings. Denver ISSA is a not-for-profit organization with a mission of “Developing and Connecting Denver’s Cybersecurity Leaders.” They hold chapter meetings […]

Read More…

Art Into Science: Conference Overview & Securing K8s

Photo via Art into Science 2019 Last week we had the pleasure of attending and presenting at Art into Science: A Conference for Defense (ACoD) 2019. It was a blast listening to a variety of amazing talks, and speaking on Kubernetes security. In this post, we share background on the conference, discuss some of our […]

Read More…

Your etcd is Showing: Thousands of Clusters Open to the Internet

Photo by Matt Artz on Unsplash Usage of the distributed key-value store etcd is at an all time high. The fastest growing open source project Kubernetes uses etcd to store data critical to the operation of its clusters. Like many open source, easy to use data stores, the simplicity of setup is a double edged sword. […]

Read More…

ELF of the Month_ Latest Lucky Ransomware Sample

ELF of the Month: New Lucky Ransomware Sample

Photo by Kiki Wang on Unsplash News broke in late November 2018 about a ransomware variant dubbed Lucky Ransomware that targets both Linux and Windows platforms. A recent sample of the ransomware module was uploaded to VirusTotal in mid-December 2018 with some different characteristics than previously reported samples. In this month’s edition of ELF of the […]

Read More…

Kubernetes CVE-2018-1002105

On December 3rd a critical Kubernetes vulnerability was announced under CVE-2018-1002105. This vulnerability scored a 9.8 out 10 on the Common Vulnerability Scoring System (CVSS). The vulnerability stems from an issue with Kubernetes API Server (kube-apiserver) handling proxy requests when upgrading to WebSockets. The vulnerability ultimately can allow authenticated and unauthenticated users to make API […]

Read More…

ELF of the Month_ Linux DDoS Malware Sample

ELF of the Month: Linux DDoS Malware Sample

Each month we take a look at a malicious Executable and Linkable Format (ELF) file, the common executable file format for Unix and Unix-like Operating Systems, and share details about the sample. In this edition of ELF of the Month we take a look at a Linux DDoS sample recently uploaded to VirusTotal. This particular […]

Read More…

Securing Innovation in the Public Cloud

Securing Innovation in the Public Cloud

Photo by Clayton Holmes on Unsplash I recently attended the Colorado CSA Fall Summit and wanted to share some insights and themes from the conference. The CSA summit included presentations on all things cloud security. On the technical side there were talks on DevSecOps, cloud pen testing, AWS encryption, cryptocurrency, and container security. One of […]

Read More…

Redis Compromise: Lacework Detection

Recently we published a blog on the internals of a Redis compromise with an infection on one of our external-facing honeypots and this is a follow up which demonstrates how the Lacework service would help identify the attack at a variety of stages in the attacker life-cycle. As I outlined in a previous blog about the […]

Read More…