September was a great month for security conferences! We had the pleasure of presenting at DerbyCon 9.0 and BSides Denver ‘19. Here is a quick recap of the presentations.
DerbyCon 9.0 Finish Line
This year’s DerbyCon was aptly named “Finish Line” as it is, unfortunately, the last year of the conference. The conference took place in Louisville, Kentucky and is considered the largest security conference in the South (we are still holding onto the hope that DerbyCon will be back next year!).
Our presentation at DerbyCon was a continuation of research on in-the-wild attacks targeting Kubernetes. In the past we discovered many internet-accessible Kubernetes components. Specifically over 500 Dashboards, 21,000 API Servers (secure port), 2,400 etcd cluster (possibly belonging to a K8s cluster), and 500 API Servers (insecure port).
Earlier in the year, we deployed a K8s honeypot to catch an attack specifically targeting Kubernetes. We detailed the experience in our blog Cryptojacking Campaign Targets Exposed Kubernetes Clusters. The tl;dr is after 31 days a cryptojacking campaign targeted the insecure API to deploy a ReplicationController. The ReplicationController specified five replicas that ran XMRig to illicitly mine Monero. We expanded the research to look for evidence of compromise in the previously misconfigured result set. To our surprise, we noted that close to 50% of pods running with an exposed insecure API server were used for cryptocurrency mining.
You can watch the presentation here: https://youtu.be/BwxyU2DLKiE
Slides can be found here: DerbyCon 2019 Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryptobooty
BSides Denver ‘19
This year’s BSides Denver was a much smaller venue than years past. This allowed for more conversations with presenters on their topics. This was a great way to foster more communication among individuals in the Denver security community.
We had the pleasure of leading a discussion around tactics used by cryptojackers in their attempt to eradicate competing attackers for compromised resources. We outlined four case studies that highlighted different techniques us and others have observed. The most common tactics include:
- Scanning process tables to kill running processes based on keywords.
- Scanning process tables to kill running processes based on CPU usage.
- Scanning file directories for possible malware names.
- Killing process based on connections to IPs associated with cryptojacking C2s and private mining pools.
- Routing IPs associated with cryptojacking C2s and private mining pools back to localhost.
- Sinkholing domains associated with common mining pools using the /etc/hosts file.
All in all the attackers use similar tactics as Blue Teams looking to thwart these attacks. The attackers also give up valuable intelligence on other attackers’ tools and infrastructure.
You can check out the slides here: BSides Denver 2019 – Cloud Wars Episode V: The Cryptojacker Strikes Back
Feel free to reach out with any questions or if you would like to collaborate on this research!