Kubernetes | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor. This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis. The attacks leverage Docker for initial access to deploy a cryptocurrency miner on compromised containers, while also fetching and executing additional payloads that are responsible for conducting lateral movement to related hosts running Docker, Kubernetes, or SSH. Specifically, this involves identifying unauthenticated and exposed Docker API endpoints using Internet scanning tools, such as masscan and ZGrab . On vulnerable endpoints, the Docker API is used to spawn an Alpine container and then retrieve an initialization shell script (init.sh) from a remote server ("solscan[.]liv

Cybersecurity researchers have disclosed a security flaw impacting Microsoft Azure Kubernetes Services that, if successfully exploited, could allow an attacker to escalate their privileges and access credentials for services used by the cluster. "An attacker with command execution in a pod running within an affected Azure Kubernetes Services cluster could download the configuration used to provision the cluster node, extract the transport layer security (TLS) bootstrap tokens, and perform a TLS bootstrap attack to read all secrets within the cluster," Google-owned Mandiant said . Clusters using "Azure CNI" for the "Network configuration" and "Azure" for the "Network Policy" have been found to be impacted by the privilege escalation bug. Microsoft has since addressed the issue following responsible disclosure. The attack technique devised by the threat intelligence firm hinges on accessing a little-known component called Azure WireS

For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,

Cybersecurity researchers have warned of an ongoing cryptojacking campaign targeting misconfigured Kubernetes clusters to mine Dero cryptocurrency. Cloud security firm Wiz, which shed light on the activity, said it's an updated variant of a financially motivated operation that was first documented by CrowdStrike in March 2023. "In this incident, the threat actor abused anonymous access to an Internet-facing cluster to launch malicious container images hosted at Docker Hub, some of which have more than 10,000 pulls," Wiz researchers Avigayil Mechtinger, Shay Berkovich, and Gili Tikochinski said . "These docker images contain a UPX-packed DERO miner named 'pause.'" Initial access is accomplished by targeting externally accessible Kubernetes API servers with anonymous authentication enabled to deliver the miner payloads. Unlike the 2023 version that deployed a Kubernetes DaemonSet named "proxy-api," the latest flavor makes use of seemingly b

Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads and leverage them for cryptocurrency mining activity. That's according to the Microsoft Threat Intelligence team, which  said  the flaws have been weaponized since the start of April 2024. OpenMetadata is an  open-source platform  that operates as a metadata management tool, offering a unified solution for data asset discovery, observability, and governance. The flaws in question – all discovered and credited to security researcher Alvaro Muñoz – are listed below - CVE-2024-28847  (CVSS score: 8.8) - A Spring Expression Language (SpEL) injection vulnerability in PUT /api/v1/events/subscriptions (fixed in version 1.2.4) CVE-2024-28848  (CVSS score: 8.8) - A SpEL injection vulnerability in GET /api/v1/policies/validation/condition/<expr> (fixed in version 1.2.4) CVE-2024-28253  (CVSS score: 8.8) - A SpEL injection vulnerability in PUT /api/v

Details have been made public about a now-patched high-severity flaw in Kubernetes that could allow a malicious attacker to achieve remote code execution with elevated privileges under specific circumstances. "The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster," Akamai security researcher Tomer Peled  said . "To exploit this vulnerability, the attacker needs to apply malicious YAML files on the cluster." Tracked as CVE-2023-5528 (CVSS score: 7.2), the shortcoming impacts all versions of kubelet, including and after version 1.8.0. It was addressed as part of updates released on November 14, 2023, in the following versions - kubelet v1.28.4 kubelet v1.27.8 kubelet v1.26.11, and kubelet v1.25.16 "A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes," Kubernetes maintainers  said  in a

In the realm of cybersecurity, the stakes are sky-high, and at its core lies secrets management — the foundational pillar upon which your security infrastructure rests. We're all familiar with the routine: safeguarding those API keys, connection strings, and certificates is non-negotiable. However, let's dispense with the pleasantries; this isn't a simple 'set it and forget it' scenario. It's about guarding your secrets in an age where threats morph as swiftly as technology itself. Lets shed some light on common practices that could spell disaster as well as the tools and strategies to confidently navigate and overcome these challenges. In simple words this is a first step guide for mastering secrets management across diverse terrains.  Top 5 common secrets management mistakes Alright, let's dive into some common secrets management mistakes that can trip up even the savviest of teams: Hard coding secrets in code repositories:  A classic mistake, hard codin

Multiple security vulnerabilities have been disclosed in the runC command line tool that could be exploited by threat actors to escape the bounds of the container and stage follow-on attacks. The vulnerabilities, tracked as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, have been collectively dubbed  Leaky Vessels  by cybersecurity vendor Snyk. "These container escapes could allow an attacker to gain unauthorized access to the underlying host operating system from within the container and potentially permit access to sensitive data (credentials, customer info, etc.), and launch further attacks, especially when the access gained includes superuser privileges," the company  said  in a report shared with The Hacker News. runC  is a tool for spawning and running containers on Linux. It was originally developed as part of Docker and later  spun out  into a separate open-source library in 2015. A brief description of each of the flaws is below - CVE-202

Google Cloud has addressed a medium-severity security flaw in its platform that could be abused by an attacker who already has access to a Kubernetes cluster to escalate their privileges. "An attacker who has compromised the  Fluent Bit  logging container could combine that access with high privileges required by  Anthos Service Mesh  (on clusters that have enabled it) to escalate privileges in the cluster," the company  said  as part of an advisory released on December 14, 2023. Palo Alto Networks Unit 42, which discovered and reported the shortcoming, said adversaries could weaponize it to carry out "data theft, deploy malicious pods, and disrupt the cluster's operations." There is no evidence that the issue has been exploited in the wild. It has been addressed in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) - 1.25.16-gke.1020000 1.26.10-gke.1235000 1.27.7-gke.1293000 1.28.4-gke.1083000 1.17.8-asm.8 1.18.

Cybersecurity researchers are warning of publicly exposed Kubernetes configuration secrets that could put organizations at risk of supply chain attacks. "These encoded Kubernetes configuration secrets were uploaded to public repositories," Aqua security researchers Yakir Kadkoda and Assaf Morag  said  in a new research published earlier this week. Some of those impacted include two top blockchain companies and various other fortune-500 companies, according to the cloud security firm, which leveraged the GitHub API to fetch all entries containing .dockerconfigjson and .dockercfg types that  store credentials  for accessing a container image registry. Of the 438 records that potentially held valid credentials for registries, 203 records – about 46% – contained valid credentials that provided access to the respective registries. Ninety-three of the passwords were manually set by individuals, as opposed to the 345 that were computer-generated. "In the majority of cases, these creden

In 2023, the cloud isn't just a technology—it's a battleground. Zenbleed, Kubernetes attacks, and sophisticated APTs are just the tip of the iceberg in the cloud security warzone. In collaboration with the esteemed experts from Lacework Labs, The Hacker News proudly presents an exclusive webinar: ' Navigating the Cloud Attack Landscape: 2023 Trends, Techniques, and Tactics .' Join us for an insightful session led by Jose Hernandez of Lacework Labs, where we dissect and analyze the year's most pressing cloud security issues. This webinar is not just about theory; it's a practical guide filled with actionable strategies to shield your organization from advanced threats in the cloud.  Highlights include: Kubernetes Security Breaches:  Explore the surge in Kubernetes-related vulnerabilities and the concerning increase in administrative plane abuses. Zenbleed in Focus:  Understand the far-reaching impact of the Zenbleed vulnerability and how Lacework Labs is

Three unpatched high-severity security flaws have been disclosed in the  NGINX Ingress controller  for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster. The vulnerabilities are as follows -  CVE-2022-4886  (CVSS score: 8.8) -  Ingress-nginx  path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller CVE-2023-5043  (CVSS score: 7.6) - Ingress-nginx annotation injection causes arbitrary command execution CVE-2023-5044  (CVSS score: 7.6) - Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation "These vulnerabilities enable an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster," Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said of CVE-2023-5043 and CVE-2023-5044. Successful exploitation of the flaws could allow an adversary to inject arbitrary code into the ingress controller proce

Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server. Sonatype said it has discovered 14 different npm packages so far: @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core, @dynamic-form-components/mui, @dynamic-form-components/shineout, @expue/app, @fixedwidthtable/fixedwidthtable, @soc-fe/use, @spgy/eslint-plugin-spgy-fe, @virtualsearchtable/virtualsearchtable, and shineouts. "These packages [...] attempt to impersonate JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools," the software supply chain security firm  said . "But, upon installation, multiple versions of the packages were seen running obfuscated code to collect and siphon sensitive files from the target machine." Along with Kubernetes config and SSH ke

Three interrelated high-severity security flaws discovered in Kubernetes could be exploited to achieve remote code execution with elevated privileges on Windows endpoints within a cluster. The  issues , tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, carry CVSS scores of 8.8 and impact all Kubernetes environments with Windows nodes. Fixes for the vulnerabilities were  released  on August 23, 2023, following responsible disclosure by Akamai on July 13, 2023. "The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster," Akamai security researcher Tomer Peled said in a technical write-up shared with The Hacker News. "To exploit this vulnerability, the attacker needs to apply a malicious YAML file on the cluster." Amazon Web Services  (AWS),  Google Cloud , and  Microsoft Azure  have all released advisories for the bugs, which affect the following versions of Kubelet - kubelet < v1.28

Exposed Kubernetes (K8s) clusters are being exploited by malicious actors to deploy cryptocurrency miners and other backdoors. Cloud security firm Aqua, in a  report  shared with The Hacker News, said a majority of the clusters belonged to small to medium-sized organizations, with a smaller subset tied to bigger companies, spanning financial, aerospace, automotive, industrial, and security sectors. In total, Kubernetes clusters belonging to more than 350 organizations, open-source projects, and individuals were discovered, 60% of which were the target of an active crypto-mining campaign. The publicly-accessible clusters, per Aqua, are said to suffer from two different kinds of misconfigurations: allowing anonymous access with high privileges and running kubectl proxy with the flags "--address=`0.0.0.0` --accept-hosts `.*`" "Housing a wide array of sensitive and valuable assets, Kubernetes clusters can store customer data, financial records, intellectual property, a

As many as 196 hosts have been infected as part of an aggressive cloud campaign mounted by the TeamTNT group called  Silentbob . "The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications," Aqua security researchers Ofek Itach and Assaf Morag  said  in a report shared with The Hacker News. "The focus this time seems to be more on infecting systems and testing the botnet, rather than deploying cryptominers for profit." The development arrives a week after the cloud security company  detailed  an intrusion set linked to the TeamTNT group that targets exposed JupyterLab and Docker APIs to deploy the Tsunami malware and hijack system resources to run a cryptocurrency miner. The latest findings suggest a broader campaign and the use of a larger attack infrastructure than previously thought, including various shell script

A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control ( RBAC ) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack  RBAC Buster , said it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign. The attack chain commenced with the attacker gaining initial access via a misconfigured API server, followed by checking for evidence of competing miner malware on the compromised server, and then using RBAC to set up persistence. "The attacker created a new ClusterRole with near admin-level privileges," the company said. "Next, the attacker created a 'ServiceAccount', 'kube-controller' in the 'kube-system' namespace. Las

Recently, Andrew Martin, founder and CEO of ControlPlane, released a report entitled Cloud Native and Kubernetes Security Predictions 2023. These predictions underscore the rapidly evolving landscape of Kubernetes and cloud security, emphasizing the need for organizations to stay informed and adopt comprehensive security solutions to protect their digital assets. In response,  Uptycs , the first unified CNAPP and XDR platform, released a whitepaper, " 14 Kubernetes and Cloud Security Predictions for 2023 and How Uptycs Meets Them Head-On " addressing the most pressing challenges and trends in Kubernetes and cloud security for 2023. Uptycs explains how their unified CNAPP and XDR solution is designed to tackle these emerging challenges head-on.  Read on for key takeaways from the whitepaper and learn how Uptycs helps modern organizations successfully navigate the evolving landscape of Kubernetes and cloud security.  14 Kubernetes and Cloud Security Predictions for 2023 C