►
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
Hello,
everyone
good
morning,
good
evening,
welcome
to
the
webinar
defense
strategies
against
kubernetes
attack,
ttps.
A
A
A
So
today's
agenda
is
straightforward,
where
we
will
look
at
the
attack
surfaces
available
to
external
threat
actors
and
how
each
external
threat
actor,
which
is
active
right
now
in
the
wild,
is
targeting
them
and
what
are
the
mitigation
strategies?
We
can
use
right
now
to
stop
them.
A
So
current
trends
from
the
kubernetes
perspective
is
the
the
external
threat
actors
are
interested
in
mining
cryptocurrency
and
this
mining
activity
kind
of
picks
up
when
cryptocurrency
price
comes
down
and
and
to
to
mine
this
cryptocurrency.
A
These
attackers
kind
of
try
to
find
the
misconfigured
docker
apis
kubernetes
api
to
access
available
compute
on
the
internet,
and
for
that
this
can
entire
internet
to
see
if
they
they
can
find
anything
and
once
they
find
such
misconfigured
apis,
they
do
do
they
do
get
that
initial
photo.
They
do
privilege
escalation
and
move
laterally,
and
in
some
cases
we
found
they
they
do
exploit
unpatched
cves
so
that
they
they
get
that
initial
foothold
easily.
A
So
with
that,
this
is
the
threat
matrix
for
kubernetes
from
microsoft
and,
as
you
can
see,
there
are
almost
45
techniques
listed
here
and
each
technique
can
be
used
to
compromise.
Your
container
attacker
can
do
privilege.
Escalations
can
can
can
move
laterally
within
your
containers
and
do
the
data
exfiltration
ultimately
using
this
technique.
So
today
we'll
be
focusing
on
these
initial
access
techniques
from
kubernetes
perspective.
A
A
You
have
your
container
runtime
running
and
you
have
kubernetes
vertical,
which
is
kind
of
managing
all
these
containers
that
you
would
deploy
and
by
configuration,
kubernetes
api
cumulative
docker
api
can
be
exposed
to
internet
and
attacker
can
really
find
out
these
apis
and
try
to
get
that
initial
foothold.
A
If
you
haven't
properly
secured
it,
your
services
are
also
exposed
out
of
these
system,
so
kubernetes
can
really
expose
your
services,
and
also
there
are
services
like
ssh
mysql,
which
can
run
on
host
itself
and
last
but
not
least,
attacker
can
really
make
use
of
the
malicious
images
that
are
hosted
on
public
infrastructure
or
public
repositories
like
docker
hub,
where
you
can
end
up
pulling
one
of
the
compromised
or
or
image
uploaded
by
attacker,
and
you
your
container
can
get
compromised
because
of
that,
and,
ultimately
your
cluster.
A
So
this
this
is
the
attack.
Surface,
usually
is
targeted
by
threat
actors
currently
to
get
that
initial
foothold.
A
And
this
is
just
a
point
in
time.
Just
before
this
webinar,
I
tried
to
see
how
many
docker
apis
are
available
and
how
many
cubelet
instances,
which
is
a
kubernetes
process
running
on
node,
is
exposed
on
internet,
and
I
almost
filed
found
500
entries
for
each
and
palo
alto
did
a
study
a
few
months
back
where
they
almost
found.
50
000
containers
publicly
accessible,
and
we
do
agree
with
that
number.
As
each
kubernetes
cluster
can
run
multiple
containers,
even
the
docker
api
can
run.
A
So,
let's
begin
by
looking
at
our
first
external
thread,
vector
which
is
team,
tnt
and
team
tnt
came
up
with
its
new
malware,
which
is
hildegard,
and
this
particular
malware
is
discovered
by
palo
alto,
and
this
is
targeting
a
cubelet
api
to
be
specific
to
gain
that
initial
foothold
into
the
kubernetes,
and
this
api
has
to
be
unsecured
in
order
to
get
that
initial
photo
and
they
did
the
same
thing
for
docker
interfaces
in
the
past
and
they
once
they
get
such
apis.
A
They
usually
drop
bunch
of
shell
scripts
and
do
the
initial
installation
and
the
intent
and
focus
for
this
particular
attack
vector
is
a
monero
coin
mining
and
they
have
a
bunch
of
scripts
which
can
look
at
your
cloud
im,
aws
or
ssh
keys,
so
that
if
there
is
a
chance
to
expand
their
presence,
they
would
be
able
to
do
that
and
they
have
typical
cnc
capabilities,
interesting
evasion
and
ddos
capabilities.
A
A
So
with
that
the
the
interesting
functionality
abuse
is
ld,
preload
ld
preload
is
a
linux
ability
or
linux
functionality
where,
if,
if
you
are
running
any
process
inside
a
linux-
and
you
enable
this
ld
preload
functionality,
the
binary
defined
by
ld
preload
will
be
loaded
into
that
process.
Memory
and-
and
this
will
be
enabled
globally,
so
any
process
you
run,
it
will
be
adding
the
library
or
binary
kind
of
showed
by
this
ldp
preload
parameter.
A
An
attacker
is
exactly
doing
that.
He's
loading
his
he
as
soon
as
he
compromises,
or
they
compromise
this
particular
container.
They
set
this
ldp
road
parameter
and,
after
that,
any
process
that
anyone
runs.
A
It
will
load
their
malicious
library
into
it,
and
what
this
malicious
library
does
is
hooks
into
read
and
read.
The
64
system
calls
and
what
this
system
calls
do
is
if
you
gonna
do
ps
or
ls.
A
It's
gonna
give
you
a
list
of
processes
or
list
of
files
on
file
system
right,
so
attacker
will
be
able
to
always
hide
the
files
or
processes
it
wants.
So,
if
administrator
goes
into
a
container
and
does
what
are
the
processes
running
here,
he
won't
be
able
to
see
healthy
guard
processes,
running
or
crypto
mining
mining
processes
run
by
this
particular
malware
and.
A
And
as
we
looked
into
this
closely,
so
they
kind
of
have
all
the
symbols
already
available
inside
the
binary
they
didn't
strip
any.
So
we
were
able
to
look
at
the
code
pretty
easily,
and
here
in
the
red
box,
you
can
see
see
that
they
are
directly
making
a
call
to
a
particular
symbol
to
locate,
read
the
r64
and
and
they
are
able
to
override
the
dr-64
after
that.
Just
to
show
you
how
it
looks
like
so
at
initially
in
this.
A
This
is
a
particular
container
where
we
are
just
running
a
ps
command
and
you
can
see
there
is
a
netcat
process
which
is
running
here
and
after
that
we
just
used
ld,
preload
and
loaded
our
malicious
binary,
which
kind
of
hides
this
netcat
process.
And
after
that
we
did
this
ps
command
and,
as
you
can
see
in
the
output
below,
there
is
no
netcat
binary.
A
So
that's
how
this
particular
technique
works
and
also
team
tnt
used
already
available
part
b
red
teaming
two
and
what
this
tool
does
is
it
can
abuse
c
groups
if
you
have
a
privileged
container.
So
if
team
tnt
ends
up
breaking
into
a
privileged
container,
they
can
basically
abuse
c
group
and
run
the
commands
on
host.
A
Here
we
use
his
body
framework
and
just
did
the
hostname
command
and,
as
you
can
see
in
the
red,
this
is
the
name
of
the
host.
Rather
than
name
of
my
container
and
after
that,
we
in
in
next
red
box,
you
can
see
we
were
able
to
read
the
files
on
the
host
escaping
the
containers,
so
these
threat
actors
kind
of
here
what
we
saw
is
they
used
ready
to
use
third
party
tools
and
integrated
into
their
malware
scripts.
So
for
command
and
control.
A
They
used
teammate
and
irc
as
a
cd
startups
and
as
we
talked,
they
use
ld
preload
technique
using
lead
process,
hider
and
bot
b
and
p
periods
for
container
breakout
and
credential
harvesting
and
for
dns
monitoring
bypass.
They
simply
override
the
adc
host
file
and
they
have
a
lot
of
scripts
to
scan
the
internet
so
that
they
could
expand
their
presence
once
they
compromised
your
infrastructure
and
the
intent
seemed
to
be
the
same
as
we
discussed
earlier,
a
monero
coin
mining.
A
So
this
is
the
these:
are
the
basic
capabilities
of
this
particular
thread
actors?
So,
let's
move
on
to
next
one.
This
is
skincing,
so
kinzing
targeted
the
docker
api
and
we
didn't
see
that
kingston
upgraded
and
targeted
kubernetes
api,
but
it
used
another
interesting
technique
where
it
kind
of
uploaded
its
images
to
public
infrastructure
that
is
docker
repository
and
and
users.
I
think
at
some
point
there
were
millions
of
users
which
were
pulling
down
images
uploaded
by
them,
and
this
this
is
in.
A
The
project
which
is
already
available
on
the
getup
and
focus
seems
to
be
similar,
the
coin
mining
command
and
control
and
encryption
and
the
evasion.
A
So
when
we
looked
at
this
particular
malware's
root
kit
closely,
it
was
similar
to
tim
tnt's.
They
use
dynamically
linked
binary
to
target
as
many
flavors
of
linux
and
architectures,
and
this
is
comparatively
advanced.
As
you
can
see
on
the
right,
there
are
number
of
functions
this
particular
malware
embedded
inside
their
rootkit
and
all
these
functions
they
could
do.
A
They
could
hide
process,
name,
tcp,
ports,
directory
names
and
file
names,
so
they
were
not
limited
to
process
names,
as
we
seen
earlier,
and
the
techniques
were
same
that
we
discussed
and
deep
reload
to
hook.
This
particular
system
calls,
and
additionally,
these
guys
use
encryption
to
hide
their
hide
their
modules,
and
this
is
a
simple
xr
encryption.
A
So
this
is
one
of
the
image
which
was
uploaded
by
kensing
operators,
and
this
is
this
is
the
this
is.
This
picture
is
shown
offered
two
cord
die
which
can
read
the
container
images
and
each
layers
and
show
what
were
the
changes
in
each
layer
and,
as
you
can
see,
it
has
a
monero
coin
miner,
which
is
being
downloaded
here
in
this
particular
layer,
and
this
particular
image
had
over
million
hit
when
we
kind
of
got
this
particular
image.
So
almost
a
million
compromises
very,
very
dram.
A
And
our
another
threat,
vector
from
kubernetes
perspective,
is
doki
and
doki
is
a
back
door,
and
this
is
a
particularly
a
binary
which
was
previously
undetected
with
and
broke
partner.
A
The
the
reason
to
mention
this
because
it
uses
a
domain
generation
algorithm
to
contact,
though
this
is
not
a
new
technique,
but
they
used
a
really
novel
djsc
in
their
operation
and
they
use
the
dodge
coin.
Api
and
dodge
coin
is,
you
may
be
familiar
with
this?
This
is
a
popular
cryptocurrency
cryptocurrency,
which
is
available
on
the
internet.
A
And
if
you
are
not
familiar
with
domain
generation
algorithms,
so
this
is
really
simple
where
attackers
malware,
which
is
running
inside
your
compromise,
cluster
and
attacker,
which
is
sitting
somewhere
on
the
internet,
has
access
to
same
seat,
which
is
date
and
time
or
currency,
pair
or
temperature
of
particular
city,
or
even
a
trending
topics
on
twitter,
and
they
will
use
that
seed
and
feed
it
to
a
pseudo
random
stream
generator
and
get
a
random
string
and
append
a
a
particular
tld
to
it.
A
Like
dot
com,
depending
on
a
day
of
the
week
or
month
of
the
year
and
and
query
that
particular
domain
and
interesting
thing
is
malware,
which
is
running
inside
your
compromised
container.
An
attacker
would
be
able
to
generate
same
disk
and
what
attacker
needs
to
do
is
just
go
ahead
and
register
one
of
one
of
the
domains
from
there
and
malware
eventually
will
be
able
to
query
and
contact
to
that
particular
domain.
A
And
here
attackers
use
the
dodge
coin
wallet,
so
they
pre
built
a
wallet
address
inside
inside
this
doki
bag
door
and
what
they
used
as
a
seed
was
last
money
spent
by
attacker.
So
whatever
the
last
transaction
amount
was
that
was
used
as
a
seat
for
this
particular
algorithm
and,
as
you
can
see
on
the
right,
this
is
the
dodge
point
function
that
they
implemented
where
they
queried
and
called
the
the
last
money
sent
by
attacker.
A
So
with
that,
let's
move
towards
mitigation
and
how
we
can
mitigate
all
these
threat
actors
that
we
discussed
right
now.
A
So
first,
first
suggestion
is
use
scratch
images,
because
if
you
use
a
scratch
image,
it
will
contain
only
dependencies
which
are
required
by
your
application
and
won't
have
any
api
to
execute
or
invoke
any
other
binary,
which
is,
let's
say,
drop
by
attacker,
and
it
may
not
even
have
the
dependencies
required
for
that
particular
executable.
A
So
this
really
helps
where
attackers
have
to
be
very
crafty
to
execute
any
executable.
If
you
can
go
a
step
further,
you
can
compile
your
binary
for
a
specific
architecture
and
link
it
statically
so
that
there
won't
be.
A
There
will
be
only
one
file
on
your
container,
which
will
be
running
and
there
is
no
way
attacker
can
drop
another
executive
bill
and
invoke
it
if,
if
you
use
this
particular
strategy-
and
this
really
mitigates
any
attack
that
we
have
seen
using
installation
using
shell
scripts
or
root
keys,
that
we
discussed
second
is
use
zero
trust
policies
to
block
access.
It
is
easier
to
block
access,
increase
access
to
couplet
and
docker
api.
A
You
can
just
implement
the
policy
for
that,
but
we
would
want
you
to
go
further
and
implement
zero
targets.
Trust
for
your
not
solved
traffic.
That
is,
that
is
possible
with
respect
to
your
kubernetes
kubernetes
clusters
and
only
white
least
necessary
flows
going
are
coming
inside
and
you
can
implement
that
same
zero.
A
Trust
for
your
east
face
traffic,
so
that
if
attacker
ends
up
compromising
your
container
or
a
particular
service,
he
won't
be
able
to
move
laterally
that
easily
and
third
thing
is
block
access
to
external
dns.
If
you
are
running
a
kubernetes
cluster,
the
only
dns
server
you
should
be
talking
to
is
a
core
dns,
and
with
that
on
the
on
the
right,
you
can
see
that
we
have
particular
solutions
in
blue.
That
is,
if
possible,
log
all
your
l7
traffic
for
or
l7
data
for
your
service.
A
A
They
can
tell
you
if
attacks
the
the
attacker
attacks
seen
by
other
members
of
the
community,
and
you
can
kind
of
if,
if
you
get
compromised
in
the
same
way
that
somebody
else
has
you
would
you
should
be
able
to
detect
that
the
next
thing
is,
you
should
be
enabling
docker
contained
press
on
your
docker
apis
so
that
only
images
signed
by
you
are
running
on
your
docker.
A
So
it
you
won't
be
able
to
run
any
publicly
available.
Docker
images,
not
just
you
attacker,
won't
be
able
to
run
any
publicly
available,
docker
images
from
unknown
sources
because
of
it
and
last
suggestion
is:
have
your
container
isolation
policy
ready.
So
when
you
suspect
a
particular
workload
behaving
suspiciously
or
there
is
an
issue
with
that,
you
can
add
that
particular
label
of
a
policy
to
that
container
and
isolated
right
away,
so
that
you
contain
the
blast
radius
for
the
issue
and
the
useful
projects
are
here
given
by
us.
A
Is
project
calico,
of
course,
to
implement
all
this
zero
trust
that
we
talked
about,
and
there
is
a
really
cool
project.
Pga
intel,
if
you
are
logging,
dns
domains
from
your
core
dns
or
within
the
kubernetes
cluster.
You
can
check
those
domains
against
this
lstm
based
deep
learning
model
to
know
if
it
was
a
dta
or
not,
and
and
that's
about
mitigation
with
respect
to
external
threat
actors
which
are
currently
targeting
kubernetes.