►
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
A
These
attackers
kind
of
try
to
find
the
misconfigured
docker
apis
kubernetes
api
to
access
available
compute
on
the
internet,
and
for
that
this
can
entire
internet
to
see
if
they
they
can
find
anything
and
once
they
find
such
misconfigured
apis,
they
do
do
they
do
get
that
initial
photo.
They
do
privilege
escalation
and
move
laterally,
and
in
some
cases
we
found
they
they
do
exploit
unpatched
cves
so
that
they
they
get
that
initial
foothold
easily.
A
So
with
that,
this
is
the
threat
matrix
for
kubernetes
from
microsoft
and,
as
you
can
see,
there
are
almost
45
techniques
listed
here
and
each
technique
can
be
used
to
compromise.
Your
container
attacker
can
do
privilege.
Escalations
can
can
can
move
laterally
within
your
containers
and
do
the
data
exfiltration
ultimately
using
this
technique.
So
today
we'll
be
focusing
on
these
initial
access
techniques
from
kubernetes
perspective.
A
A
A
And
this
is
just
a
point
in
time.
Just
before
this
webinar,
I
tried
to
see
how
many
docker
apis
are
available
and
how
many
cubelet
instances,
which
is
a
kubernetes
process
running
on
node,
is
exposed
on
internet,
and
I
almost
filed
found
500
entries
for
each
and
palo
alto
did
a
study
a
few
months
back
where
they
almost
found.
50
000
containers
publicly
accessible,
and
we
do
agree
with
that
number.
As
each
kubernetes
cluster
can
run
multiple
containers,
even
the
docker
api
can
run.
A
So
with
that
the
the
interesting
functionality
abuse
is
ld,
preload
ld
preload
is
a
linux
ability
or
linux
functionality
where,
if,
if
you
are
running
any
process
inside
a
linux-
and
you
enable
this
ld
preload
functionality,
the
binary
defined
by
ld
preload
will
be
loaded
into
that
process.
Memory
and-
and
this
will
be
enabled
globally,
so
any
process
you
run,
it
will
be
adding
the
library
or
binary
kind
of
showed
by
this
ldp
preload
parameter.
A
A
A
It's
gonna
give
you
a
list
of
processes
or
list
of
files
on
file
system
right,
so
attacker
will
be
able
to
always
hide
the
files
or
processes
it
wants.
So,
if
administrator
goes
into
a
container
and
does
what
are
the
processes
running
here,
he
won't
be
able
to
see
healthy
guard
processes,
running
or
crypto
mining
mining
processes
run
by
this
particular
malware
and.
A
And
as
we
looked
into
this
closely,
so
they
kind
of
have
all
the
symbols
already
available
inside
the
binary
they
didn't
strip
any.
So
we
were
able
to
look
at
the
code
pretty
easily,
and
here
in
the
red
box,
you
can
see
see
that
they
are
directly
making
a
call
to
a
particular
symbol
to
locate,
read
the
r64
and
and
they
are
able
to
override
the
dr-64
after
that.
Just
to
show
you
how
it
looks
like
so
at
initially
in
this.
A
This
is
a
particular
container
where
we
are
just
running
a
ps
command
and
you
can
see
there
is
a
netcat
process
which
is
running
here
and
after
that
we
just
used
ld,
preload
and
loaded
our
malicious
binary,
which
kind
of
hides
this
netcat
process.
And
after
that
we
did
this
ps
command
and,
as
you
can
see
in
the
output
below,
there
is
no
netcat
binary.
A
So
that's
how
this
particular
technique
works
and
also
team
tnt
used
already
available
part
b
red
teaming
two
and
what
this
tool
does
is
it
can
abuse
c
groups
if
you
have
a
privileged
container.
So
if
team
tnt
ends
up
breaking
into
a
privileged
container,
they
can
basically
abuse
c
group
and
run
the
commands
on
host.
A
Here
we
use
his
body
framework
and
just
did
the
hostname
command
and,
as
you
can
see
in
the
red,
this
is
the
name
of
the
host.
Rather
than
name
of
my
container
and
after
that,
we
in
in
next
red
box,
you
can
see
we
were
able
to
read
the
files
on
the
host
escaping
the
containers,
so
these
threat
actors
kind
of
here
what
we
saw
is
they
used
ready
to
use
third
party
tools
and
integrated
into
their
malware
scripts.
So
for
command
and
control.
A
They
used
teammate
and
irc
as
a
cd
startups
and
as
we
talked,
they
use
ld
preload
technique
using
lead
process,
hider
and
bot
b
and
p
periods
for
container
breakout
and
credential
harvesting
and
for
dns
monitoring
bypass.
They
simply
override
the
adc
host
file
and
they
have
a
lot
of
scripts
to
scan
the
internet
so
that
they
could
expand
their
presence
once
they
compromised
your
infrastructure
and
the
intent
seemed
to
be
the
same
as
we
discussed
earlier,
a
monero
coin
mining.
A
So
this
is
the
these:
are
the
basic
capabilities
of
this
particular
thread
actors?
So,
let's
move
on
to
next
one.
This
is
skincing,
so
kinzing
targeted
the
docker
api
and
we
didn't
see
that
kingston
upgraded
and
targeted
kubernetes
api,
but
it
used
another
interesting
technique
where
it
kind
of
uploaded
its
images
to
public
infrastructure
that
is
docker
repository
and
and
users.
I
think
at
some
point
there
were
millions
of
users
which
were
pulling
down
images
uploaded
by
them,
and
this
this
is
in.
A
So
when
we
looked
at
this
particular
malware's
root
kit
closely,
it
was
similar
to
tim
tnt's.
They
use
dynamically
linked
binary
to
target
as
many
flavors
of
linux
and
architectures,
and
this
is
comparatively
advanced.
As
you
can
see
on
the
right,
there
are
number
of
functions
this
particular
malware
embedded
inside
their
rootkit
and
all
these
functions
they
could
do.
A
They
could
hide
process,
name,
tcp,
ports,
directory
names
and
file
names,
so
they
were
not
limited
to
process
names,
as
we
seen
earlier,
and
the
techniques
were
same
that
we
discussed
and
deep
reload
to
hook.
This
particular
system
calls,
and
additionally,
these
guys
use
encryption
to
hide
their
hide
their
modules,
and
this
is
a
simple
xr
encryption.
A
So
this
is
one
of
the
image
which
was
uploaded
by
kensing
operators,
and
this
is
this
is
the
this
is.
This
picture
is
shown
offered
two
cord
die
which
can
read
the
container
images
and
each
layers
and
show
what
were
the
changes
in
each
layer
and,
as
you
can
see,
it
has
a
monero
coin
miner,
which
is
being
downloaded
here
in
this
particular
layer,
and
this
particular
image
had
over
million
hit
when
we
kind
of
got
this
particular
image.
So
almost
a
million
compromises
very,
very
dram.
A
The
the
reason
to
mention
this
because
it
uses
a
domain
generation
algorithm
to
contact,
though
this
is
not
a
new
technique,
but
they
used
a
really
novel
djsc
in
their
operation
and
they
use
the
dodge
coin.
Api
and
dodge
coin
is,
you
may
be
familiar
with
this?
This
is
a
popular
cryptocurrency
cryptocurrency,
which
is
available
on
the
internet.
A
Like
dot
com,
depending
on
a
day
of
the
week
or
month
of
the
year
and
and
query
that
particular
domain
and
interesting
thing
is
malware,
which
is
running
inside
your
compromised
container.
An
attacker
would
be
able
to
generate
same
disk
and
what
attacker
needs
to
do
is
just
go
ahead
and
register
one
of
one
of
the
domains
from
there
and
malware
eventually
will
be
able
to
query
and
contact
to
that
particular
domain.
A
And
here
attackers
use
the
dodge
coin
wallet,
so
they
pre
built
a
wallet
address
inside
inside
this
doki
bag
door
and
what
they
used
as
a
seed
was
last
money
spent
by
attacker.
So
whatever
the
last
transaction
amount
was
that
was
used
as
a
seat
for
this
particular
algorithm
and,
as
you
can
see
on
the
right,
this
is
the
dodge
point
function
that
they
implemented
where
they
queried
and
called
the
the
last
money
sent
by
attacker.
A
A
There
will
be
only
one
file
on
your
container,
which
will
be
running
and
there
is
no
way
attacker
can
drop
another
executive
bill
and
invoke
it
if,
if
you
use
this
particular
strategy-
and
this
really
mitigates
any
attack
that
we
have
seen
using
installation
using
shell
scripts
or
root
keys,
that
we
discussed
second
is
use
zero
trust
policies
to
block
access.
It
is
easier
to
block
access,
increase
access
to
couplet
and
docker
api.
A
You
can
just
implement
the
policy
for
that,
but
we
would
want
you
to
go
further
and
implement
zero
targets.
Trust
for
your
not
solved
traffic.
That
is,
that
is
possible
with
respect
to
your
kubernetes
kubernetes
clusters
and
only
white
least
necessary
flows
going
are
coming
inside
and
you
can
implement
that
same
zero.
A
Trust
for
your
east
face
traffic,
so
that
if
attacker
ends
up
compromising
your
container
or
a
particular
service,
he
won't
be
able
to
move
laterally
that
easily
and
third
thing
is
block
access
to
external
dns.
If
you
are
running
a
kubernetes
cluster,
the
only
dns
server
you
should
be
talking
to
is
a
core
dns,
and
with
that
on
the
on
the
right,
you
can
see
that
we
have
particular
solutions
in
blue.
That
is,
if
possible,
log
all
your
l7
traffic
for
or
l7
data
for
your
service.
A
So
it
you
won't
be
able
to
run
any
publicly
available.
Docker
images,
not
just
you
attacker,
won't
be
able
to
run
any
publicly
available,
docker
images
from
unknown
sources
because
of
it
and
last
suggestion
is:
have
your
container
isolation
policy
ready.
So
when
you
suspect
a
particular
workload
behaving
suspiciously
or
there
is
an
issue
with
that,
you
can
add
that
particular
label
of
a
policy
to
that
container
and
isolated
right
away,
so
that
you
contain
the
blast
radius
for
the
issue
and
the
useful
projects
are
here
given
by
us.
A
Is
project
calico,
of
course,
to
implement
all
this
zero
trust
that
we
talked
about,
and
there
is
a
really
cool
project.
Pga
intel,
if
you
are
logging,
dns
domains
from
your
core
dns
or
within
the
kubernetes
cluster.
You
can
check
those
domains
against
this
lstm
based
deep
learning
model
to
know
if
it
was
a
dta
or
not,
and
and
that's
about
mitigation
with
respect
to
external
threat
actors
which
are
currently
targeting
kubernetes.