The Gafgyt malware attack begins with the exploitation of misconfigured Docker Remote API servers, allowing attackers to gain initial access and deploy malicious containers. BlueRock's Container Capability Control effectively mitigates this step by ensuring that only containers with specified capabilities are permitted to run, thereby preventing the deployment of unauthorized or malicious containers like those used in the Gafgyt attack. Once the container is deployed, the attacker attempts to escalate privileges by using 'chroot' and 'bind' to mount the host's root directory, potentially gaining control over the host system. BlueRock's Container Runtime Socket Protection (Available 2024 Dec) further secures this environment by restricting container capabilities, thus preventing unauthorized access to the host's filesystem and thwarting privilege escalation attempts. These mechanisms collectively ensure that the deployment and execution of malicious containers are effectively controlled and monitored, significantly reducing the risk of such attacks.

• T1133: External Remote Services: The attackers targeted misconfigured Docker Remote API servers to spread the Gafgyt malware. This indicates that the attackers gained initial access through exploiting external remote services that were improperly secured, allowing them to connect to and manipulate these services remotely.
• T1610: Deploy Container: The attackers deployed the Gafgyt malware by creating a Docker container using a legitimate 'alpine' docker image. This shows the use of the 'Deploy Container' technique, where the attacker utilizes containerization to execute their malicious payload.
• T1611: Escape to Host: The article mentions that the attacker used 'chroot' and 'Binds' to mount the host's root directory to the /mnt directory inside the container. This allowed the container to access and modify the host's filesystem, representing a privilege escalation through escaping the container to the host.
• T1059.004: Command and Scripting Interpreter: Unix Shell: The attackers downloaded the Gafgyt botnet binary as a file named 'rbot' and executed it. This action is an example of using a command and scripting interpreter, specifically a Unix shell, to execute commands on the compromised system.
• T1105: Ingress Tool Transfer: The article describes the attacker downloading the Gafgyt botnet binary from a remote location to the Docker container. This process involves transferring tools or payloads into a compromised environment, aligning with the 'Ingress Tool Transfer' technique.
• T1071: Application Layer Protocol: The Gafgyt malware communicates with a command-and-control server using hardcoded IP addresses and ports. This is indicative of the 'Application Layer Protocol' technique, where malware uses standard protocols to communicate with its C2 infrastructure.
• T1016: System Network Configuration Discovery: The Gafgyt malware performs a network discovery action by determining the local IP address of the victim host using Google's DNS server. This aligns with the 'System Network Configuration Discovery' technique, where the malware gathers information about the network interfaces and configurations.
• T1498: Network Denial of Service: The primary impact of the Gafgyt malware deployment is launching distributed denial-of-service (DDoS) attacks using various protocols like UDP, TCP, and HTTP. This represents the 'Network Denial of Service' technique, where the goal is to disrupt the availability of targeted systems or networks.

In the Earth Estries cyber intrusion campaign, the attackers initially exploited public-facing server vulnerabilities to gain access to Linux servers, deploying the MASOL RAT for persistent access. Once inside, they utilized the MASOL RAT to maintain a foothold within the compromised systems, targeting Southeast Asian government networks. BlueRock's Container Drift Protection (Binaries & Scripts) effectively mitigates this threat by ensuring that only authorized binaries and scripts from the original container image are allowed to execute. This mechanism prevents unauthorized modifications to system processes, thereby blocking the execution of malicious payloads like MASOL RAT, and maintaining the integrity of the server environment.

• T1190: Exploit Public-Facing Application: The Earth Estries group exploits public-facing server vulnerabilities to establish initial access. The article specifically mentions 'Earth Estries is aggressively targeting the public-facing servers of victims' and lists vulnerabilities like Ivanti Connect Secure VPN Exploitation, Fortinet FortiClient EMS SQL Injection, and ProxyLogon. This aligns with the MITRE ATT&CK technique for Exploit Public-Facing Application (T1190).
• T1021: Remote Services: After gaining initial access, the attackers used living-off-the-land binaries (LOLBINs) such as WMIC.exe and PSEXEC.exe for lateral movement within networks. This is described in the article as 'After gaining control of the vulnerable server, we observed that the attackers leveraged living-off-the-land binaries (LOLBINs) like WMIC.exe and PSEXEC.exe for lateral movement.' This corresponds to the MITRE ATT&CK technique for Lateral Movement via Remote Services (T1021).
• T1071: Application Layer Protocol: The Earth Estries group deploys malware like SNAPPYBEE, DEMODEX, and GHOSTSPIDER for espionage. The article mentions 'deployed customized malware such as SNAPPYBEE, DEMODEX, and GHOSTSPIDER to conduct long-term espionage activities.' This indicates the use of malware to maintain persistence and conduct operations, aligning with the MITRE ATT&CK technique for Command and Control via Application Layer Protocol (T1071).
• T1090.003: Proxy: Multi-hop Proxy: The attackers used a complex C&C infrastructure, which suggests sophisticated Command and Control operations. The article notes 'Earth Estries uses a complex C&C infrastructure managed by different teams,' which aligns with the MITRE ATT&CK technique for Multi-hop Proxy (T1090.003).
• T1014: Rootkit: The use of the DEMODEX rootkit by Earth Estries for long-term persistence is highlighted in the article: 'We found that they implanted the DEMODEX rootkit on vendor machines.' This corresponds to the MITRE ATT&CK technique for Rootkit (T1014).
• T1505.002: Server Software Component: Transport Agent: The Earth Estries group uses backdoors like GHOSTSPIDER, SNAPPYBEE, and MASOL RAT for persistent access. The article describes 'A key finding from our recent investigation is the discovery of a new backdoor, GHOSTSPIDER,' indicating the use of backdoors for persistence, aligning with the MITRE ATT&CK technique for Implant Internal Image (T1505.002).
• T1574.001: Hijack Execution Flow: DLL Search Order Hijacking: The attackers use 'DLL search order hijacking' as part of their GHOSTSPIDER infection flow, as noted in 'On the infected endpoint, the threat actor deploys a legitimate executable file alongside a malicious DLL file for DLL search order hijacking.' This aligns with the MITRE ATT&CK technique for Hijack Execution Flow: DLL Search Order Hijacking (T1574.001).
• T1059.001: Command and Scripting Interpreter: PowerShell: The attackers' use of PowerShell scripts for initial infection is described in the article: 'the attackers used another variant of DEMODEX... the first-stage PowerShell script requires a decryption key as an argument.' This corresponds to the MITRE ATT&CK technique for Scripting (T1059.001).

In the attack described, the vulnerability CVE-2024-47208 in Apache OFBiz allows attackers to exploit Groovy expressions through URL manipulation, leading to remote code execution. This is achieved by combining Server-Side Request Forgery (SSRF) and Code Injection flaws, enabling attackers to execute arbitrary code on the server. BlueRock's Container Memory Namespace Isolation mechanism effectively mitigates this threat by ensuring that the physical memory used by user-space applications is strongly isolated. This isolation prevents applications in one namespace from accessing memory in another, thereby thwarting any attempts at privilege escalation that could arise from such code execution vulnerabilities.

• T1203: Exploitation for Client Execution: The article describes how CVE-2024-47208 allows attackers to inject Groovy expressions through manipulated URLs, leading to remote code execution. This indicates the use of 'Exploitation for Client Execution' as attackers are exploiting the vulnerability to execute arbitrary code on the server. The relevant text is: 'This vulnerability stems from OFBiz’s handling of URLs, which allows remote attackers to inject Groovy expressions. By manipulating specific URLs, malicious actors can trigger the execution of arbitrary code on the server.'
• T1189: Drive-by Compromise: The article also mentions that CVE-2024-47208 involves a combination of Server-Side Request Forgery (SSRF) and Code Injection. SSRF is being used to access internal systems and services by exploiting how the server processes URLs. The relevant text is: 'This vulnerability arises from a combination of Server-Side Request Forgery (SSRF) and Code Injection flaws.'
• T1649: Steal or Forge Authentication Certificates: For CVE-2024-48962, the article explains that attackers can bypass SameSite protections to conduct Cross-Site Request Forgery (CSRF) attacks. This indicates the use of 'Cross-Site Request Forgery' where attackers craft malicious requests that appear to originate from the victim’s browser. The relevant text is: 'By exploiting this flaw, attackers can craft malicious requests that appear to originate from the victim’s browser, potentially leading to unauthorized actions and data breaches.'
• T1221: Template Injection: The article also mentions improper neutralization of special elements within OFBiz’s template engine as part of CVE-2024-48962. This points to 'Template Injection' where attackers inject malicious code into templates. The relevant text is: 'This vulnerability involves a combination of Code Injection, CSRF, and improper neutralization of special elements within OFBiz’s template engine.'

‍

The attacker began by exploiting exposed Docker daemons (T1190) using a script called "Docker Gatling Gun," deploying a container with malicious commands (T1059). Container Drift Protection (Binaries & Scripts) prevents the execution of unauthorized binaries and scripts, thus mitigating the deployment of the malicious container. Subsequently, the attacker used Sliver malware (T1211) for command and control (T1071.004, T1090), and to execute further commands (T1059). Container Drift Protection (Binaries & Scripts) again plays a crucial role by preventing the execution of any unauthorized binaries or scripts introduced by the malware. Finally, the attacker leveraged compromised Docker instances in a Docker Swarm (T1578.002) for persistence and to hijack resources (T1496) for cryptomining.

• T1190: Exploit Public-Facing Application: The attack gains initial access by exploiting exposed Docker daemons on ports 2375, 2376, 4243, and 4244. This is a well-known technique used to compromise systems that have publicly accessible services.
• T1059: Command and Scripting Interpreter: The initial script, TDGGinit.sh, is executed on compromised systems to launch subsequent malicious actions.
• T1578.002: Modify Cloud Compute Infrastructure: Create Cloud Instance: TeamTNT appends compromised Docker instances to a Docker Swarm, allowing them to persist in the environment as part of a larger cluster, ensuring continued access and control.
• T1211: Exploitation for Defense Evasion: TeamTNT uses Sliver malware, which replaces their previous Tsunami malware. Sliver is harder to detect and evades traditional detection methods by dynamically compiling with per-binary encryption keys.
• T1036: Masquerading: TeamTNT uses names like Chimaera and other familiar naming conventions to evade detection by masquerading as legitimate processes or infrastructure.
• T1014: Rootkit: We found the prochider rootkit ready to deploy in TeamTNT’s download server. They are known to use this in the past.
• T1552: Unsecured Credentials: TeamTNT deploys local searches for keys and credentials, such as SSH, cloud metadata server calls, etc., once they gain access.
• T1046: Network Service Discovery: TeamTNT uses tools like Masscan to aggressively scan the internet for exposed Docker daemons and other vulnerable systems, identifying additional targets.
• T1018: Remote System Discovery: The campaign involves local network scanning to find additional systems that can be compromised.
• T1102.001: Web Service: Dead Drop Resolver: TeamTNT uses Docker Hub and web servers as part of their infrastructure to store and distribute malware and to manage infected systems.
• T1071.004: Application Layer Protocol: DNS: TeamTNT’s use of Sliver malware supports DNS for Command and Control (C2) communication, in addition to HTTP(S) and mTLS.
• T1090: Proxy: Sliver supports WireGuard and other proxy techniques to tunnel C2 communications through legitimate channels, bypassing detection.
• T1496: Resource Hijacking: Running a cryptominer as part of the campaign or selling the computational power of their victims.

‍

The attack on exposed Docker Remote API servers began with the attackers probing for these vulnerable services, which allowed them to gain initial access. BlueRock's Container Capability Control effectively mitigates this step by securing external-facing remote services, preventing unauthorized access. Once access was gained, the attackers deployed a Docker container using a specific image, and executed a Base64 encoded payload. The payload attempted to escape the container using the 'nsenter' command to access the host's namespaces. BlueRock's Namespace Execution Guard is designed to prevent such container escape attempts, ensuring that even if a container is compromised, the host remains secure. These mechanisms collectively enhance the security posture against such sophisticated attacks by controlling container capabilities and preventing unauthorized namespace execution.

• T1133: External Remote Services: The attackers began their campaign by probing for exposed Docker Remote API servers. This technique is consistent with leveraging exposed remote services to gain initial access.
• T1610: Deploy Container: Once the attackers confirmed the presence of the Docker Remote API server, they created a Docker container using a specific image from Docker Hub. This technique involves deploying a container to execute further actions.
• T1059.004: Command and Scripting Interpreter: Unix Shell: After creating the Docker container, the attackers executed a Base64 encoded payload using the Docker Exec API. This technique involves using a command and scripting interpreter to execute malicious commands.
• T1611: Escape to Host: The payload attempted to escape the container by using the 'nsenter' command to enter the host's namespaces, which is indicative of a container escape technique.
• T1543.002: Create or Modify System Process: Systemd Service: The attackers created a systemd service for persistence if systemd was running in non-offline mode. This technique involves creating or modifying system processes to maintain persistence.
• T1053.003: Scheduled Task/Job: Cron: As a fallback persistence mechanism, the attackers set up a cron job, which is another method of maintaining persistence through scheduled tasks.
• T1036.005: Masquerading: Match Legitimate Name or Location: To avoid detection, the attackers named the container 'kube-edagent' to masquerade as a legitimate container, matching legitimate names or locations.
• T1082: System Information Discovery: The attackers gathered system information by checking for multiple running processes and active TCP connections, which is indicative of system information discovery.
• T1132.001: Data Encoding: Standard Encoding: The payload included a Base64 encoded shell script, which is a form of standard data encoding used to obfuscate the malicious commands.
• T1105: Ingress Tool Transfer: The attackers downloaded a malicious binary disguised as a PHP extension using a custom function, which is consistent with ingress tool transfer.

‍

The attack on CVE-2023-52447 begins with the exploitation of a use-after-free vulnerability in the Linux kernel's BPF subsystem, which is leveraged to orchestrate a race condition between two threads. This allows the attacker to modify kernel data structures, such as 'core_pattern', to achieve container escape. BlueRock's Core Pattern String Protection effectively mitigates this step by safeguarding the 'core_pattern' data structure from unauthorized modifications, thereby preventing the attacker from altering it to escape the container environment. This mechanism ensures that even if the vulnerability is exploited, the critical kernel data structures remain protected, maintaining the integrity of the container isolation.

• T1068: Exploitation for Privilege Escalation: The article describes a use-after-free vulnerability in the Linux kernel’s BPF subsystem, which can be exploited by orchestrating a race condition between two threads. This falls under the category of 'Exploitation for Privilege Escalation' as the attacker leverages the vulnerability to escape container isolation.
• T1190: Exploit Public-Facing Application: The article mentions that the PoC exploit is available on GitHub, which implies that the attackers could potentially use publicly available exploit code to achieve their objectives. This aligns with 'Exploit Public-Facing Application' where the attacker uses an existing exploit.
• T1611: Escape to Host: The vulnerability allows an attacker to modify kernel data structures, such as 'core_pattern', to achieve container escape. This involves manipulating the underlying system to gain higher privileges or escape restricted environments, which fits 'Escape to Host' technique.

‍

The attack initiated with the exploitation of a vulnerability in RocketMQ, allowing unauthorized command execution to gain initial access. BlueRock's Container Drift Protection (Binaries & Scripts) effectively mitigates this by preventing unauthorized executables and scripts from running, ensuring that only pre-approved binaries are executed. Once inside, the malware downloaded its main payload, which was then copied to a new location in the '/tmp' directory, a behavior characteristic of process masquerading. BlueRock's Linux/Host Drift Protection would detect such unauthorized changes to the system's file structure, alerting administrators to potential threats. The malware also employed rootkits to hide its presence and maintain persistence. BlueRock's Reverse Shell Protection prevents unauthorized attempts to bind shell input and output streams to network sockets, thereby blocking the malware's efforts to establish a backdoor for remote access. By leveraging these mechanisms, BlueRock provides comprehensive protection against the sophisticated tactics employed by the perfctl malware, ensuring system integrity and security.

• T1190: Exploit Public-Facing Application: The attack began with the exploitation of a vulnerability in RocketMQ (CVE-2023-33246), which allowed unauthorized command execution. This facilitated the initial access to the system.
• T1105: Ingress Tool Transfer: The malware then downloaded the main payload from an HTTP server controlled by the attacker, which is indicative of the use of a malicious download for initial infection.
• T1055.012: Process Injection: Process Hollowing: After downloading, the malware copied itself from memory to a new location in the '/tmp' directory, terminated the original process, and deleted the initial binary to cover its tracks. This behavior is characteristic of process injection and process masquerading.
• T1014: Rootkit: The malware employed rootkits to hide its presence, modifying the behavior of authentication mechanisms and preventing the recording of network traffic. This indicates the use of kernel module and user land rootkits.
• T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: To maintain persistence, the malware modified the ~/.profile script to execute itself during user login and copied itself to multiple locations with deceptive names.
• T1573.001: Encrypted Channel: Symmetric Cryptography: The malware utilized a Unix socket for internal communication and TOR for external communication, indicating the use of encrypted channels to evade network defenses.
• T1068: Exploitation for Privilege Escalation: For privilege escalation, the malware attempted to exploit the Polkit vulnerability (CVE-2021-4034).
• T1496: Resource Hijacking: The malware dropped a cryptominer and proxy-jacking software, indicating resource hijacking and unauthorized use of system resources.
• T1219: Remote Access Software: The malware opened a backdoor on the server and listened for TOR communications, which is indicative of the creation of a remote access tool (RAT).
• T1070.004: Indicator Removal: File Deletion: The malware deleted its binary after execution to avoid detection, which is a technique for defense evasion.
• T1071.001: Application Layer Protocol: Web Protocols: The malware used environment variables to store data that further affected its execution and behavior, showing an attempt to maintain persistence and evade detection.
• T1562.001: Impair Defenses: Disable or Modify Tools: The malware employed various methods to detect and terminate any competing malware, ensuring it maintained control over the infected system.
• T1027: Obfuscated Files or Information: The attacker utilized packed, stripped, and encrypted binaries to bypass defense mechanisms and hinder reverse engineering attempts.
• T1562.001: Impair Defenses: Disable or Modify Tools: The malware monitored for new user logins and suspended its activity to avoid detection, indicating the use of evasion techniques based on user activity.

‍

The attacker begins by exploiting the vulnerability in the nft_set_rbtree function of the Linux kernel, sending a specially crafted request to trigger a use-after-free condition. Following this, the attacker leverages the use-after-free condition to escalate privileges by modifying process credentials. BlueRock's Process Credential Protection is crucial here, as it prevents unauthorized privilege escalation by blocking attempts to overwrite process credentials with high-privileged values. Without BlueRock, the attacker attempts to gain full control over the system by chaining the initial exploit with subsequent attacks.

• T1190: Exploit Public-Facing Application: The attacker begins by exploiting a vulnerability within the Linux kernel, specifically targeting the nft_set_rbtree function. This function is responsible for managing sets in nftables. The vulnerability allows local authenticated attackers to obtain sensitive information by sending a specially crafted request. This corresponds to the technique of Exploiting Public-Facing Application.
• T1068: Exploitation for Privilege Escalation: Once the attacker has successfully triggered the vulnerability, they exploit the use-after-free condition in the nft_rbtree_gc_elem function. This condition occurs because the function lacks a crucial check, leading to memory that has been deallocated being inadvertently accessed. This can be classified under Exploitation for Privilege Escalation.
• T1005: Data from Local System: The attacker leverages the leaked information from the initial exploit to craft further attacks. By inserting a set element with specific flags and triggering an error condition, they cause a double deletion of a set element. This is a classic example of leveraging information disclosure to further exploit a system, aligning with Data from Local System.
• T1078: Valid Accounts: The attacker then escalates their privileges to root level by chaining the initial exploit with subsequent attacks. This allows them to gain full control over the affected system, fitting the technique of Privilege Escalation.

‍

The sedexp malware begins its attack by exploiting udev rules to maintain persistence on a Linux system. This allows the malware to execute malicious scripts whenever specific device events occur, such as when the /dev/random device is loaded. BlueRock's Container Drift Protection (Binaries & Scripts) can mitigate this by preventing unauthorized executables and scripts from running, ensuring that only binaries present in the original container image are executed. The malware also provides reverse shell capabilities, allowing attackers to maintain control over the compromised system. BlueRock's Reverse Shell Protection effectively counters this by blocking unauthorized attempts to bind shell input and output streams to network sockets, thus preventing reverse shell attacks. Additionally, the malware's potential to escape from a containerized environment is mitigated by BlueRock's Container Capability Control, which restricts container capabilities to prevent actions that could lead to container escapes, such as mounting the host filesystem or executing privileged commands. These mechanisms collectively enhance the security posture against the sophisticated tactics employed by sedexp.

• T1547.010: Boot or Logon Autostart Execution: Port Monitors: The initial compromise of the system is not explicitly described, but the article implies that the malware was able to get onto the system. This could have been through various means, but since it's not detailed, we start with the first clear technique: the malware achieving persistence through udev rules. 'Sedexp utilizes udev rules to maintain persistence.'
• T1053.005: Scheduled Task/Job: Scheduled Task: The udev rule ensures that the malware is run whenever /dev/random is loaded, which happens on every system reboot. 'This rule ensures that the malware is run whenever /dev/random is loaded. /dev/random is a special file that serves as a random number generator, used by various system processes and applications to obtain entropy for cryptographic operations, secure communications, and other functions requiring randomness.'
• T1219: Remote Access Software: The malware includes a reverse shell capability, allowing the attacker to maintain control over the compromised system. 'Reverse Shell Capability: It includes a reverse shell, allowing the threat actor to maintain control over the compromised system.'
• T1564.001: Hide Artifacts: Hidden Files and Directories: The malware modifies memory to hide any file containing the string 'sedexp' from commands like ls or find. 'Memory Modification for Stealth: The malware modifies memory to hide any file containing the string "sedexp" from commands like ls or find.'
• T1036.004: Masquerading: Masquerade Task or Service: The malware manipulates arguments to obfuscate its presence and changes the process name to blend in with legitimate system processes. 'Memory Allocation and Argument Handling: The malware manipulates arguments to obfuscate its presence. It changes the process name to kdevtmpfs using prctl to blend in with legitimate system processes.'
• T1547.010: Boot or Logon Autostart Execution: Port Monitors: The malware sets up persistence by copying itself to a specific location and creating a udev rule. 'Persistence Setup: The malware sets up persistence by copying itself to a specific location and creating a udev rule.'
• T1110.001: Brute Force: Password Guessing: The malware was used to hide credit card scraping code on a webserver, indicating a focus on financial gain. 'Credit Card Scraping: The malware was used to hide credit card scraping code on a webserver, indicating a focus on financial gain.'
• T1611: Escape to Host: The malware could theoretically be used to escape outside of a containerized workload.

‍

The Gafgyt malware variant begins its attack by brute-forcing weak SSH passwords to gain initial access to target machines. BlueRock's SSH Deep Auth & SSH Least Privilege mechanism effectively mitigates this step by enforcing strong authentication practices and limiting SSH access to only necessary users, thereby reducing the attack surface. Once access is gained, the attacker executes shell commands to prepare the server for further exploitation. Here, BlueRock's Container Drift Protection (Binaries & Scripts) comes into play by preventing unauthorized executables and scripts from running, thus blocking the execution of malicious binaries that are not part of the original container image. This mechanism ensures that any attempt to execute unauthorized code is thwarted, protecting the system from further compromise.

• T1110.001: Brute Force: Password Guessing: The attacker initially gained access to the target machine by brute forcing SSH credentials, which were weak. This is evident from the statement: 'In this attack we see a successful brute force attempt on our SSH honeypot which is configured with a very weak password.'
• T1059.004: Command and Scripting Interpreter: Unix Shell: Once access was gained, the attacker executed shell commands to inspect and prepare the server. This is shown in the article: 'Once access is gained a few commands to inspect and prepare the server are executed.'
• T1082: System Information Discovery: The attacker conducted system discovery to check if the machine was already infected and to identify any competing malware. This is highlighted by: 'A few checks are conducted mainly to determine if the machine has already been infected by this variant of Gafgyt and to check if another malware is running and if so to kill it.'
• T1055.001: Process Injection: Dynamic-link Library Injection: The attacker used two binaries that were executed in memory to avoid detection, as indicated by: 'Next the two binaries are executed in memory.'
• T1496: Resource Hijacking: The attacker executed a cryptomining operation using the XMRIG cryptominer, as described: 'Executing the cryptominer: Figure 4: Executing the XMRIG cryptominer.'
• T1490: Inhibit System Recovery: The attacker modified system configurations to optimize performance and security, such as altering the /etc/sysctl.conf file. This is noted in: 'Configuration alteration: Figure 6: Modifying configurations /etc/sysctl.conf.'
• T1070.003: Indicator Removal: Clear Command History: The attacker deleted history and log files to evade detection, as indicated by: 'Lastly history and logs files are deleted to evade detection.'
• T1036.005: Masquerading: Match Legitimate Name or Location: The attacker used masquerading techniques to make their binaries appear as legitimate system components, as noted: 'The names of these binaries indicate that the threat actors are putting emphasis on defense evasion as these names are masquerading as legitimate components related to the Linux operating system environment.'
• T1105: Ingress Tool Transfer: The attacker downloaded a brute force configuration file from a command and control (C2) server, as shown: 'The function backgroundlogic in the malware is set to download from the threat actor’s server (at 107.189.5.210) the file 1.txt, which is a brute force configuration file containing 179 sets of users and passwords.'

‍

The attack on the Argo CD Kubernetes controller begins with the exploitation of elevated permissions, allowing the attacker to manipulate the Redis caching server, which lacks password protection. This manipulation enables the attacker to alter application state manifests and trick Argo CD into accepting malicious updates. As the attacker deploys malicious pods with high privileges, BlueRock's Container Capability Control mechanism ensures that only containers with specified capabilities are allowed to run, effectively preventing the deployment of these potentially harmful containers. Furthermore, the attacker attempts to execute code on the host node by deploying a privileged pod. Here, BlueRock's Reverse Shell Protection mechanism comes into play by preventing unauthorized attempts to bind shell input and output streams to network sockets, thereby mitigating the risk of reverse shell attacks. These mechanisms collectively safeguard the Kubernetes environment from unauthorized container deployments and malicious script executions, maintaining the integrity and security of the cluster.

• T1068: Exploitation for Privilege Escalation: The article mentions that the attacker exploits the elevated permissions of the Argo CD server to escalate their privileges and potentially take control of the Kubernetes cluster. This indicates the use of privilege escalation techniques.
• T1600.001: Weaken Encryption: Reduce Key Space: The attacker manipulates the data stored in Argo CD’s Redis caching server, which lacks password protection. This involves altering application state manifests stored in the Redis server to exploit the system. This describes a manipulation of application state and configuration data.
• T1059: Command and Scripting Interpreter: The attacker uses the Argo CD server’s elevated permissions to deploy malicious pods with high privileges, which can execute code on the host node and access sensitive information. This demonstrates the use of deploying malicious code or scripts.
• T1114.002: Email Collection: Remote Email Collection: The attacker recalculates the hash for the manipulated manifest without a secret key, allowing them to modify the manifest data and present it as legitimate. This is indicative of the use of hashing algorithms to bypass integrity checks.
• T1610: Deploy Container: The attacker creates a low-privilege pod in another namespace to simulate a compromised pod within the cluster. This is a form of creating and using a container for malicious purposes.
• T1560.002: Archive Collected Data: Archive via Library: The attacker uses a Go program to decompress gzipped contents in the Redis server to uncover cached information about the applications managed by Argo CD, including their manifests and details about the Kubernetes cluster. This involves extracting and analyzing compressed data.
• T1057: Process Discovery: The attacker uses Redis profiler to observe interactions between pods and the Redis server to understand how application behavior is affected. This is a form of gathering information through monitoring and profiling.
• T1535: Unused/Unsupported Cloud Regions: The attacker modifies the application manifest in Redis and successfully deploys a privileged pod, which allows them to escalate privileges and execute code on the host node. This involves the manipulation of cloud infrastructure.
• T1021.004: Remote Services: SSH: The attacker adds their public SSH key to the node’s authorized keys, allowing them to connect to the node with an SSH shell. This is indicative of the use of SSH for remote access.

‍

In the attack described, the adversaries began by uploading a malicious PyTorch model to Hugging Face's platform, exploiting the unsafe Pickle format to execute arbitrary code. This step was effectively mitigated by BlueRock's Reverse Shell Protection, which prevents unauthorized attempts to bind shell input and output streams to network sockets, thereby blocking reverse shell attacks initiated by the malicious model. Following this, the attackers escalated their privileges by querying the node’s IMDS, obtaining the role of a Node inside the EKS cluster. BlueRock's Cloud IMDS Firewall (AWS) would have mitigated this step by restricting access to the Instance Metadata Service, preventing the attackers from exploiting cloud instance metadata for privilege escalation. These mechanisms together provide a robust defense against the described attack vectors, ensuring that malicious code execution and unauthorized privilege escalation are effectively thwarted.

• T1204.002: User Execution: Malicious File: The article mentions that Wiz Research was able to compromise the service running the custom models by uploading their own malicious model and leveraging container escape techniques to break out from their tenant and compromise the entire service. This implies the use of 'User Execution: Malicious File' as the attackers uploaded a specially crafted malicious file (the model) to achieve their goals.
• T1059: Command and Scripting Interpreter: The article explains that the malicious model could contain a remote code execution payload, potentially granting the attacker escalated privileges and cross-tenant access to other customers' models. This indicates the use of 'Execution: Command and Scripting Interpreter' as the attackers used the Pickle format to execute arbitrary code.
• T1210: Exploitation of Remote Services: Wiz Research was able to gain cross-tenant access to other customers' models stored and run in Hugging Face. This demonstrates the use of 'Lateral Movement: Exploitation of Remote Services' as the attackers moved laterally within the environment by exploiting the shared infrastructure.
• T1195: Supply Chain Compromise: The attackers used a specially crafted Pickle file to achieve remote code execution upon deserialization of untrusted data. This represents 'Initial Access: Supply Chain Compromise' as the attackers compromised the supply chain by injecting malicious code into the AI models.
• T1552.005: Unsecured Credentials: Cloud Instance Metadata API: After gaining initial access, the attackers escalated their privileges by querying the node’s IMDS and obtaining the role of a Node inside the EKS cluster. This corresponds to 'Privilege Escalation: Cloud Instance Metadata API' as they used the cloud instance metadata API to escalate privileges.
• T1526: Cloud Service Discovery: The article describes how the attackers listed all pods in the cluster with their new token, which shows 'Discovery: Cloud Service Discovery' as they enumerated cloud resources to understand the environment.
• T1552: Unsecured Credentials: The attackers were able to obtain secrets associated with their pod, enabling lateral movement within the EKS cluster. This indicates 'Credential Access: Unsecured Credentials' as they accessed sensitive credentials stored within the environment.
• T1609: Container Administration Command: The attackers used a Dockerfile with a malicious payload to gain code execution in the Hugging Face Spaces service. This is an example of 'Execution: Container Administration Command' as they used container commands to execute their payload.
• T1610: Deploy Container: The article describes how the attackers exploited a network isolation issue to write to the centralized container registry, indicating 'Persistence: Container Image' as they manipulated container images to maintain access.

‍

The "Leaky Vessels" vulnerabilities in Docker and runc allow attackers to escape from containers and gain unauthorized access to the host operating system. This is achieved through a container breakout technique, exploiting vulnerabilities in the container runtime. BlueRock's Container Capability Control effectively mitigates this threat by controlling the capabilities assigned to containers, thereby reducing the risk of unauthorized access to the host. Additionally, the exploitation of the runc vulnerability involves using a malicious image or Dockerfile to achieve privilege escalation. BlueRock's Container Runtime Drift Protection (Available 2024 Dec) provides protection against unauthorized changes to the container runtime environment, ensuring that the runtime state remains consistent with the expected configuration, thus preventing privilege escalation attempts. These mechanisms collectively help secure container environments against such vulnerabilities.

• T1611: Escape to Host: The article describes how the vulnerabilities, dubbed 'Leaky Vessels', allow an attacker to escape from a Docker container to the underlying host operating system. This indicates the use of a container breakout technique, specifically exploiting a vulnerability in the container runtime.
• T1068: Exploitation for Privilege Escalation: The exploitation of the runc vulnerability (CVE-2024-21626) involves the use of a malicious image or Dockerfile to achieve the container escape. This demonstrates the use of 'Exploitation for Privilege Escalation' as the attacker exploits the vulnerability to gain elevated privileges on the host.
• T1195: Supply Chain Compromise: The article mentions that the vulnerabilities can be exploited by running a malicious image or by building a container image using a malicious Dockerfile. This indicates the use of 'Supply Chain Compromise' to introduce the malicious Dockerfile or image into the build process.
• T1584.002: Compromise Infrastructure: DNS Server: The exploitation process involves building a container image using a malicious Dockerfile or upstream image, which suggests the use of 'Build Misconfiguration' to exploit the vulnerabilities during the container build process.
• T1005: Data from Local System: Once the attacker has gained access to the underlying host operating system, they could potentially access sensitive data such as credentials and customer information. This indicates the use of 'Data from Local System' to gather sensitive information from the compromised host.
• T1592: Gather Victim Host Information: The article describes how the vulnerabilities were discovered and disclosed responsibly to the relevant parties, indicating a 'Vulnerability Disclosure' process.

‍

The AMBERSQUID cryptojacking operation began with attackers uploading a container image containing cryptomining software to Docker Hub, which evaded static scanning. This step was effectively mitigated by BlueRock's Container Drift Protection (Binaries & Scripts), which prevents unauthorized executables and scripts from running, ensuring that only binaries present in the original container image are executed. The attackers then used compromised AWS credentials to configure their environment and gain access to various AWS services, creating new IAM roles with full access policies. BlueRock's Cloud IMDS Firewall (AWS) could have been instrumental in preventing unauthorized access to AWS metadata services, thereby protecting against the misuse of valid accounts. The operation further involved creating repositories in AWS CodeCommit to store and distribute malicious code, and leveraging AWS Amplify to create web applications that executed cryptomining software. BlueRock's mechanisms ensure that unauthorized code execution is blocked, thus thwarting the attackers' attempts to exploit cloud services for cryptojacking. Finally, the attackers used AWS Elastic Container Service (ECS) and AWS Fargate to run containers executing cryptomining tasks, a step that could be mitigated by BlueRock's comprehensive monitoring and protection of container orchestration services.

• T1202: Indirect Command Execution: The attack begins with the attackers uploading a container image containing cryptomining software to Docker Hub. This image didn't raise alarms during static scanning, indicating the use of techniques to evade detection. The malicious payload only became apparent when the container was run, suggesting the use of Dynamic Analysis Evasion.
• T1078: Valid Accounts: The attackers used compromised AWS credentials to configure their environment and gain access to various AWS services. This is indicative of Valid Accounts, where legitimate credentials are used to access systems and services.
• T1098.003: Account Manipulation: Additional Cloud Roles: The attackers created new IAM roles with full access policies for multiple AWS services like AWSCodeCommit-Role and sugo-role. This shows the use of Create or Modify Cloud Accounts and Permissions to facilitate further malicious activities.
• T1213: Data from Information Repositories: They then created repositories in AWS CodeCommit and used these repositories to store and distribute their malicious code. This aligns with the use of Code Repositories for hosting malicious code.
• T1613: Container and Resource Discovery: They used AWS Elastic Container Service (ECS) and AWS Fargate to run containers that execute cryptomining tasks. This involves the abuse of Container Orchestration Services.
• T1611: Escape to Host: AWS CodeBuild was used to compile and test source code, embedding cryptomining commands within the build specification. This represents the abuse of Continuous Integration/Continuous Delivery (CI/CD) pipelines.
• T1608.001: Stage Capabilities: Upload Malware: The attackers created CloudFormation stacks to automate the deployment of EC2 instances that run cryptomining software. This technique involves the abuse of Infrastructure as Code (IaC) for malicious purposes.
• T1537: Transfer Data to Cloud Account: They utilized EC2 Auto Scaling to dynamically adjust the number of instances running their cryptomining software, ensuring maximum resource usage. This shows the exploitation of Cloud Compute Resources.

‍

In the SCARLETEEL 2.0 attack, the adversaries began by exploiting vulnerable compute services in AWS accounts to gain initial access. BlueRock's Cluster Drift Protection mechanism effectively mitigates this by preventing unauthorized changes to cluster configurations, ensuring that any attempts to exploit public-facing applications are detected and blocked. Once inside, the attackers escalated privileges by exploiting a misconfiguration in an AWS policy, allowing them to gain AdministratorAccess. BlueRock's Cloud IMDS Firewall (AWS) mechanism is crucial here, as it restricts access to the instance metadata service, preventing unauthorized retrieval of sensitive credentials that could be used for privilege escalation. The attackers then created new users and access keys to maintain persistence. BlueRock's Cluster Drift Protection again plays a role by monitoring and alerting on unauthorized account creations, ensuring that any suspicious activity is quickly identified and addressed. Throughout the attack, the adversaries used scripts to steal AWS credentials and exfiltrate them to a command and control server. BlueRock's Cloud IMDS Firewall (AWS) mechanism helps prevent such credential theft by blocking unauthorized access to metadata services, thereby safeguarding sensitive information from being exfiltrated.

• T1190: Exploit Public-Facing Application: The attack begins with the exploitation of vulnerable compute services in AWS accounts, allowing the attackers to gain initial access to the cloud environment. The article mentions 'compromise AWS accounts through exploiting vulnerable compute services.'
• T1068: Exploitation for Privilege Escalation: After gaining access, the attackers escalate their privileges by exploiting a misconfiguration in an AWS policy, allowing them to gain AdministratorAccess. The article states, 'the actor discovered and exploited a customer mistake in an AWS policy which allowed them to escalate privileges to AdministratorAccess.'
• T1078: Valid Accounts: The attackers gain persistence by creating new users and access keys, ensuring continued access even if initial access vectors are closed. The article mentions, 'Using the new admin privileges, the adversary created new users and a new set of access keys for all the users in the account, including admins.'
• T1552.001: Unsecured Credentials: Credentials In Files: The attackers use scripts to steal AWS credentials by querying the instance metadata service (IMDSv1 and IMDSv2) and searching the filesystem and Docker containers for credentials. The article describes, 'Those scripts search for AWS credentials in different places: by contacting the instance metadata (both IMDSv1 and IMDSv2), in the filesystem, and in the Docker containers created in the target machine (even if they are not running).'
• T1041: Exfiltration Over C2 Channel: The attackers exfiltrate the stolen AWS credentials by sending them to a command and control (C2) server using various endpoints. The article details, 'the exfiltration function sends the Base64 encoded stolen credentials to the C2 IP Address.'
• T1059.004: Command and Scripting Interpreter: Unix Shell: The attackers use the AWS CLI and Pacu to further exploit the AWS environment and facilitate privilege escalation. The article mentions, 'They installed AWS CLI binary and Pacu on the exploited containers and configured them with the retrieved keys.'
• T1611: Escape to Host: The attackers leverage the tool peirates to further exploit Kubernetes environments. The article states, 'they also leveraged peirates, a tool to further exploit Kubernetes.'
• T1586.001: Compromise Accounts: Social Media Accounts: The attackers use the compromised AWS environment to run cryptominers, creating multiple EC2 instances to mine cryptocurrency. The article mentions, 'With the admin access, the attacker created 42 instances of c5.metal/r5a.4xlarge in the compromised account.'
• T1498: Network Denial of Service: The attackers utilize a botnet malware (Pandora) to perform DDoS attacks, indicating their involvement in DDoS-as-a-Service campaigns. The article notes, 'they also downloaded and executed Pandora, a malware belonging to the Mirai Botnet.'
• T1071.001: Application Layer Protocol: Web Protocols: The attackers use multiple command and control (C2) domains, including public services, to send and retrieve data, enhancing their defense evasion. The article mentions, 'Changes in C2 domains multiple times, including utilizing public services used to send and retrieve data.'

‍

In the Silentbob's Cloud Attack, the attacker begins by exploiting exposed JupyterLab and Docker APIs to gain initial access. BlueRock's Container Capability Control effectively mitigates this by restricting the capabilities that can be granted to containers, thereby limiting unauthorized command execution. The attacker ensures persistence by setting containers to restart always, which is countered by BlueRock's Container Capability Control, limiting the potential for unauthorized command execution and maintaining system integrity.

• T1190: Exploit Public-Facing Application: The attack begins with the attacker exploiting exposed JupyterLab and Docker APIs. This initial access is facilitated by scanning for these exposed services, which is indicative of the technique 'Exploit Public-Facing Application' (T1190). The article states, 'This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs.'
• T1046: Network Service Discovery: Once access is gained, the attacker uses the ZGrab application for banner grabbing to identify further vulnerable instances. This falls under 'Network Service Scanning' (T1046). The article details, 'ZGrab is an application layer scanner, developed with Go language, that enables the attacker to perform banner grabbing.'
• T1046: Network Service Discovery: The attacker uses masscan to scan IP ranges for exposed services, which is a continuation of 'Network Service Scanning' (T1046). The article mentions, 'Subsequently, the masscan tool scans and pipes the IP to be utilized by ZGrab for assessing whether there is an exposed Jupyter Lab instance.'
• T1041: Exfiltration Over C2 Channel: The gathered information is sent back to the attacker's Command and Control (C2) server, indicative of 'Exfiltration Over C2 Channel' (T1041). The article notes, 'The resulting information is organized and stored in the JupyterLab.txt file, which is then transmitted to the attacker’s C2 server.'
• T1105: Ingress Tool Transfer: The attacker's infrastructure is concealed using NGROK, aligning with 'Ingress Tool Transfer' (T1105) for transferring tools and 'Proxy' (T1090) for hiding communication. The article states, 'Through the use of NGROK, the attacker is able to conceal the infrastructure, thereby minimizing the risk of it being shut down.'
• T1059.004: Command and Scripting Interpreter: Unix Shell: The attack progresses with the execution of a script to scan for misconfigured Docker daemons and deploy a privileged container, demonstrating 'Command and Scripting Interpreter: Unix Shell' (T1059.004). The article describes, 'One layer incorporates the ELF system... Another layer houses ZGrab, while yet another contains the run.sh shell script, which is programmed to initiate as soon as the container starts.'
• T1496: Resource Hijacking: The attacker uses Docker to deploy a container with a cryptominer and Tsunami malware, indicative of 'Resource Hijacking' (T1496) and 'Deploy Container' (T1610). The article notes, 'It releases a cryptominer and includes the Tsunami malware, which acts as a backdoor.'
• T1090.002: Proxy: External Proxy: The attacker utilizes the TOR service to obscure network communication, indicative of 'Proxy: External Proxy' (T1090.002). The article mentions, 'Following this, the attacker launches the TOR service to obscure network communication.'
• T1568.002: Dynamic Resolution: Domain Generation Algorithms: The attacker uses anondns.net to mask their C2 server, aligning with 'Domain Generation Algorithms' (T1568.002). The article states, 'The attacker employs anondns.net to mask his C2 server.'
• T1552.001: Unsecured Credentials: Credentials In Files: The attacker scans for AWS keys and secrets, which aligns with 'Cloud Credential Dumping' (T1552.001). The article speculates, 'We strongly suspect that this script is designed to systematically scan the environment for AWS keys and secrets, thereby enabling the attacker to steal them.'
• T1609: Container Administration Command: The attacker sets the container to restart always, ensuring persistence, which aligns with 'Container Administration Command' (T1609). The article summarizes, 'The container is running with the flag --restart=always, which creates a persistence in case the container fails it will try to restart.'

‍

The "Dirty Pipe" vulnerability (CVE-2022-0847) allows attackers to overwrite files within container images from inside a container, posing a significant threat to containerized environments. The attack begins with the adversary gaining access to a container, potentially through valid cloud accounts. Once inside, the attacker exploits the Dirty Pipe vulnerability to escalate privileges and modify files that should be read-only, such as configuration files shared across multiple containers. This is where BlueRock's Read-Only File Protection mechanism comes into play. By enforcing strict read-only policies on critical files and directories, BlueRock effectively prevents unauthorized modifications, ensuring that even if an attacker gains access to a container, they cannot alter the underlying image files. This protection is crucial in maintaining the integrity of containerized applications and preventing the spread of malicious changes across multiple containers.

• T1078.004: Valid Accounts: Cloud Accounts: The article describes how attackers can use the Dirty Pipe vulnerability (CVE-2022-0847) to overwrite files in container images from within a container. This implies that attackers can gain control of a container to execute this exploit. The first step in this attack scenario is the adversary gaining initial access to the container.
• T1068: Exploitation for Privilege Escalation: Once the attacker has access to the container, they utilize the Dirty Pipe vulnerability to modify files that should be read-only. This action is directly manipulating and altering the system's files to achieve their goal, which falls under the category of exploiting a privilege escalation vulnerability.
• T1105: Ingress Tool Transfer: The article mentions that the attacker can modify files from the underlying image, affecting all containers using that shared image. This action of modifying files in a way that affects multiple containers aligns with the technique of Ingress Tool Transfer, where the attacker transfers tools or files into the container to facilitate the attack.
• T1592.003: Gather Victim Host Information: Firmware: The attack's ability to modify configuration files such as nginx.conf to affect multiple running containers demonstrates the attacker’s ability to modify system configurations to maintain persistence or further their goals. This aligns with the concept of modifying system configurations.
• T1070.006: Indicator Removal: Timestomp: Finally, the article advises patching the Linux kernel to mitigate the vulnerability. This suggests that the persistence of the vulnerability can be mitigated by updating the system, highlighting the importance of applying security patches.

‍