First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters

Background:

A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with the exploitation of a misconfigured API server. The attackers proceeded by gathering information about the cluster, checking whether their own deployment was already present, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRoleBinding. The attackers then created a DaemonSet, which lets a single API request deploy the workload to all nodes. The malicious image, deployed from the public Docker Hub registry, was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times, and 60 exposed K8s clusters have been found with signs of exploitation by this campaign.

Takeaway:

Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. Kubernetes clusters and cloud storage buckets are too often misconfigured, and threat actors know there is potential for malicious activity. A defense-in-depth approach (layering of security mechanisms, redundancy, fail-safe defense processes) is a good mitigation step to help stop highly active threat groups.
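The persistence pattern described above (a custom wildcard ClusterRole, a ClusterRoleBinding handing it to a ServiceAccount, and a DaemonSet pulling from Docker Hub) is something a defender can look for in a cluster dump. The script below is an added example, not code from the Aqua write-up or from any Kubernetes project: it audits the JSON that `kubectl get clusterroles,clusterrolebindings,daemonsets -A -o json` produces. The embedded dump is constructed for the example, and the object names in it (example-persistence-role, example-miner, and so on) are hypothetical placeholders, not indicators from the campaign.

```python
"""Audit a Kubernetes object dump for RBAC persistence and Docker Hub DaemonSets.

Input shape: the List that `kubectl get clusterroles,clusterrolebindings,daemonsets -A -o json`
returns. Run with a file path argument to audit a real dump; without one it audits SAMPLE_DUMP.
"""
import json
import sys

# Built-in roles that legitimately carry wildcard rules; any other wildcard role is suspect.
BUILTIN_WILDCARD_ROLES = {"cluster-admin", "admin", "edit", "view"}
# Subjects that should never be bound to a wildcard ClusterRole.
SENSITIVE_GROUPS = {"system:anonymous", "system:unauthenticated"}

# Constructed sample dump (hypothetical names, not campaign indicators).
SAMPLE_DUMP = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "system:node"},
         "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
        # Hypothetical attacker-created role: full wildcard under a non-builtin name.
        {"kind": "ClusterRole", "metadata": {"name": "example-persistence-role"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "example-persistence-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "example-persistence-role"},
         "subjects": [{"kind": "ServiceAccount", "name": "example-sa", "namespace": "kube-system"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"kind": "DaemonSet", "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.27.0"}]}}}},
        # Hypothetical DaemonSet pulling an unqualified image, i.e. from Docker Hub.
        {"kind": "DaemonSet", "metadata": {"name": "example-miner", "namespace": "kube-system"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "main", "image": "exampleuser/examplename:latest"}]}}}},
    ],
}


def is_wildcard_rule(rule):
    """True when a rule grants every verb on every resource or every API group."""
    return "*" in rule.get("verbs", []) and (
        "*" in rule.get("resources", []) or "*" in rule.get("apiGroups", []))


def wildcard_roles(items):
    """Non-builtin ClusterRoles carrying a wildcard rule."""
    return sorted(
        i["metadata"]["name"] for i in items
        if i["kind"] == "ClusterRole"
        and i["metadata"]["name"] not in BUILTIN_WILDCARD_ROLES
        and not i["metadata"]["name"].startswith("system:")
        and any(is_wildcard_rule(r) for r in i.get("rules", [])))


def risky_bindings(items):
    """ClusterRoleBindings granting cluster-admin or a wildcard role to a ServiceAccount
    or to anonymous/unauthenticated users. Returns (binding, role, subject) tuples."""
    broad = set(wildcard_roles(items)) | {"cluster-admin"}
    found = []
    for i in items:
        if i["kind"] != "ClusterRoleBinding":
            continue
        ref = i.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in broad:
            continue
        for s in i.get("subjects", []):
            if s["kind"] == "ServiceAccount" or s.get("name") in SENSITIVE_GROUPS:
                subject = f'{s["kind"]}:{s.get("namespace", "")}/{s["name"]}'
                found.append((i["metadata"]["name"], ref["name"], subject))
    return found


def image_registry(image):
    """Registry host an image reference pulls from; unqualified names resolve to Docker Hub."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def public_registry_daemonsets(items):
    """DaemonSets with a container image pulled from Docker Hub: (namespace, name, image)."""
    found = []
    for i in items:
        if i["kind"] != "DaemonSet":
            continue
        for c in i["spec"]["template"]["spec"].get("containers", []):
            if image_registry(c["image"]) == "docker.io":
                found.append((i["metadata"]["namespace"], i["metadata"]["name"], c["image"]))
    return found


def audit(dump):
    items = dump["items"]
    return {"wildcard_roles": wildcard_roles(items),
            "risky_bindings": risky_bindings(items),
            "docker_hub_daemonsets": public_registry_daemonsets(items)}


if __name__ == "__main__":
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DUMP
    print(json.dumps(audit(dump), indent=2))
```

A hit in any of the three lists is not proof of compromise on its own (many operators run Docker Hub images in DaemonSets), but a wildcard role bound to a ServiceAccount plus a Docker Hub DaemonSet in kube-system that nobody can account for is exactly the combination to investigate.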

3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible

Background:

Investigation of the previously reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to determine that it was the result of a prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly available tool SigFlip decrypting an RC4 stream-cipher-encrypted payload and starting the publicly available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. Additional VeiledSignal modules inject the C2 module into a browser process instance, create a Windows named pipe, and send incoming communication to the C2 server encrypted with AES-256 in Galois/Counter Mode. This attack has a medium-confidence connection to financially motivated AppleJeus activity by Lazarus Group, while also displaying a weak infrastructure connection to APT43, both being North Korea-sponsored groups.

Takeaway:

It is important to regularly review software dependencies for issues such as discontinued projects (the X_TRADER platform was reportedly discontinued in 2020). Open source repositories and apps are a valuable asset for many organizations, but their adoption must be risk-assessed, appropriately mitigated and then monitored to ensure ongoing integrity. This attack was not contained to 3CX users: Symantec researchers identified two critical-infrastructure energy organizations, one in the U.S. and one in Europe, also affected by the X_TRADER software supply chain attack.


Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic

Background:

Infoblox researchers identified several C2 domains using the same rare toolkit, dubbed Decoy Dog. The earliest activity goes back to early April 2022. The toolkit is centered around a complex, publicly available, multi-platform RAT called Pupy, which was previously observed in use by advanced actors such as Earth Berberoka. Decoy Dog exclusively targets enterprise network Linux appliances. It exhibits a unique DNS signature independent of Pupy. For C2 communication it uses encrypted DNS packets sent to dynamically created subdomains. Decoy Dog C2 domains exhibit a pattern of periodic, but infrequent, DNS requests. These domains resolve to IP addresses in an unusually high number of ASNs and include some unresolvable IP addresses.

Takeaway:

Decoy Dog tries to avoid detection using domain aging and infrequent, encrypted, low-level C2 traffic. At the same time, the toolkit is uniquely identifiable when its domains are examined at the DNS level, through its unique DNS signature, its resolution pattern and its activity pattern.
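The DNS-level characteristics listed above (dynamically created subdomains, periodic but infrequent queries, unresolvable answers, many distinct resolutions) can be turned into per-domain metrics over passive DNS logs. The script below is an added example, not code or detection logic from the Infoblox report. It assumes a simple constructed log format of `<ISO timestamp> <query name> <answer IP or NXDOMAIN>`, treats the last two labels as the registrable domain (a production version would use the public suffix list), and uses the count of distinct resolved IPs as a stand-in for the ASN count, since an offline script cannot do ASN lookups. The sample log and the thresholds are constructed for the example.

```python
"""Per-domain DNS behaviour metrics for spotting Decoy Dog-like beaconing."""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed passive-DNS log: "<ISO time> <qname> <answer>". Domains are placeholders.
# example-c2.test: one query every ~6 h, a fresh random subdomain each time, one 0.0.0.0 answer.
# example-legit.test: bursty traffic to a couple of stable hostnames.
SAMPLE_LOG = """\
2023-04-01T00:00:00 h1x9.example-c2.test 198.51.100.7
2023-04-01T06:00:05 q7a2.example-c2.test 203.0.113.9
2023-04-01T12:00:02 z3m0.example-c2.test 0.0.0.0
2023-04-01T18:00:04 k8p1.example-c2.test 192.0.2.44
2023-04-02T00:00:01 w2r5.example-c2.test 198.51.100.7
2023-04-01T00:00:03 www.example-legit.test 192.0.2.10
2023-04-01T00:01:10 www.example-legit.test 192.0.2.10
2023-04-01T00:07:30 cdn.example-legit.test 192.0.2.11
2023-04-01T03:00:00 www.example-legit.test 192.0.2.10
"""


def split_domain(qname):
    """Return (registrable domain, subdomain). Assumption: last two labels are registrable."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def is_unresolvable(answer):
    """NXDOMAIN, unparsable answers, 0.0.0.0 and loopback count as unresolvable."""
    if answer == "NXDOMAIN":
        return True
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return True
    return ip.is_unspecified or ip.is_loopback


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, answer = line.split()
        records.append((datetime.fromisoformat(ts), qname, answer))
    return records


def domain_metrics(text):
    """Aggregate per registrable domain: query count, subdomain churn, timing regularity,
    distinct answers and unresolvable answers."""
    groups = defaultdict(list)
    for ts, qname, answer in parse_log(text):
        base, sub = split_domain(qname)
        groups[base].append((ts, sub, answer))
    metrics = {}
    for base, recs in groups.items():
        recs.sort()
        times = [r[0] for r in recs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = mean(gaps) if gaps else 0.0
        # Coefficient of variation of the inter-query gap: near 0 means a regular beacon.
        cv = pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap > 0 else float("inf")
        metrics[base] = {
            "queries": len(recs),
            "distinct_subdomains": len({r[1] for r in recs}),
            "mean_gap_s": mean_gap,
            "gap_cv": cv,
            "distinct_answers": len({r[2] for r in recs}),
            "unresolvable": sum(is_unresolvable(r[2]) for r in recs),
        }
    return metrics


def flag_decoy_dog_like(text, min_queries=4, min_gap_s=3600, max_cv=0.25, min_sub_ratio=0.8):
    """Domains whose queries are infrequent, regular and almost always to a new subdomain.
    Thresholds are constructed starting points, not values from the report."""
    flagged = []
    for base, m in domain_metrics(text).items():
        if (m["queries"] >= min_queries
                and m["distinct_subdomains"] / m["queries"] >= min_sub_ratio
                and m["mean_gap_s"] >= min_gap_s
                and m["gap_cv"] <= max_cv):
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    for base, m in domain_metrics(SAMPLE_LOG).items():
        print(base, m)
    print("flagged:", flag_decoy_dog_like(SAMPLE_LOG))
```

The subdomain-churn and gap-regularity tests carry most of the weight; the unresolvable and distinct-answer counts are best used as supporting evidence when triaging a flagged domain, since legitimate CDN names also resolve to many addresses.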

EvilExtractor: All-in-One Stealer

Background:

Commodity infostealer EvilExtractor was first released on underground markets in October 2022. Its malicious activity increased significantly in March 2023, mostly targeting America and Europe. EvilExtractor is typically delivered in an obfuscated form as a phishing attachment. It downloads additional archived modules for information stealing and ransom operations. Its Kodex Ransomware component is a standalone 7-Zip console that encrypts files by archiving them with a password. EvilExtractor uploads stolen data to the attacker’s FTP server, which is provided by the malware developer.

Takeaway:

The best defense against EvilExtractor is anti-phishing training. Never click on attachments or links from spam emails or untrusted senders. Legitimate account confirmation requests typically do not ask users to open an attachment.

Bumblebee Malware Distributed Via Trojanized Installer Downloads

Background:

A new infection chain delivering the Bumblebee modular loader was detected by Secureworks researchers. It starts with malicious Google Ads pointing to a page on a compromised WordPress site that impersonates popular downloads such as ChatGPT, Citrix, Cisco AnyConnect, and Zoom. The target downloads an MSI installer containing a legitimate installer and a malicious PowerShell script that reflectively loads Bumblebee into memory. Follow-up activity on selected networks includes installing additional tools: an Active Directory database dumping batch script, AnyDesk, DameWare, Cobalt Strike, the netscanold.exe network scanning utility, and the pshashes.txt Kerberoasting attack script.

Takeaway:

Before clicking to download software, check whether the domain name is misspelled. As always, end-user education and awareness remain a key component of any organization’s protective arsenal. Until search engines get better at recognizing this kind of abuse, take extra caution with search results, especially promoted ones. Organizations are advised to consider restricting the download and execution of third-party software.
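The "check whether the domain name is misspelled" advice can be automated at a web proxy or in a download-alerting rule: compare the host serving an installer against an allowlist of vendor domains and flag near-misses and brand names buried in unrelated domains. The script below is an added example, not code from the Secureworks report. It assumes the organisation maintains an allowlist like ALLOWLIST (the entries are the real registrable domains of the vendors named above, extended as needed), treats the last two labels as the registrable domain (a production version would use the public suffix list), and uses a small homoglyph table plus edit distance; the candidate hosts in the test are constructed.

```python
"""Classify a download host against an allowlist of vendor domains."""

# Example allowlist the organisation would maintain for the vendors named above.
ALLOWLIST = ["zoom.us", "cisco.com", "citrix.com", "openai.com"]

# Common visual substitutions used in look-alike names (multi-character pairs first).
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"))
HOMOGLYPH_CHARS = str.maketrans("0135", "oles")


def normalise(label):
    """Fold homoglyphs so 'zoorn' compares equal to 'zoom'."""
    for src, dst in HOMOGLYPH_PAIRS:
        label = label.replace(src, dst)
    return label.translate(HOMOGLYPH_CHARS)


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Assumption: registrable domain = last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host, allowlist=ALLOWLIST, max_distance=2):
    """Return one of: allowlisted, brand-in-name, lookalike, unknown.

    brand-in-name: a vendor brand appears as part of some label of a non-allowlisted host
                   (e.g. 'zoom.us.example-download.test' or 'cisco-anyconnect-download.example').
    lookalike:     the registrable label is within max_distance edits of a vendor brand
                   after homoglyph folding (e.g. 'zoorn.us', 'zooom.us').
    """
    dom = registrable(host)
    if dom in allowlist:
        return "allowlisted"
    labels = host.lower().rstrip(".").split(".")
    brand = dom.split(".")[0]
    folded = normalise(brand)
    best_distance = None
    for good in allowlist:
        good_brand = good.split(".")[0]
        if any(good_brand in lab for lab in labels):
            return "brand-in-name"
        d = levenshtein(folded, good_brand)
        best_distance = d if best_distance is None else min(best_distance, d)
    if best_distance is not None and best_distance <= max_distance:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for h in ("zoom.us", "zoorn.us", "zooom.us", "zoom.us.example-download.test",
              "cisco-anyconnect-download.example", "unrelated.example"):
        print(f"{h:40} {classify(h)}")
```

"unknown" is not a clean bill of health, only the absence of a known-brand signal; combined with the takeaway's advice to restrict third-party software execution, an "unknown" or "lookalike" verdict is a reasonable trigger for blocking the download or routing it to review.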
