Overview
As part of our continued commitment to improving public cloud security for everyone, Unit 42 Cloud Researchers study cloud technology with the aim of identifying new risks and threats in the cloud. Over the past year, Unit 42 discovered multiple vulnerabilities in public cloud infrastructure, caught previously unknown threat actors, and identified insecure misconfigurations. We collaborated with multiple cloud vendors to mitigate these risks and keep cloud users safe.
This August, our researchers are coming to Vegas to present and discuss our latest findings at security conferences.
Join us in the following sessions:
Kubernetes Privilege Escalation: Container Escape == Cluster Admin? | Yuval Avrahami and Shaul Ben Hai @ Black Hat USA 2022, Thursday, August 11, 11:20 AM PDT
The Journey From an Isolated Container to Cluster Admin in Service Fabric | Aviv Sasson @ DEF CON 30, Sunday, August 14, 1:00 PM PDT
Cloud Threat Actors: No Longer Cryptojacking for Fun and Profit | Nathaniel Quist @ DEF CON 30 Skytalks, Friday, August 12, 3:00 PM PDT
Who Contains the “Serverless” Containers? | Daniel Prizmant @ DEF CON 30 Cloud Village, Saturday, August 13, 10:40 AM PDT
Deescalate the Overly-permissive IAM | Jay Chen @ DEF CON 30 Cloud Village, Sunday, August 14, 12:10 PM PDT
A Ransomware Actor Looks at the Clouds: Attacking in a Cloud-Native Way | Jay Chen @ DEF CON 30 Cloud Village (Lightning Talks), Friday, August 12, 12:10 PM PDT
Read on to get more information about what to expect during each of these talks.
Microsoft Collaboration to Mitigate FabricScape
In January of this year, Cloud Researcher Aviv Sasson discovered an important vulnerability in Service Fabric, an infrastructure for hosting applications on containers and virtual machines that is commonly used in Azure services. The vulnerability would enable attackers in Linux containers to escalate their privileges, gain root on the host node, and potentially compromise all of the nodes in the cluster. Over the past months, we worked closely with the Microsoft Security Response Center (MSRC) and Microsoft teams to remediate this issue. In June, a joint disclosure of FabricScape (CVE-2022-30137) was published on the Palo Alto Networks blog and by the Microsoft Security Response Center.
Aviv will present the full details of his findings, their impact, and mitigations in his DEF CON 30 session on August 14, 1:00 PM PDT.
Kubernetes: Trampoline Pods
Earlier this year, Unit 42 Cloud Researchers Yuval Avrahami and Shaul Ben Hai published “Kubernetes Privilege Escalation: Excessive Permissions in Popular Platforms”, a white paper that demystifies Kubernetes privilege escalation and examines the exploitability of different attack techniques across popular Kubernetes platforms. Kubernetes usage has grown significantly in recent years, and this popularity has attracted threat actors: Unit 42 has tracked campaigns targeting Kubernetes environments. In their research, Yuval and Shaul explore whether a single container breakout allows an attacker to take over an entire Kubernetes cluster. The answer differs between Kubernetes platforms and managed services, and depends on specific configurations and add-ons. In pursuit of an answer, they explore old and new Kubernetes privilege escalation techniques. One outcome of their research is an open-source tool, rbac-police, which identifies risky RBAC permissions of service accounts, pods and nodes in a Kubernetes cluster.
Yuval and Shaul will present their findings at Black Hat USA 2022 on August 11, 11:20 AM PDT.
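To show what a risky-permission check of this kind looks like in practice, here is an added example; it is not rbac-police's code and not taken from the white paper. It joins constructed sample RoleBindings and ClusterRoleBindings to their roles and reports service accounts that hold permissions commonly abused for escalation (cluster-wide secret access, pod creation, exec into pods, and the bind/escalate/impersonate verbs). The role names, namespaces, the simplified binding format and the RISKY_RULES list are assumptions chosen for the illustration, not real Kubernetes API objects or a real cluster.

```python
"""Flag risky RBAC permissions held by Kubernetes service accounts.

Added example, not rbac-police's code. The roles and bindings below are
constructed sample data in a simplified shape, not real API objects.
"""
from dataclasses import dataclass

# Constructed sample roles: (kind, name) -> list of RBAC rules.
SAMPLE_ROLES = {
    ("ClusterRole", "secrets-reader"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    ],
    ("ClusterRole", "pod-admin"): [
        {"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["*"]},
    ],
    ("ClusterRole", "view-only"): [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "watch"]},
    ],
    ("Role", "ns-secrets"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    ],
}

# Constructed sample bindings. Subjects are (kind, namespace, name).
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": ("ClusterRole", "secrets-reader"),
     "subjects": [("ServiceAccount", "monitoring", "agent")]},
    {"kind": "ClusterRoleBinding", "roleRef": ("ClusterRole", "pod-admin"),
     "subjects": [("ServiceAccount", "ci", "runner")]},
    {"kind": "ClusterRoleBinding", "roleRef": ("ClusterRole", "view-only"),
     "subjects": [("ServiceAccount", "default", "viewer")]},
    {"kind": "RoleBinding", "namespace": "team-a", "roleRef": ("Role", "ns-secrets"),
     "subjects": [("ServiceAccount", "team-a", "app")]},
]

# Risky permissions: (apiGroup, resource, verb, scope, impact).
# scope "cluster" counts only when granted through a ClusterRoleBinding,
# because the same verb confined to one namespace is far less dangerous.
RISKY_RULES = [
    ("", "secrets", "get", "cluster", "read any secret, including SA tokens"),
    ("", "secrets", "list", "cluster", "enumerate every secret in the cluster"),
    ("", "pods", "create", "cluster", "run pods that mount other namespaces' SA tokens"),
    ("", "pods/exec", "create", "any", "execute commands inside existing pods"),
    ("rbac.authorization.k8s.io", "clusterroles", "bind", "any",
     "bind ClusterRoles it does not hold (RBAC escalation)"),
    ("rbac.authorization.k8s.io", "clusterroles", "escalate", "any",
     "grant permissions beyond its own"),
    ("", "serviceaccounts", "impersonate", "any", "act as any service account"),
]


@dataclass(frozen=True)
class Finding:
    subject: str        # "namespace/serviceaccount"
    verb: str
    resource: str
    cluster_wide: bool
    impact: str


def rule_grants(rule, group, resource, verb):
    """True if one RBAC rule grants verb on group/resource ('*' is a wildcard)."""
    def allows(field, wanted):
        values = rule.get(field, [])
        return "*" in values or wanted in values
    return (allows("apiGroups", group)
            and allows("resources", resource)
            and allows("verbs", verb))


def analyze(roles, bindings, risky_rules=RISKY_RULES):
    """Join bindings to their roles and report risky grants per service account."""
    findings = []
    for binding in bindings:
        rules = roles.get(binding["roleRef"], [])
        cluster_wide = binding["kind"] == "ClusterRoleBinding"
        for kind, namespace, name in binding["subjects"]:
            if kind != "ServiceAccount":
                continue
            for group, resource, verb, scope, impact in risky_rules:
                if scope == "cluster" and not cluster_wide:
                    continue  # namespaced grant of a cluster-scope pattern: skip
                if any(rule_grants(r, group, resource, verb) for r in rules):
                    findings.append(Finding(f"{namespace}/{name}", verb, resource,
                                            cluster_wide, impact))
    return findings


def risky_subjects(findings):
    """Service accounts that hold at least one risky permission, sorted."""
    return sorted({f.subject for f in findings})


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROLES, SAMPLE_BINDINGS):
        scope = "cluster-wide" if f.cluster_wide else "namespaced"
        print(f"{f.subject}: {f.verb} {f.resource} ({scope}) -> {f.impact}")
```

On the sample data the script flags monitoring/agent (cluster-wide secret read) and ci/runner (wildcard verbs on pods and pods/exec), while team-a/app is not reported: its secret access comes through a RoleBinding and stays inside one namespace. Keeping that scope distinction is what separates a useful report from one that flags every namespaced workload.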
IAM Security and Cloud Threat Actors
In the latest Cloud Threat Report, dubbed “IAM: The first line of defense”, Unit 42 Cloud Researchers share the results of analyzing 680,000 identities in 18,000 cloud accounts from over 200 organizations. Our findings suggested that the majority of cloud identities used by organizations are overly permissive. For example, permissions that were granted to many identities remained unused for over 60 days, posing a security risk.
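The "unused for over 60 days" finding is the kind of thing a team can measure in its own accounts. Below is an added example, not the report's tooling, that takes a generic "last accessed" export (identity, permission, date of last use, or None if never used) and lists the permissions each identity has not exercised within the threshold, plus the allow-list a right-sized policy would keep. The identities, permission names, dates and the reference date are constructed for the illustration.

```python
"""Find IAM permissions that have gone unused past a threshold.

Added example, not the Cloud Threat Report's tooling. The access records
below are constructed sample data in the shape of a generic
"last accessed" export: (identity, permission, last_used_date or None).
"""
from collections import defaultdict
from datetime import date

UNUSED_THRESHOLD_DAYS = 60
SAMPLE_AS_OF = date(2022, 8, 1)  # constructed reference date for the sample

# Constructed sample records. Repeated (identity, permission) pairs can occur
# when an export lists one row per region or per credential; keep the latest.
SAMPLE_ACCESS_RECORDS = [
    ("role/ci-deployer", "s3:PutObject", date(2022, 7, 20)),
    ("role/ci-deployer", "iam:CreateUser", None),            # never exercised
    ("role/ci-deployer", "ec2:TerminateInstances", date(2022, 3, 1)),
    ("user/analyst", "s3:GetObject", date(2022, 6, 1)),
    ("user/analyst", "s3:GetObject", date(2022, 7, 31)),     # later row wins
    ("user/analyst", "kms:Decrypt", date(2022, 5, 15)),
]


def latest_use(records):
    """Collapse records to {identity: {permission: most recent use or None}}."""
    latest = defaultdict(dict)
    for identity, permission, used in records:
        perms = latest[identity]
        if permission not in perms:
            perms[permission] = used
        elif used is not None and (perms[permission] is None or used > perms[permission]):
            perms[permission] = used
    return latest


def unused_permissions(records, as_of, threshold_days=UNUSED_THRESHOLD_DAYS):
    """Return {identity: {permission: days_since_use}} for permissions unused
    for more than threshold_days; days_since_use is None when never used."""
    flagged = {}
    for identity, perms in latest_use(records).items():
        stale = {}
        for permission, used in perms.items():
            if used is None:
                stale[permission] = None
            else:
                days = (as_of - used).days
                if days > threshold_days:
                    stale[permission] = days
        if stale:
            flagged[identity] = stale
    return flagged


def least_privilege_policy(records, as_of, threshold_days=UNUSED_THRESHOLD_DAYS):
    """Per identity, the permissions actually exercised within the threshold:
    the allow-list a right-sized policy would keep."""
    flagged = unused_permissions(records, as_of, threshold_days)
    keep = {}
    for identity, perms in latest_use(records).items():
        keep[identity] = sorted(p for p in perms if p not in flagged.get(identity, {}))
    return keep


if __name__ == "__main__":
    for identity, perms in unused_permissions(SAMPLE_ACCESS_RECORDS, SAMPLE_AS_OF).items():
        for permission, days in sorted(perms.items()):
            age = "never used" if days is None else f"unused for {days} days"
            print(f"{identity}: {permission} ({age})")
```

Never-used permissions are reported separately from stale ones because they call for different follow-up: a permission with no recorded use may be a break-glass grant that should be documented rather than removed, while one last used 150 days ago is usually safe to drop. Collapsing duplicate rows to the most recent use matters too; taking the first row would have flagged s3:GetObject for user/analyst even though it was used the day before the reference date.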
Cloud Researcher Jay Chen will discuss these findings on public cloud IAM security in his session at DEF CON 30 Cloud Village. In the same village, Jay will also present a lightning talk on ransomware actors using cloud-native techniques.
In addition to researching the state of IAM security, in the Cloud Threat Report we published the first Cloud Threat Actor Index, listing threat actors that specifically target cloud environments. We detailed the techniques and targets of the top five threat actors we identified attacking the cloud.
Nathaniel Quist will share more about the process of discovering these threat actors and their evolving cloud operations, from cryptojacking to the direct targeting of IAM credentials, in his DEF CON 30 Skytalks session.
Serverless Security
For the past few months, Daniel Prizmant has been researching the security of serverless technologies in depth: how they are built, how they are secured, and what their possible attack surfaces are. In his DEF CON 30 Cloud Village talk, Daniel plans to discuss new findings on how he managed to bypass the first line of defense in Azure Serverless, and what security measures might prevent malicious actors from escalating an attack.
See You Soon
The defined mission of the Prisma Cloud research team is to make the cloud safe. This entails continuously attempting to find threat actors targeting the cloud, understanding the attack surfaces of cloud technologies and discovering new vulnerabilities in cloud infrastructure. We look forward to sharing our recent findings with the community and learning from the excellent sessions in the upcoming Black Hat and DEF CON events.