AccuKnox is a core contributor to the Kubernetes Runtime Security platform, and AccuKnox’s CNCF project, KubeArmor, has received 200,000+ downloads. KubeArmor addresses the problem of preventing cloud workloads from executing malicious activity at runtime. Malicious activity is any activity that the workload was not designed for or is not supposed to perform. From the generated logs, we could infer that the Botinger is creating files under /dev/shm/, spawning new tshd and bioset processes, and listening on TCP ports, including 1982.
TeamTNT exploited a WordPress pod deployed on a Kubernetes cluster via its misconfigured dashboard, which was brute-forced and then allowed remote command execution. After gaining access to the vulnerable container, the malware uses the wget command to download the malicious bash script aws2.sh. Researchers at Cado Security have outlined multiple recent changes in its post-infection behaviour. The botnet script can now steal credentials from AWS IAM roles, both from files on disk and from the AWS instance metadata URL, which exposes privileged information. At the time, researchers said that TeamTNT was the first crypto-mining botnet to implement a feature dedicated to collecting and stealing AWS credentials. If your instance’s Resource Role is ACTOR, this indicates the instance has been used to perform SSH brute force attacks.
This finding informs you that the listed EC2 instance in your AWS environment is communicating with a remote host on port 25. This behavior is unusual because this EC2 instance has no prior history of communications on port 25. Port 25 is traditionally used by mail servers for SMTP communications. This finding indicates your EC2 instance might be compromised for use in sending out spam. The attackers must first be able to accomplish remote code execution on the original target system in order for this attack to be successful.
This finding informs you that an EC2 instance in your AWS environment is querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware. This finding informs you the listed EC2 instance in your AWS environment might be compromised because it is querying a domain name that is being redirected to a black hole IP address. Black holes are places in the network where incoming or outgoing traffic is silently discarded without informing the source that the data didn’t reach its intended recipient.
Once the cluster is ready, we will deploy a WordPress application into it. For this, we have created a complete YAML manifest for a WordPress installation on Kubernetes. You can use this predefined deployment file to quickly deploy WordPress to your Kubernetes environment. To understand how the malware works, we will skip the initial RCE step and execute it directly inside the container. Once we are inside, we use the top command to observe the normal behaviour of our application. Late last week, CloudSEK researchers posted details of a 12-strong group called “TeamTNT”, who claim they have targeted Docker, Redis server, AWS, Weavescope and Kubernetes-hosted systems.