
Misconfiguration Identified in Google Cloud Platform


A misconfiguration in Google Cloud Platform could allow threat actors to gain complete control over virtual machines by abusing legitimate features of the platform, according to researchers at Mitiga, a cloud incident response firm.

Mitiga uncovered the issue several months ago while examining Google Cloud Platform (GCP) Compute Engine, specifically its virtual machine (VM) service. The misconfiguration lets an attacker who already holds certain permissions in the project send data to and receive data from a VM, and possibly gain complete control over it. Mitiga stresses, however, that this is not a vulnerability or a bug; it describes it as "dangerous functionality".

Mitiga notes that an attacker could abuse a legitimate Compute Engine API method, getSerialPortOutput, which reads the output a VM has written to its serial ports. The researchers describe the call as a "legacy method of debugging systems": the serial ports involved are not ports in the TCP/IP sense but device files of the form /dev/ttySX on a Linux guest, and the control plane reads them regardless of any network path to the VM.

"We at Mitiga believe that this misconfiguration is likely common enough to warrant concern; however, with proper access control to the GCP environment there is no exploitable flaw," Andrew Johnston, principal consultant at Mitiga, stated. 

After Mitiga reported the findings, Google agreed that the misconfiguration could be exploited to bypass firewall settings. Mitiga proposed two changes to Google: restricting getSerialPortOutput to higher-tiered permission roles, and letting organizations disable any additions or alterations of VM metadata at runtime.

Mitiga also advised Google to revise its GCP documentation to make clear that firewalls and other network access controls do not fully restrict access to VMs. Google, however, disagreed with most of the recommendations.
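Because Google treats this as working-as-intended, the practical control is on the customer side: audit who can write VM metadata and read serial output, and watch for the two being used together. The following is an added example, not code from Mitiga, Google or this article. It scans constructed Cloud Audit Log lines and flags a principal who repeatedly writes metadata to an instance and then reads that instance's serial output shortly afterwards, the request/response pattern a control-plane channel would produce. The JSON layout (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.resourceName, timestamp) and the method-name strings are assumptions about how GCP logs these calls; check them against your own logs before deploying.

```python
"""Added example (not from Mitiga or Google): flag principals who alternate
VM metadata writes (setMetadata) with serial-output reads
(getSerialPortOutput) on the same instance, the two halves of the
control-plane channel described in the article.

Assumptions: audit entries are one JSON object per line with the fields
used below, and the method names match those GCP emits. SAMPLE_LOG is
constructed for this example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WRITE_METHOD = "v1.compute.instances.setMetadata"          # assumed name
READ_METHOD = "v1.compute.instances.getSerialPortOutput"   # assumed name

# Constructed sample: dev@ does two write/read round trips on web-1;
# ops@ reads once (plain debugging); ci@ writes once (deploy).
SAMPLE_LOG = """
{"timestamp":"2023-03-01T10:00:00Z","protoPayload":{"methodName":"v1.compute.instances.setMetadata","authenticationInfo":{"principalEmail":"dev@example.com"},"resourceName":"projects/p1/zones/us-central1-a/instances/web-1"}}
{"timestamp":"2023-03-01T10:00:09Z","protoPayload":{"methodName":"v1.compute.instances.getSerialPortOutput","authenticationInfo":{"principalEmail":"dev@example.com"},"resourceName":"projects/p1/zones/us-central1-a/instances/web-1"}}
{"timestamp":"2023-03-01T10:00:20Z","protoPayload":{"methodName":"v1.compute.instances.setMetadata","authenticationInfo":{"principalEmail":"dev@example.com"},"resourceName":"projects/p1/zones/us-central1-a/instances/web-1"}}
{"timestamp":"2023-03-01T10:00:31Z","protoPayload":{"methodName":"v1.compute.instances.getSerialPortOutput","authenticationInfo":{"principalEmail":"dev@example.com"},"resourceName":"projects/p1/zones/us-central1-a/instances/web-1"}}
{"timestamp":"2023-03-01T11:00:00Z","protoPayload":{"methodName":"v1.compute.instances.getSerialPortOutput","authenticationInfo":{"principalEmail":"ops@example.com"},"resourceName":"projects/p1/zones/us-central1-a/instances/db-1"}}
{"timestamp":"2023-03-01T12:00:00Z","protoPayload":{"methodName":"v1.compute.instances.setMetadata","authenticationInfo":{"principalEmail":"ci@example.com"},"resourceName":"projects/p1/zones/us-central1-a/instances/db-1"}}
"""


def parse_entries(text):
    """Parse newline-delimited audit JSON into dicts sorted by timestamp."""
    entries = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        pp = rec["protoPayload"]
        entries.append({
            "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "method": pp["methodName"],
            "principal": pp["authenticationInfo"]["principalEmail"],
            "instance": pp["resourceName"],
        })
    return sorted(entries, key=lambda e: e["ts"])


def find_channel_candidates(entries, window=timedelta(minutes=5), min_round_trips=2):
    """Return {(principal, instance): round_trips} for every pair where a
    metadata write was followed by a serial-output read within `window`
    at least `min_round_trips` times. A single write then read looks like
    ordinary debugging; repeated alternation looks like a request/response
    loop driven from the control plane."""
    pending_writes = defaultdict(list)   # (principal, instance) -> write times
    round_trips = defaultdict(int)
    for e in entries:
        key = (e["principal"], e["instance"])
        if e["method"] == WRITE_METHOD:
            pending_writes[key].append(e["ts"])
        elif e["method"] == READ_METHOD:
            # pair this read with the most recent unconsumed write in the window
            recent = [t for t in pending_writes[key] if e["ts"] - t <= window]
            if recent:
                round_trips[key] += 1
                pending_writes[key].remove(max(recent))
    return {k: n for k, n in round_trips.items() if n >= min_round_trips}


if __name__ == "__main__":
    for (who, inst), n in find_channel_candidates(parse_entries(SAMPLE_LOG)).items():
        print(f"{who} on {inst.rsplit('/', 1)[-1]}: {n} write/read round trips")
```

The window and round-trip threshold are tuning knobs; a real channel polling the serial console would produce far more reads than writes, so counting unpaired reads per minute is a useful second signal. Tightening IAM so that only a small set of principals hold both permissions is what turns this from detection into prevention.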

"After a long exchange, Google did ultimately concur that certain portions of their documentation could be made clearer and agreed to make changes to documentation that indicated the control plane can access VMs regardless of firewall settings. Google did not acknowledge the other recommendations nor speak to specifics regarding whether a GCP user could evade charges by using the getSerialPortOutput method," Johnston wrote in the report.

50% of Misconfigured Containers Hit by Botnets in an Hour


Aqua Security announced on Monday that data gathered from container honeypots over a six-month period shows that 50% of misconfigured Docker APIs are attacked within 56 minutes of being set up.

According to the study, it takes attackers' bots an average of five hours to find and scan a new honeypot; the fastest scan arrived within a few minutes and the slowest after 24 hours. This, says Assaf Morag, a principal data analyst with Aqua's Team Nautilus, underlines the need to find and fix cloud misconfigurations quickly, or to prevent them before an application is deployed.

Security professionals, Morag says, must be aware that even the smallest misconfiguration can expose their containers and Kubernetes clusters to attack.
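The misconfiguration behind numbers like these is usually the Docker Engine API listening on a TCP socket that anyone on the network can reach. The check below is an added example, not code from Aqua or this article: it audits a dockerd command line or daemon.json for TCP listeners that are not protected by client-certificate verification, with a weak configuration, a half-fixed one and a hardened one constructed inline. It relies only on documented dockerd options (-H/--host, --tls, --tlsverify and the matching daemon.json keys); the paths in the sample configurations are placeholders.

```python
"""Added example (not from Aqua or the article): audit dockerd settings for
the Docker Engine API exposed over TCP without client-certificate
verification. Sample configurations below are constructed."""
import json
import shlex

# Weak: API on every interface, plaintext, no authentication at all.
WEAK_CMD = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
# Half-fixed: --tls encrypts the connection but does NOT authenticate clients.
TLS_ONLY_CMD = ("dockerd -H tcp://0.0.0.0:2376 --tls "
                "--tlscert=/etc/docker/server.pem --tlskey=/etc/docker/key.pem")
# Hardened: --tlsverify requires a client cert signed by the configured CA.
HARDENED_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server.pem",
    "tlskey": "/etc/docker/key.pem",
})


def parse_cmdline(cmdline):
    """Extract host list and TLS flags from a dockerd command line."""
    hosts, tls, tlsverify = [], False, False
    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a == "--tls":
            tls = True
        elif a == "--tlsverify":
            tlsverify = True
        i += 1
    return hosts, tls, tlsverify


def audit_dockerd(cmdline=None, daemon_json=None):
    """Return a list of findings (empty means no exposed TCP listener).
    A tcp:// host counts as exposed unless tlsverify is on; --tls alone
    still lets any client on the network talk to the daemon."""
    hosts, tls, tlsverify = [], False, False
    if cmdline:
        hosts, tls, tlsverify = parse_cmdline(cmdline)
    if daemon_json:
        cfg = json.loads(daemon_json)
        hosts = hosts + cfg.get("hosts", [])
        tls = tls or bool(cfg.get("tls", False))
        tlsverify = tlsverify or bool(cfg.get("tlsverify", False))

    findings = []
    for host in hosts:
        scheme, _, addr = host.partition("://")
        if scheme != "tcp":
            continue            # unix:// and fd:// are local-only
        if tlsverify:
            continue            # client certs required: acceptable
        bind = addr.rsplit(":", 1)[0]
        scope = "all interfaces" if bind in ("", "0.0.0.0", "[::]") else bind
        msg = f"Docker API on {addr} ({scope}) without client cert verification"
        if tls:
            msg += " (--tls only encrypts)"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for label, kw in (("weak", {"cmdline": WEAK_CMD}),
                      ("tls-only", {"cmdline": TLS_ONLY_CMD}),
                      ("hardened", {"daemon_json": HARDENED_JSON})):
        print(label, audit_dockerd(**kw) or "OK")
```

Note that dockerd refuses to start if hosts are set both on the command line and in daemon.json, so in practice only one source will be populated; the function accepts both so the same check works against either. Binding to 127.0.0.1 is reported with the address rather than "all interfaces" because it is still reachable by any local process, which matters on a shared host.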

“The threat landscape has morphed as malicious adversaries extend their arsenals with new and advanced techniques to avoid detection,” stated Morag. 

“Although cryptocurrency mining is still the lowest hanging fruit and thus more targeted, we have seen more attacks that involve the delivery of malware, establishing of backdoors, and data and credentials theft. Focusing on misconfigurations is important, but companies also need a more holistic approach that includes a focus on supply chain attacks.” 

The findings were incorporated into the development of the MITRE ATT&CK for Containers matrix. Container security had been on MITRE's radar for a while, but only later did the organization see enough reported activity to start analyzing the area and add it to ATT&CK, according to Adam Pennington, MITRE ATT&CK director.

“We’ve gone from occasional anecdotes about security incidents to a number of organizations regularly detecting and talking about intrusions,” Pennington said. 

Cloud misconfigurations have become a serious risk for container users, according to Michael Cade, senior global technologist for Kasten by Veeam. 

“Misconfigurations are one of the ways that containers are uniquely exposed, basically as a default to ease development burdens. They are a likely point of ingress for container attacks, so it’s extremely important to have an effective remediation plan in place,” Cade stated.