In this video I take a look at a cryptojacking attack against a Kubernetes honeypot.
The attackers were surprisingly quick to discover this unsecured Kubernetes deployment and use it to mine Monero for them.
The capture files whose names start with "proxy-", such as the analyzed proxy-220404-162837.pcap, were generated by PolarProxy and contain the Kubernetes API traffic to the master node in decrypted form.
On the wire this traffic was TLS encrypted, but PolarProxy was deployed as a TLS interception proxy in front of the API server, so it could decrypt the sessions and write the plaintext Kubernetes API traffic to PCAP.
I am thrilled to announce the release of PolarProxy version 1.0 today!
Several bugs that affected performance, stability and memory usage have now been resolved in our TLS inspection proxy. PolarProxy has also been updated with better logic for importing external root CA certificates and the HAProxy implementation has been improved. But the most significant addition in the 1.0 release is what we call the “TLS Firewall” mode.
TLS Firewall
PolarProxy now supports rule-based logic for deciding, per session, whether TLS traffic should be allowed to pass through untouched, be blocked, or be inspected (i.e. decrypted and re-encrypted) by the proxy.
This rule-based logic can be used to turn PolarProxy into a TLS firewall. As an example, the ruleset-block-malicious.json ruleset included in the new PolarProxy release blocks traffic to malicious domains from abuse.ch's ThreatFox IOC database as well as traffic to web tracker domains listed in the EasyPrivacy filter from EasyList. The ruleset also includes an allow list so that legitimate websites are not blocked by accident.
PolarProxy's ruleset logic isn't limited to domain names. Sessions can also be matched on the client's JA3 or JA4 fingerprint hash, or on the application layer protocols announced in the ALPN extension of the client's TLS handshake. All of these attributes (server name, fingerprint and ALPN) are carried in the unencrypted ClientHello, so the allow/block/inspect decision can be made before any decryption takes place.
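To make the allow/block/inspect decision concrete, here is an added example (written for this page, not PolarProxy's own code and not its ruleset JSON format) that parses a TLS ClientHello, extracts the SNI, ALPN list and JA3 fingerprint, and evaluates a small rule set in the precedence the text describes: allow list first, then block list, then inspect rules, with pass-through as the default. The ClientHello records, the domain names and the "blocked" JA3 fingerprint are all constructed for the example; the rule set structure is hypothetical.

```python
import hashlib
import struct


def _is_grease(v: int) -> bool:
    # GREASE values (RFC 8701) look like 0x?A?A and must be excluded from JA3.
    return (v & 0x0F0F) == 0x0A0A


def build_client_hello(sni, alpn, ciphers=(0x0A0A, 0x1301, 0x1302, 0xC02B),
                       groups=(0x1A1A, 0x001D, 0x0017), ec_formats=(0,)) -> bytes:
    """Constructed TLS ClientHello record (record + handshake header + body) for testing.
    Defaults carry one GREASE cipher and one GREASE group to show that JA3 drops them."""
    def ext(etype, body):
        return struct.pack("!HH", etype, len(body)) + body
    name = sni.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_body = struct.pack("!H", len(alpn_list)) + alpn_list
    groups_list = b"".join(struct.pack("!H", g) for g in groups)
    groups_body = struct.pack("!H", len(groups_list)) + groups_list
    ecpf_body = bytes([len(ec_formats)]) + bytes(ec_formats)
    extensions = (ext(0x0000, sni_body) + ext(0x0010, alpn_body)
                  + ext(0x000A, groups_body) + ext(0x000B, ecpf_body))
    cipher_bytes = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00"                                               # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Pull version, cipher list, extension list, groups, EC point formats, SNI and ALPN
    out of a ClientHello record. Everything here is plaintext on the wire."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                             # 5-byte record header + 4-byte handshake header
    version = struct.unpack_from("!H", record, p)[0]; p += 2
    p += 32                                           # client random
    p += 1 + record[p]                                # session id
    cs_len = struct.unpack_from("!H", record, p)[0]; p += 2
    ciphers = [struct.unpack_from("!H", record, p + i)[0] for i in range(0, cs_len, 2)]; p += cs_len
    p += 1 + record[p]                                # compression methods
    ext_len = struct.unpack_from("!H", record, p)[0]; p += 2
    end = p + ext_len
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "groups": [], "ec_formats": [], "sni": None, "alpn": []}
    while p < end:
        etype, elen = struct.unpack_from("!HH", record, p); p += 4
        body = record[p:p + elen]; p += elen
        info["extensions"].append(etype)
        if etype == 0x0000:                           # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack_from("!H", body, 3)[0]
            info["sni"] = body[5:5 + name_len].decode()
        elif etype == 0x0010:                         # ALPN: list len(2), then len(1)+protocol entries
            q = 2
            while q < len(body):
                n = body[q]; info["alpn"].append(body[q + 1:q + 1 + n].decode()); q += 1 + n
        elif etype == 0x000A:                         # supported_groups: list len(2), 2-byte ids
            info["groups"] = [struct.unpack_from("!H", body, 2 + i)[0] for i in range(0, len(body) - 2, 2)]
        elif etype == 0x000B:                         # ec_point_formats: len(1), 1-byte formats
            info["ec_formats"] = list(body[1:1 + body[0]])
    return info


def ja3(info: dict):
    """Return (JA3 string, JA3 MD5). JA3 = version,ciphers,extensions,groups,ec_formats with GREASE removed."""
    def join(vals):
        return "-".join(str(v) for v in vals if not _is_grease(v))
    s = ",".join([str(info["version"]), join(info["ciphers"]), join(info["extensions"]),
                  join(info["groups"]), "-".join(str(v) for v in info["ec_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


# Hypothetical fingerprint of a TLS stack we want to block. A real ruleset would carry the
# 32-hex-digit MD5 taken from an IOC feed; it is derived from the JA3 string here to keep the example self-contained.
BLOCKED_JA3 = hashlib.md5(b"771,53-47,0-16-10-11,23,0").hexdigest()

# Hypothetical ruleset (not PolarProxy's JSON schema). "domains" match the name or any subdomain.
RULESET = {
    "allow":   {"domains": ["example.com"]},                            # never blocked or inspected
    "block":   {"domains": ["bad.example.net"], "ja3": [BLOCKED_JA3]},  # IOC-style entries
    "inspect": {"alpn": ["h2", "http/1.1"]},                            # decrypt only web traffic
}


def evaluate(info: dict, ruleset: dict) -> str:
    """Return 'allow', 'block', 'inspect' or 'pass'. Allow rules are checked first so an
    allow-listed site can never be blocked by a stale or over-broad IOC entry."""
    _, digest = ja3(info)
    sni = info["sni"] or ""

    def matches(rule: dict) -> bool:
        if any(sni == d or sni.endswith("." + d) for d in rule.get("domains", [])):
            return True
        if digest in rule.get("ja3", []):
            return True
        return any(p in rule.get("alpn", []) for p in info["alpn"])

    for verdict in ("allow", "block", "inspect"):
        if verdict in ruleset and matches(ruleset[verdict]):
            return verdict
    return "pass"


def decide(record: bytes, ruleset: dict = RULESET) -> str:
    return evaluate(parse_client_hello(record), ruleset)


if __name__ == "__main__":
    for sni, alpn in [("cdn.example.com", ["h2"]), ("bad.example.net", ["h2"]),
                      ("www.example.org", ["h2"]), ("mail.example.org", ["imap"])]:
        print(f"{sni:20} {alpn} -> {decide(build_client_hello(sni, alpn))}")
```

Note the ordering choice: the allow list wins over everything else, the block list wins over inspect rules, and anything matching no rule is passed through untouched. Matching on the JA3 hash means a client is caught regardless of which server name it connects to, which is what makes fingerprint rules useful against malware that rotates its domains.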
I will teach Network Forensics for Incident Response at the IT security conference x33fcon in Gdynia, Poland on June 11-12. In this hands-on class you will get a chance to perform network based threat hunting and deep dive into packet analysis for two days. The first day will be spent using open source tools, such as Wireshark, NetworkMiner, Suricata, Zeek, tcpflow and ngrep. On the second day we’ll also use NetworkMiner Professional and CapLoader. All training participants will get a 6 month license for CapLoader as well as NetworkMiner Professional.
Image: Motława river by Diego Delso, delso.photo (CC-BY-SA)
About x33fcon
x33fcon is held in Gdynia (Gdańsk), which is located on the Baltic coast in northern Poland. The conference’s focus is on collaboration between attackers and defenders. Their goal is to encourage security professionals to consider both perspectives while working more closely together.
Are you interested in learning more about how to analyze network traffic from Cobalt Strike and other backdoors, malware and hacker tools? Then take a look at our upcoming network forensics classes!
Posted by Erik Hjelmvik on Thursday, 04 January 2024 10:12:00 (UTC/GMT)