Executive Summary
As part of our continued commitment to improving public cloud security for everyone, Unit 42 Cloud Researchers study cloud technology with the aim of identifying new risks and threats in the cloud. Over the past year, Unit 42 discovered multiple vulnerabilities in public cloud infrastructure, caught previously unknown threat actors, and identified insecure misconfigurations. We collaborated with multiple cloud vendors to mitigate these risks and keep cloud users safe.
One of our major efforts in the Prisma Cloud Security Research team is improving cloud security for everyone. On an ongoing basis, we discover new threats targeting cloud environments and identify zero-day vulnerabilities in cloud infrastructure. We strictly follow responsible disclosure processes and publish our findings on the Unit 42 research blog.
This August, our researchers will unveil their newest findings in three different talks in the DEF CON 29 Cloud Village and the Black Hat USA 2021 conference:
Aviv Sasson @ Black Hat USA 2021, Wednesday, August 4, 11:20 AM PDT
Yuval Avrahami @ DEF CON 29 Cloud Village, Friday, August 6, 2:05 PM PDT
Daniel Prizmant @ DEF CON 29 Cloud Village, Saturday, August 7, 10:45 AM PDT
Read on to get more information about what to expect during each of these talks.
Microsoft Collaboration to Mitigate FabricScape
In January of this year, Cloud Researcher Aviv Sasson discovered an important vulnerability in Service Fabric, an infrastructure for hosting applications on containers and virtual machines that is commonly used in Azure services. The vulnerability would enable attackers in Linux containers to escalate their privileges, gain root on the host node, and potentially compromise all of the nodes in the cluster. Over the past months, we have worked closely with the Microsoft Security Response Center (MSRC) and Microsoft teams to remediate this issue. In June, a joint disclosure of FabricScape (CVE-2022-30137) was published on the Palo Alto Networks blog and by the Microsoft Security Response Center.
Aviv will present the full details of his findings, their impact, and mitigations in his DEF CON 30 session on August 14, 1:00 PM PDT.
Findings on Cloud Infrastructure Security
Since 2020 and throughout this year, we have discovered significant vulnerabilities in cloud infrastructure, including security issues that directly impact the public cloud. For every finding we make, we follow responsible disclosure guidelines. While some of our research is still under embargo, we have been able to publish the issues that we reported and that have since been successfully resolved.
At Black Hat USA 2020, Security Researcher Yuval Avrahami disclosed the findings of his security audit of Kata Containers, a container runtime that uses lightweight VMs to isolate workloads. Kata Containers can be used as the underlying runtime of container orchestration tools such as Docker and Kubernetes, with the aim of improving workload isolation and benefiting from the security advantages of VMs. Some cloud providers rely on Kata's security to separate workloads in multi-tenant environments.
In his presentation, Yuval revealed a complete breakout of a Kata Container that would have allowed attackers to execute malicious code outside the VM on host machines running Kata. Prior to Black Hat, Yuval responsibly disclosed his findings to the Kata maintainers, who fixed the issues, which were assigned 4 CVEs. The full presentation slides can be found here.
At the upcoming DEF CON 29 Cloud Village, Yuval will reveal WhoC, a new research tool dedicated to researching CaaS (Containers-as-a-Service) platforms. The tool runs as a container image that extracts the container runtime binary from its underlying host, enabling security researchers and engineers to better understand how their containers run on these platforms. WhoC provides visibility into CaaS offerings, making it easier to assess the security of environments that were notoriously hard to look into. We invite you to join Yuval to hear more about this on Friday, August 6th.
Earlier this year, Security Researcher Daniel Prizmant released his research on Siloscape, a new malware specifically targeting Windows Containers to compromise cloud instances. Prior to finding Siloscape, Daniel conducted extensive reverse-engineering research on the internals of Windows Containers. In his publication last year, he revealed a complete breakout of Windows Containers.
At DEF CON 29 Cloud Village, Daniel will discuss the internals of Windows Containers and why a container breakout is still a major threat when using cloud workloads based on Windows. In his presentation, Daniel will also elaborate on how Siloscape operates and what security measures can be taken to protect against it.
Container Honeypots Research
Since the beginning of 2020, Security Researcher Aviv Sasson has been closely monitoring attackers in the wild through our wide network of container honeypots. These honeypots are network entities that behave like real container instances and lure threat actors into using, and thereby exposing, their exploits and malware. Throughout this year, Aviv and Unit 42 researchers discovered a variety of malware samples operated by different threat groups, including Cetus and Pro-Ocean.
Aviv recently completed his research on a sample of 50 days of honeypot operation and found that open container instances are attacked approximately every 90 minutes. In his Black Hat USA 2021 session, Aviv will present a summary of his findings and discuss the malware and groups we identified, as well as their goals.
The Research Continues
Our goal of contributing to the cloud community and improving cloud security doesn’t end here. We are continuously conducting research to discover new vulnerabilities in cloud infrastructure and catch threat actors targeting the cloud, all while our researchers work closely with the Prisma Cloud product and development teams to build and enhance Prisma Cloud. We hope you’ll join us at the sessions described in this post, and invite you to learn more about how Prisma Cloud keeps organizations secure.