BSides Tallinn 2024

Santi Abastante

Ex-Police Officer from Argentina, Cloud Incident Responder and Security Engineer with 10+ years of IT experience.


Session

09-19
14:15
45min
Tales From a Cloud CSIRT- Let’s deep dive into a Kubernetes (k8s) Infection
Santi Abastante

Kubernetes (k8s) is an orchestration system for automating software deployment, scaling and management, and if you don’t know… this is really hot right now.

When implemented in a cloud environment, it allows a service to grow almost limitlessly, because the k8s cluster can create and destroy servers at will, based on the load of the containers running. Imagine what can go wrong when attackers get to own this power for themselves… you are right, lightspeed growth equals a lot of destructive power.

In this talk, we are going to analyze a real example of an AWS Kubernetes cluster infection through a software development supply chain compromise. The attackers were able to get AWS credentials from a DevOps workstation and use them to introduce a poisoned Docker image into a Kubernetes cluster. It allowed them to move laterally within the cluster and to the cloud provider, retrieving secrets, passwords, tokens, and a bunch of other data.

Luckily, we were able to detect them just in time, as they had retrieved secrets that would have allowed them to move laterally to other companies or execute a new Docker image with nastier results.

We are going to present the examples using a real-time lab, offering examples for incident responders and malware analysts to understand how to investigate these techniques, getting through the cyber kill chain and explaining what went wrong and what could have been done better.

Stage 2