Low Orbit Security

@LowOrbitSec


Tailored Security Solutions from @grahamhelton3

Virginia
Joined February 2023
@LowOrbitSec
Low Orbit Security
8 months
Happy new year! Gubble is out now! Gubble is a tool that queries the Workspace API to analyze Group permissions to identify potential security risks, allowing both offensive and defensive teams to programmatically identify risky permissions. PoCs: 🧵
github.com
gubble is a tool designed to audit Google Workspace group settings. It analyzes settings such as who can join, view membership, post messages, view conversations, and more to help identify potentia...
@LowOrbitSec
Low Orbit Security
6 months
RT @GrahamHelton3: Golden Ticket Attack In Kubernetes? 🤔. A new post exploitation & persistence tool for Kubernetes just came out called Ku….
@LowOrbitSec
Low Orbit Security
6 months
RT @GrahamHelton3: You can also do this without being in the pod itself.
@LowOrbitSec
Low Orbit Security
6 months
The openssl binary is present in many container images such as go, haproxy, kong, nginx, php, rabbitmq, etc. Combined with a simple shell script, we can use openssl to scan for hosts using this crazy one-liner you can find at this GitHub gist:
@LowOrbitSec
Low Orbit Security
6 months
Scan an IP range using OpenSSL 🧐 When working in containers, you're operating in a very minimal environment. Often you do not have the traditional tools you need, network discovery tools being one of them.
@LowOrbitSec
Low Orbit Security
6 months
An example: RBAC is well understood to be a core pillar of Kubernetes security, but it's not always implemented in a way that would stop an attacker. Kubernetes security can be hard, but ignoring it will present challenges that can threaten your business.
@LowOrbitSec
Low Orbit Security
6 months
We can't begin to talk about the more advanced challenges like implementing least privilege, multi-tenancy, or implementing defense in depth when we're still attempting to implement the basics.
@LowOrbitSec
Low Orbit Security
6 months
Over the last couple of years I've noticed a disturbing trend: there are not enough offensive security professionals translating well-known Kubernetes security principles to the business by demonstrating the impact of not adhering to these security principles.
@LowOrbitSec
Low Orbit Security
6 months
The core of Low Orbit Security are these three words: Show Not Tell. This is what drives my recent focus on Kubernetes security.
@LowOrbitSec
Low Orbit Security
7 months
RT @GrahamHelton3: 🚨 Reminder! I'll be opening at the @RedTeamVillage_ conference tomorrow (February 8th) at 10AM EST with ~2 hours of li….
@LowOrbitSec
Low Orbit Security
7 months
6. If you want to read more about what happened after the attack, you can read the full report here. A turf war for control over the Kubernetes cluster ensued with multiple threat actors fighting for control of the cluster. It's a fun read!
crowdstrike.com
The Dero cryptojacking operation locates Kubernetes clusters with anonymous access enabled on a Kubernetes API and listens on non-standard ports accessible from the internet.
@LowOrbitSec
Low Orbit Security
7 months
5. With these permissions, any number of nefarious shenanigans could have been pulled. Once the DaemonSet was deployed, it started the cryptomining software. A lackluster attack for such a powerful position inside a cluster, but a common one.
@LowOrbitSec
Low Orbit Security
7 months
4. In this case, according to the CrowdStrike report, the attacker had permissions to deploy a DaemonSet. This is a powerful permission that allows admins (or attackers) to run a copy of a pod on nodes in the cluster. This is what the actual DaemonSet manifest looked like:
@LowOrbitSec
Low Orbit Security
7 months
3. This means you're removing the authentication step (pictured below), typically relying on authorization and admission control to deny requests. RBAC is tricky to get right every time, and fine-tuned admission control requires lots of time/effort to get perfect.
@LowOrbitSec
Low Orbit Security
7 months
2. If a request is not authenticated (i.e. it does not present a certificate signed by the Kubernetes API server or similar), it will by default be assigned the system:anonymous/system:unauthenticated user/group.
@LowOrbitSec
Low Orbit Security
7 months
1. The Kubernetes cluster had --anonymous-auth=true (or rather, the cluster didn't have --anonymous-auth=false) in its apiserver manifest. This is the default in clusters set up with kubeadm, but what does this mean? Notice how there is no flag setting anonymous auth to false.
@LowOrbitSec
Low Orbit Security
7 months
Breaking down a real threat actor's TTPs for attacking a Kubernetes cluster 🧵 In March 2023, CrowdStrike published a report which detailed how an attacker targeted a vulnerable Kubernetes cluster to mine Dero. Here is a breakdown of how it happened.
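The two conditions this thread walks through (step 1: no --anonymous-auth flag means anonymous auth is on, since kube-apiserver defaults it to true; step 2: unauthenticated callers become system:anonymous / system:unauthenticated, so any RBAC binding to those subjects is reachable without credentials) can be checked from the cluster's own objects. The script below is an added defender's check, not code from the thread or from the CrowdStrike report; the kube-apiserver pod manifest and ClusterRoleBinding list are constructed samples shaped like `kubectl ... -o json` output, and the binding name `oops-anon-admin` is made up.

```python
import json

# Constructed kube-apiserver static pod manifest, trimmed to the command array,
# shaped like `kubectl -n kube-system get pod kube-apiserver-<node> -o json`.
# Note that no --anonymous-auth flag is present at all (the kubeadm default).
APISERVER_POD = json.dumps({"spec": {"containers": [{
    "name": "kube-apiserver",
    "command": ["kube-apiserver", "--authorization-mode=Node,RBAC",
                "--client-ca-file=/etc/kubernetes/pki/ca.crt", "--secure-port=6443"]}]}})

# Constructed ClusterRoleBinding list. The first (made-up name) grants cluster-admin
# to every unauthenticated caller; the second is the benign kubeadm default that
# only exposes /healthz, /version, /livez and /readyz.
BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "oops-anon-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]}]})

ANON_SUBJECTS = {"system:anonymous", "system:unauthenticated"}
KNOWN_BENIGN = {"system:public-info-viewer"}  # default binding, read-only info endpoints


def anonymous_auth_enabled(pod_json: str) -> bool:
    """True when the API server maps unauthenticated requests to system:anonymous.
    kube-apiserver defaults --anonymous-auth to true, so a missing flag counts as on."""
    pod = json.loads(pod_json)
    for container in pod["spec"]["containers"]:
        for arg in container.get("command", []) + container.get("args", []):
            if arg == "--anonymous-auth":          # bare boolean flag means true
                return True
            if arg.startswith("--anonymous-auth="):
                return arg.split("=", 1)[1].strip().lower() == "true"
    return True


def risky_anonymous_bindings(bindings_json: str) -> list:
    """ClusterRoleBindings (as 'name -> role') that grant a role to anonymous or
    unauthenticated subjects, ignoring the known-benign default."""
    found = []
    for b in json.loads(bindings_json).get("items", []):
        subjects = {s.get("name") for s in b.get("subjects") or []}
        if subjects & ANON_SUBJECTS and b["metadata"]["name"] not in KNOWN_BENIGN:
            found.append(f'{b["metadata"]["name"]} -> {b["roleRef"]["name"]}')
    return found
```

Run it against the real objects by feeding `kubectl get clusterrolebindings -o json` and the apiserver pod JSON to the two functions; a cluster that sets `--anonymous-auth=false` returns False from the first check regardless of bindings.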
@LowOrbitSec
Low Orbit Security
7 months
If you enjoy these weekly posts, consider subscribing so you get the emails straight to your inbox and don't have to hope you catch them on your timeline. You can do so here:
loworbitsecurity.com
A shorter post this week for reasons that will become obvious in the near future. Show Not Tell Lately, I've been putting a lot of thought into offensive security. There are so many useful areas of...
@LowOrbitSec
Low Orbit Security
7 months
Offensive security shouldn't really exist. However, it does (and is impactful) because companies are run by humans who unknowingly operate under the "Show Not Tell" mentality. You can read more of my thoughts on this topic here:
@LowOrbitSec
Low Orbit Security
7 months
Very interesting data from @wiz_io, excited for the full report. TL;DR: Attackers are scanning for exposed Kubernetes clusters and Pods are being deployed in a more secure manner. Of note: 21% of Pods having Critical vulnerabilities is terrifying.
@wiz_io
Wiz
7 months
🚨Newly deployed #Kubernetes clusters are under attack within just 18 minutes. Malicious actors waste no time probing for weaknesses in your setup.
@LowOrbitSec
Low Orbit Security
7 months
RT @RedTeamVillage_: 📢 Save the Date! RTV Overflow: A full-day virtual event packed with your favorite workshops! 🚀 📅 Date: Feb 8, 2025 ⏰…