Key Points:
Six vulnerabilities were announced affecting the rsync utility.…
Author: Sysdig
Summary :
2024 was marked by significant cyber threats, including the emergence of LLMjacking, automated attacks, and the abuse of open source tools. As we move into 2025, organizations must adapt their cybersecurity strategies to address these evolving risks. #CyberSecurity #LLMjacking #ThreatTrends
Key Points:
LLMjacking emerged as a significant threat, costing organizations over $100,000 daily.…
Summary:
The Sysdig Threat Research Team identified a logging issue with Amazon Bedrock APIs in CloudTrail, where failed API calls were logged as successful, complicating threat detection. AWS has since resolved the issue. #CloudTrail #APILogging #ThreatDetection
Key Points:
Sysdig TRT discovered that failed Amazon Bedrock API calls were logged as successful in CloudTrail.…
Short Summary:
The Sysdig Threat Research Team uncovered a global operation named EMERALDWHALE, which targeted exposed Git configurations, resulting in the theft of over 15,000 cloud service credentials. The attackers exploited misconfigured web services to steal credentials, clone private repositories, and extract sensitive data. The stolen credentials, valuable for phishing and spam campaigns, were stored in an S3 bucket belonging to a previous victim.…
Short Summary:
This article discusses the second episode of the CSI Container series, focusing on Kubernetes CSI and conducting Digital Forensics and Incident Response (DFIR) activities in container environments. It highlights the use of Kubernetes checkpointing and automation with tools like Falco, Falcosidekick, and Argo for effective DFIR analysis.…
Short Summary:
AWS has expanded its AWSCompromisedKeyQuarantine policies to include new actions aimed at preventing the misuse of compromised access keys. This proactive measure is designed to restrict certain actions that have been abused by attackers, particularly in light of recent threat reports. The changes, which include the addition of approximately 29 new restricted actions, highlight AWS’s ongoing efforts to enhance security and protect user credentials.…
Short Summary:
Vulnerabilities in the Common Unix Printing System (CUPS) allow remote attackers to exploit the “cups-browsed” process, potentially executing arbitrary commands on affected systems. Four CVEs have been identified, with three rated High and one Critical, necessitating immediate attention and patching to mitigate risks.
Key Points:
Vulnerabilities in CUPS allow remote command execution.…
The Sysdig Threat Research Team (TRT) is on a mission to help secure innovation at cloud speeds.
A group of some of the industry’s most elite threat researchers, the Sysdig TRT discovers and educates on the latest cloud-native security threats, vulnerabilities, and attack patterns.
We are fiercely passionate about security and committed to the cause.…
The Sysdig Threat Research Team (TRT) continued observation of the SSH-Snake threat actor we first identified in February 2024. New discoveries showed that the threat actor behind the initial attack expanded its operations greatly, justifying an identifier to further track and report on the actor and campaigns: CRYSTALRAY.…
In March 2024, the Sysdig Threat Research Team (TRT) began observing attacks against one of our Hadoop honeypot services from the domain “rebirthltd[.]com.” Upon investigation, we discovered that the domain pertains to a mature and increasingly popular DDoS-as-a-Service botnet. The service is based on the Mirai malware family, and the operators advertise its services through Telegram and an online store (rebirthltd.mysellix[.]io).…
The Sysdig Threat Research Team (TRT) recently observed a new attack that leveraged stolen cloud credentials in order to target ten cloud-hosted large language model (LLM) services, known as LLMjacking. The credentials were obtained from a popular target, a system running a vulnerable version of Laravel (CVE-2021-3129).…
This is part two in our series on building honeypots with Falco, vcluster, and other assorted open source tools. For the previous installment, see Building honeypots with vcluster and Falco: Episode I.
When Last We Left Our Heroes
In the previous article, we discussed high-interaction honeypots and used vcluster to build an intentionally vulnerable SSH server inside of its own cluster so it couldn’t hurt anything else in the environment when it got owned.…
The Sysdig Threat Research Team (Sysdig TRT) recently discovered a long-running botnet operated by a Romanian threat actor group, which we are calling RUBYCARP. Evidence suggests that this threat actor has been active for at least 10 years. Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute force attacks.…
The Sysdig Threat Research Team (TRT) discovered a malicious campaign using the blockchain-based Meson service to reap rewards ahead of the crypto token unlock happening around March 15th. Within minutes, the attacker attempted to create 6,000 Meson Network nodes using a compromised cloud account. The Meson Network is a decentralized content delivery network (CDN) that operates in Web3 by establishing a streamlined bandwidth marketplace through a blockchain protocol.…
The Sysdig Threat Research Team (TRT) discovered the malicious use of a new network mapping tool called SSH-Snake that was released on 4 January 2024. SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network.…
This is the first article in a series focusing on syscall evasion as a means to work around detection by security tools and what we can do to combat such efforts. We’ll be starting out the series discussing how this applies to Linux operating systems, but this is a technique that applies to Windows as well, and we’ll touch on some of this later on in the series. …
On January 31st, 2024, Snyk announced the discovery of four vulnerabilities in Kubernetes and Docker.
CVE-2024-21626: CVSS – High, 8.6
CVE-2024-23651: CVSS – High, 8.7
CVE-2024-23652: CVSS – Critical, 10
CVE-2024-23653: CVSS – Critical, 9.8
For Kubernetes, the vulnerabilities are specific to the runc CRI.…
Public cloud infrastructure is, by now, the default approach to both spinning up a new venture from scratch and rapidly scaling your business. From a security perspective, this is a brand new (well, by now more than a decade old) attack surface. “Attack surface” is a commonly used term that denotes the aggregate of your exploitable IT estate, or all of the different pathways a hacker might be able to use to gain access to your systems, steal your data, or otherwise harm your business.…