Workshop: Malicious Kubernetes

Presented at CactusCon 12 (2024), Feb. 16, 2024, 1:30 p.m. (240 minutes).

Containers are here to stay, even the most technically conservative industries are using them. What this means for bad actors is they get access to an excellent delivery mechanism for malware deployment in organizations, offering a wide variety of detection avoidance and persistence mechanisms. Fear not protectors, containers also offer ways to detect these, but can be fraught with challenges. Whether you're red, blue or just container curious this workshop is for you. In this workshop, you will get hands-on with Kubernetes and container workloads, and the latest defensive technologies like eBPF - starting with introductory content - learning how they work, where and how to hide or find things, how to identify indicators of compromise, indicators of attack, and how to apply analysis to gain a deeper understanding of container malware and what is going on inside containers. This workshop will utilize the Google Cloud Platform alongside command line operands and a small amount of open source tooling to learn both offensive and defense techniques on containers. By the end, you’ll have a solid mental model of how Kubernetes works, how it is managed and workloads are deployed, and be equipped with the ability to analyze container images, identify problems, and identify familiar patterns. Ultimately, these skills will allow you to generate valuable insights for your organization’s defense or aid you in your next attack.

Presenters:

• Adrian Wood / threlfall - Dropbox Red Team   as threlfall
  Adrian Wood, aka threlfall, discovered a love for hacking from cracking and modding video games and from the encouragement of online friends. He has worked as a red team consultant for WHITEHACK, a company he founded, and later as a lead engineer for an offensive research team at a US bank, where he was very interested in appsec, container security, CI/CD security and also founded their bug bounty program. He currently works for Dropbox, working on their red team. In his free time, he enjoys playing saxophone, working on vintage cars, and fly-fishing.
• David Mitchell / digish0 - Red Teamer at FinTech   as digish0
  David Mitchell, aka digish0, started his hacking career as a script kiddie running 7th Sphere in mIRC in high school. Later falling in with some Linux/RedHat nerds at a local 2600 group at college while studying CS, etc. He got into Linux, started an IT career, later rediscovering his hacking script kiddie roots when a local hacker space opened up and shared members with a lockpicking group that worked in infosec as penetration testers, etc where he discovered he could get paid to do the things he liked doing in high school/college. He now works professionally as a red team member and cyber security researcher at a large financial institution. The rest of the time he spends being a dad/husband, tricking himself into exercising by doing Muay Thai or mountain biking, and listening to either very expensive or very cheap vinyl.

Links:

• https://cactuscon-12.sessionize.com/session/552350

Similar Presentations:

• Black Hat USA 2019 / A Compendium of Container Escapes
• DEF CON 30 (2022) / Creating and uncovering malicious containers. Workshop
• DEF CON 31 (2023) / Creating and uncovering malicious containers Redux Workshop