Jan 17, 2024The Hacker NewsCyber Threat / Live Webinar

In the digital age, the battleground for security professionals is not only evolving, it’s expanding at an alarming rate. The upcoming webinar, “The Art of Privilege Escalation – How Hackers Become Admins,” offers an unmissable opportunity for IT security experts to stay ahead in this relentless cyber war.

Privilege escalation – the term might sound benign, but in the hands of a skilled hacker, it’s a devastating tactic. It’s a method where cyber attackers, starting as standard users, clandestinely climb the ladder of access, eventually gaining root-level control.

This isn’t just a breach; it’s a systematic takeover of your entire network. Picture a scenario where cybercriminals roam freely through your network, turning your layers of defense into mere spectators. It’s a chilling thought, but it’s a reality faced by organizations across the globe.

What if you could anticipate and counter these threats? Expertly delivered by Joseph Carson, Chief Security Scientist (CSS) & Advisory CISO at Delinea, this webinar aims to turn the tables on cyber attackers.

• Unlock the Enemy’s Playbook: Delve into the mind of a cyber attacker. Learn how they escalate privileges from regular user accounts to dominant administrative controls. Understanding their tactics is the first step in crafting an effective defense strategy.
• Tool Mastery: It’s not enough to know the threat; you must be equipped to counter it. Our webinar showcases advanced tools specifically designed to detect and thwart privilege escalation attempts. Get hands-on experience and learn from the masters of cybersecurity.
• Craft Robust Strategies: Knowledge and tools are potent, but without a solid strategy, they’re like unguided missiles. Our session focuses on developing robust, layered defense strategies that protect your network against escalated access risks.

It’s not just a webinar; it’s your step towards transforming your approach to digital security. Take advantage of this chance to be at the forefront of cybersecurity defense.

See you there!

Dec 28, 2023NewsroomCloud Security / Data Protection

Google Cloud has addressed a medium-severity security flaw in its platform that could be abused by an attacker who already has access to a Kubernetes cluster to escalate their privileges.

“An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster,” the company said as part of an advisory released on December 14, 2023.

Palo Alto Networks Unit 42, which discovered and reported the shortcoming, said adversaries could weaponize it to carry out “data theft, deploy malicious pods, and disrupt the cluster’s operations.”

There is no evidence that the issue has been exploited in the wild. It has been addressed in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) –

• 1.25.16-gke.1020000
• 1.26.10-gke.1235000
• 1.27.7-gke.1293000
• 1.28.4-gke.1083000

• 1.17.8-asm.8
• 1.18.6-asm.2
• 1.19.5-asm.4

A key prerequisite to successfully exploiting the vulnerability hinges on an attacker having already compromised a FluentBit container by some other initial access methods, such as via a remote code execution flaw.

“GKE uses Fluent Bit to process logs for workloads running on clusters,” Google elaborated. “Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node.”

This meant that a threat actor could use this access to gain privileged access to a Kubernetes cluster that has ASM enabled and then subsequently use ASM’s service account token to escalate their privileges by creating a new pod with cluster-admin privileges.

“The clusterrole-aggregation-controller (CRAC) service account is probably the leading candidate, as it can add arbitrary permissions to existing cluster roles,” security researcher Shaul Ben Hai said. “The attacker can update the cluster role bound to CRAC to possess all privileges.”

By way of fixes, Google has removed Fluent Bit’s access to the service account tokens and re-architected the functionality of ASM to remove excessive role-based access control (RBAC) permissions.

“Cloud vendors automatically create system pods when your cluster is launched,” Ben Hai concluded. “They are built in your Kubernetes infrastructure, the same as add-on pods that have been created when you enable a feature.”

“This is because cloud or application vendors typically create and manage them, and the user has no control over their configuration or permissions. This can also be extremely risky since these pods run with elevated privileges.”