This week's news: CircleCI breach, Kinsing Kubernetes attacks, and more

Eric Gregory & John Jainschigg - January 13, 2023

Every other week, the Radio Cloud Native podcast explores the latest news on Kubernetes, the cloud native ecosystem, open source, and more.

This week, we discussed:

  • CircleCI recommends that users rotate secrets after apparent breach

  • Kinsing Kubernetes attacks

  • Recursive container security

  • And more on the podcast

You can listen to this week's podcast or subscribe on Apple Podcasts, Spotify, or wherever you get your podcasts. If you'd like to tune into the next show live, follow Mirantis on LinkedIn to receive our announcement of the next broadcast.

CircleCI recommends that users rotate secrets after apparent breach

Eric: CircleCI issued a security alert disclosing that they were investigating a security incident and that, out of an abundance of caution, users should “immediately rotate any and all secrets stored in CircleCI,” as well as review internal logs for anything fishy.

In the following days, they went on to automatically rotate all customers’ GitHub OAuth tokens, while Bitbucket OAuth tokens were expired and GitLab users were recommended to rotate everything manually.

The original incident report stated, “At this point, we are confident that there are no unauthorized actors active in our systems.” It goes on to suggest that customers review internal logs from December 21 through January 4. If you’re a CircleCI user and you just got back from vacation, you should probably run and rotate all the things and then head over to the CircleCI blog to read more.

Kinsing Kubernetes attacks

Eric: The security woes don’t end there, unfortunately. Microsoft security researchers reported new attack patterns from the Kinsing crypto-mining malware, which they’ve observed targeting Kubernetes clusters and container environments. The malware has historically been used to attack Linux environments.

Some common vulnerable images include PHPUnit, Liferay, WebLogic, and WordPress. Particularly frequently, these attacks are targeting misconfigured PostgreSQL containers. If Postgres uses the “trust authentication” setting, anyone who can connect to the database server can log in freely. You can use trust authentication with a limited range of acceptable IPs, but a lot of instances don’t. So that can enable an attacker to get into the database, and from there they can potentially execute code or make other use of the contents and escalate their access within the cluster.

If you want to check your work on Postgres security, head over to the project’s security page.

For other vulnerable images, the report makes the following recommendations:

  • The first thing to note when deploying an image to the container is that it is an image from a known registry and it is patched with the latest version.

  • Also, scan all images for vulnerabilities to identify which ones are vulnerable and what the vulnerabilities are, especially the ones that are used in exposed containers.

  • It is also possible to mitigate the risk by minimizing access to the container, assigning access to specific IPs and applying the least privileges rule to the user.

If you want to read the full security report, you can find it here.
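The Postgres point above (trust authentication, usually combined with no address restriction) is something you can check mechanically, because it lives in one file: pg_hba.conf. The script below is an added example written for this page; it is not code from the podcast, from Microsoft's report, or from the PostgreSQL project. It parses the host-based authentication file, flags `trust` entries by how wide their address field is, and also notes cleartext `password` and older `md5` entries. The two configs it runs over are constructed samples (a weak one of the kind Kinsing looks for, beside a hardened counterpart), and the thresholds for what counts as a "narrow" network are assumptions to tune for your environment.

```python
"""Audit a PostgreSQL pg_hba.conf for entries that weaken or remove authentication.

Added example, not from the podcast or Microsoft's report. The two sample
configs are constructed; NARROW_PREFIX and the severity mapping are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Auth methods pg_hba.conf knows. Used to tell the two-token "IP netmask"
# address form apart from the one-token "IP/prefix" form while parsing.
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
           "ident", "peer", "pam", "ldap", "radius", "cert", "bsd"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumption: a trust rule scoped to /24 (v4) or /64 (v6) or tighter is "narrow".
NARROW_PREFIX = {4: 24, 6: 64}


@dataclass
class Finding:
    line_no: int
    conn_type: str
    database: str
    user: str
    address: Optional[str]   # None for 'local' (Unix-socket) entries
    method: str
    severity: str
    reason: str


def parse_hba(text):
    """Return active entries as (line_no, type, database, user, address, method).

    An "IP netmask" address is folded into "IP/netmask", which ipaddress accepts.
    Comments, blank lines, include directives and malformed lines are skipped.
    """
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        ctype = fields[0]
        if ctype == "local" and len(fields) >= 4:
            entries.append((n, ctype, fields[1], fields[2], None, fields[3]))
        elif ctype in HOST_TYPES and len(fields) >= 5:
            address, rest = fields[3], fields[4:]
            if "/" not in address and rest[0] not in METHODS and len(rest) >= 2:
                address, rest = f"{address}/{rest[0]}", rest[1:]
            entries.append((n, ctype, fields[1], fields[2], address, rest[0]))
    return entries


def address_scope(address):
    """Classify how much of the network a host entry's ADDRESS field admits."""
    if address == "all":
        return "any"
    if address == "samehost":
        return "loopback"
    if address == "samenet":
        return "wide"          # every host on any subnet the server sits on
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return "hostname"      # DNS name or suffix pattern; reachable set unknown
    if net.prefixlen == 0:
        return "any"
    if net.num_addresses == 1 and net.network_address.is_loopback:
        return "loopback"
    return "narrow" if net.prefixlen >= NARROW_PREFIX[net.version] else "wide"


def audit(text):
    """Return Findings, worst first, for entries that let clients in too easily."""
    findings = []
    for n, ctype, db, user, address, method in parse_hba(text):
        if method == "trust":
            if ctype == "local":
                sev = "high"
                why = "any local OS user (every process in the container) logs in with no credentials"
            else:
                scope = address_scope(address)
                sev = {"any": "critical", "wide": "critical", "hostname": "high",
                       "narrow": "high", "loopback": "medium"}[scope]
                why = f"no credentials required from {address} ({scope} scope)"
        elif method == "password" and ctype != "hostssl":
            sev, why = "medium", "cleartext password and the entry does not force TLS"
        elif method == "md5":
            sev, why = "low", "md5 is the older, weaker challenge-response; prefer scram-sha-256"
        else:
            continue
        findings.append(Finding(n, ctype, db, user, address, method, sev, why))
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f.severity])


def worst_severity(findings):
    """Highest severity present, or None when the file is clean."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default=None)


# Constructed sample of the misconfiguration discussed above: trust with no
# address restriction, plus a loopback trust rule and a netmask-form md5 rule.
WEAK_HBA = """\
# TYPE  DATABASE  USER  ADDRESS              METHOD
local   all       all                        trust
host    all       all   127.0.0.1/32         trust
host    all       all   0.0.0.0/0            trust
host    all       all   ::/0                 trust
host    all       app   10.0.0.0 255.0.0.0   md5
"""

# Constructed hardened counterpart: peer auth on the socket, SCRAM over TLS from
# the application subnet only, and an explicit reject for everything else.
HARDENED_HBA = """\
local   all       postgres                   peer
hostssl all       app   10.42.7.0/24         scram-sha-256
host    all       all   0.0.0.0/0            reject
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        found = audit(cfg)
        print(f"{name}: worst={worst_severity(found)}")
        for f in found:
            print(f"  line {f.line_no}: {f.conn_type} {f.database} {f.user} "
                  f"{f.address or '(socket)'} {f.method} [{f.severity}] {f.reason}")
```

Run it against a copy of the file from a running container (`kubectl exec <pod> -- cat /var/lib/postgresql/data/pg_hba.conf`, path varying by image) and treat any `critical` result as an exposed database. Note that `hostssl ... scram-sha-256` from a narrow CIDR only limits who can attempt a login; it does not remove the need for network policy in front of the pod, which is the "assign access to specific IPs" recommendation above.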

Recursive container security

John: With all the news about supply chain vulnerabilities, we’re seeing more stories that give us the opportunity to make superficial jokes about (Docker) containers and (shipping) containers. On Christmas Day, the port of Lisbon was hit by a ransomware attack by the LockBit cartel, involving bulk data exfiltration of financial reports, audits, budgets, contracts, ships’ logs, and other valuable information – potentially usable for anything from market manipulation to targeting terrorist attacks.

Now, the Norwegian SaaS and application software provider DNV has apparently been hit by a new attack that has forced them to keep their online service offline since 7 January. The on-ship components of their ShipManager marine fleet management and ship management system are still working. The software and associated services are used by about 300 customers on about 7000 vessels, and its various modules help with planned maintenance, safety management systems, crew management, repair, hull integrity management, shipping procurement, and provide data analytics enabling ship owners to run lean while remaining safe and compliant with the numerous regulatory regimes under which they operate.

Check out the podcast for more of this week's stories.