Aqua Blog

Security Threats

Detecting Drovorub's File Operations Hooking with Tracee

Detecting Drovorub's File Operations Hooking with Tracee

This blog was co-authored by Itamar MaoudaTwo years ago, the NSA (the United States' National Security Agency) revealed that Drovorub, an advanced Russian malware created by the GRU 85th GTsSS team, had been discovered targeting Linux systems. Drovorub works by introducing advanced techniques which can manipulate the …

Continue reading ›
Threat Alert: Cloud Network Bandwidth Now Stolen through Cryptojacking

Threat Alert: Cloud Network Bandwidth Now Stolen through Cryptojacking

This blog was co-authored by Asaf Eitani   

Threat actors are looking to increase their financial gain and thus deploy cryptominers which are considered easy to use and lucrative. Cryptomining involves complex calculations leading to high computation power and consequently increased CPU consumption and electricity (or …

Continue reading ›
Detecting and Capturing Kernel Modules with Tracee and eBPF

Detecting and Capturing Kernel Modules with Tracee and eBPF

Security practitioners often need to investigate malicious artifacts in their environments, which can be challenging if those are deleted or loaded from memory. This is increasingly the case as threat actors are weaponizing Linux kernel modules to perform and hide their attacks. In this blog, we look into kernel …

Continue reading ›
Node.js-DLL-hijacking-vulnerability

CVE-2022-32223 Discovery: DLL Hijacking via npm CLI

Aqua Team Nautilus recently discovered that all Node.js versions earlier than 16.16.0 (LTS) and 14.20.0 on Windows are vulnerable to dynamic link library (DLL) hijacking if OpenSSL is installed on the host. Attackers can exploit this vulnerability to escalate their privileges and establish persistence in a target …

Continue reading ›
8220 Gang Deploys a New Campaign with Upgraded Techniques

8220 Gang Deploys a New Campaign with Upgraded Techniques

A recent campaign by the 8220 gang, who have been known to exploit the newly discovered critical Confluence vulnerability (CVE-2022-26134), targeted one of our honeypots. This campaign has evolved over time to deliberately target containers. In this game of cat and mouse, the threat actors used some new techniques, …

Continue reading ›
GitHub Bug Allowed Third-party Apps to Gain Elevated Permissions

GitHub Bug Allowed Third-Party Apps to Gain Elevated Permissions

We learned about a bug in GitHub that for about five days at the end of February allowed third-party applications connected to GitHub to generate new scoped installation tokens with elevated permissions. For example, if you connected the Codecov app to your GitHub account with read-only access to your repositories, …

Continue reading ›
Public Travis CI Logs (Still) Expose Users to Cyber Attacks

Public Travis CI Logs (Still) Expose Users to Cyber Attacks

In our latest research, we at Team Nautilus found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access historical clear-text logs. More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other credentials …

Continue reading ›
Detecting and Analyzing an Apache Struts Exploit with Tracee

Detecting and Analyzing an Apache Struts Exploit with Tracee

When running third-party applications in your cloud environments, you inherently put your workloads at greater risk. This is especially the case when the third-party software exposes some API function to the public web. Apache Struts 2 is a popular open source cross-platform web application framework, used by many …

Continue reading ›
Package Planting: Are You [Unknowingly] Maintaining Poisoned Packages?

Package Planting: Are You [Unknowingly] Maintaining Poisoned Packages?

Aqua’s Team Nautilus found a logical flaw in npm that allows threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it. Up until recently, npm allowed adding anyone as a maintainer of the package without notifying these users or getting their consent. Since you …

Continue reading ›
2022 Cloud Native Threat Report: Key Trends in Cyber Attacks

2022 Cloud Native Threat Report: Key Trends in Cyber Attacks

As companies continue to adopt cloud native technologies at a rapid pace, an increasing number of cyber threats are targeting the cloud native environment. To defend against these threats, security practitioners must stay abreast of attackers’ evolving tactics, techniques, and procedures. For its 2022 Cloud Native …

Continue reading ›
Real-world Cyber Attacks Targeting Data Science Tools

Real-world Cyber Attacks Targeting Data Science Tools

With the accelerated move to the cloud, organizations increasingly rely on large data teams to make data-driven business decisions. In their job, data professionals are given high privileges and access to development and production environments. But what are the security threats that target data tools? And, more …

Continue reading ›

Subscribe to Email Updates

Popular Posts

Filter by Topic

Show more...