Short Summary:

The Sysdig Threat Research Team uncovered a global operation named EMERALDWHALE, which targeted exposed Git configurations, resulting in the theft of over 15,000 cloud service credentials. The attackers exploited misconfigured web services to steal credentials, clone private repositories, and extract sensitive data. The stolen credentials, valuable for phishing and spam campaigns, were stored in an S3 bucket belonging to a previous victim.…
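The crawler described above profits from two things at once: a web root that serves the repository's `.git/config`, and remote URLs inside that config that carry a username and token. The following is an added example (not Sysdig's code and not EMERALDWHALE tooling) that audits git config text for embedded credentials, redacts them, and recognises a git config in an HTTP response body so you can check your own hosts. The sample config and token are constructed.

```python
"""Audit git config text for credentials embedded in remote URLs.

Added example, not Sysdig's code. The parser is hand-rolled because git's
INI-like format indents keys with tabs and repeats keys, which configparser
misreads as continuation lines.
"""
import re
from urllib.parse import urlsplit, urlunsplit

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[\w.-]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_git_config(text):
    """Return (section, key, value) triples from git-config text."""
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            entries.append((section, m.group("key"), m.group("value")))
    return entries


def find_embedded_credentials(text):
    """List every remote URL whose userinfo part carries a username or token."""
    findings = []
    for section, key, value in parse_git_config(text):
        if key.lower() != "url":
            continue
        parts = urlsplit(value)
        # scp-style URLs (git@host:path) have no scheme and no userinfo, so
        # urlsplit yields no username/password and they are skipped here
        if parts.username is None and parts.password is None:
            continue
        findings.append({
            "section": section,
            "host": parts.hostname,
            "username": parts.username,
            "password": parts.password,
        })
    return findings


def redact_url(url):
    """Rebuild the URL without its userinfo, keeping host and port."""
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


def looks_like_git_config(body):
    """True if an HTTP response body is a git config rather than an error page."""
    return any(section == "core" and key == "repositoryformatversion"
               for section, key, _ in parse_git_config(body))


# Constructed sample .git/config (not a real repository or token)
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploy:ghp_EXAMPLETOKEN0000@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example.com:example-org/app.git
"""

if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_CONFIG):
        print(f'[{hit["section"]}] {hit["username"]}@{hit["host"]}: token present')
        print("  redacted:", redact_url(
            f'https://{hit["username"]}:{hit["password"]}@{hit["host"]}/'))
```

To use it against your own estate, fetch `/.git/config` from each web host and pass the body to `looks_like_git_config`; any hit means the whole repository, and every token in it, is downloadable. Tokens found by `find_embedded_credentials` should be rotated, not just redacted, because a crawler may already have them.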

Short Summary:

The Sysdig 2024 Global Threat Year-in-Review report highlights the rapid evolution of cloud attacks, emphasizing the financial and operational impacts on organizations. Key findings include the swift execution of attacks, the rise of automated resource exploitation, and the increasing use of open-source tools for malicious purposes.…


Short Summary:

AWS has expanded its AWSCompromisedKeyQuarantine policies to include new actions aimed at preventing the misuse of compromised access keys. This proactive measure is designed to restrict certain actions that have been abused by attackers, particularly in light of recent threat reports. The changes, which include the addition of approximately 29 new restricted actions, highlight AWS’s ongoing efforts to enhance security and protect user credentials.…


Short Summary:

Vulnerabilities in the Common Unix Printing System (CUPS) allow remote attackers to exploit the “cups-browsed” process, potentially executing arbitrary commands on affected systems. Four CVEs have been identified, with three rated High and one Critical, necessitating immediate attention and patching to mitigate risks.

Key Points:

Vulnerabilities in CUPS allow remote command execution.…
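The exposed process is cups-browsed, and what exposes it is its configuration: the `BrowseRemoteProtocols` directive in `/etc/cups/cups-browsed.conf` decides whether it listens for printer announcements from the network at all, and `BrowseRemoteProtocols none` (or stopping the service) is the usual mitigation while patches roll out. The following is an added example, not Sysdig's or the CUPS project's code, that evaluates that file the way cups-browsed does (last directive wins, `BrowseProtocols` sets both local and remote lists) and reports whether the network listener would be active. The sample config snippets are constructed.

```python
"""Decide from cups-browsed.conf text whether cups-browsed accepts
printer announcements from the network.

Added example, not Sysdig's or the CUPS project's code.
"""
import re

# Documented default when the directive is absent: browse via DNS-SD and
# the legacy CUPS browsing protocol. The latter is the one that makes
# cups-browsed bind UDP/631 and act on unsolicited packets.
DEFAULT_REMOTE_PROTOCOLS = frozenset({"dnssd", "cups"})

DIRECTIVE_RE = re.compile(
    r"^\s*(?P<name>BrowseRemoteProtocols|BrowseProtocols)\s+(?P<values>.*?)\s*$",
    re.IGNORECASE,
)


def remote_browse_protocols(conf_text):
    """Return the set of protocols cups-browsed uses to discover remote printers.

    BrowseProtocols sets both the local and remote lists, so it is honoured
    here too; the last matching directive in the file wins, and a value of
    "none" empties the list.
    """
    protocols = set(DEFAULT_REMOTE_PROTOCOLS)
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments, including commented-out defaults
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        values = {v.lower() for v in m.group("values").split()}
        values.discard("none")
        protocols = values
    return protocols


def accepts_network_announcements(conf_text):
    """True if the legacy CUPS browsing listener (UDP/631) would be active."""
    return "cups" in remote_browse_protocols(conf_text)


# Constructed samples: a stock file with the directive left commented out,
# and the hardened form.
STOCK_CONF = "# BrowseRemoteProtocols dnssd cups\n"
HARDENED_CONF = "BrowseRemoteProtocols none\n"

if __name__ == "__main__":
    for label, conf in (("stock", STOCK_CONF), ("hardened", HARDENED_CONF)):
        print(label, sorted(remote_browse_protocols(conf)),
              "EXPOSED" if accepts_network_announcements(conf) else "ok")
```

The config check is only half of the picture: a host with a hardened file but a still-running, not-yet-reloaded cups-browsed is still listening, so pair it with `systemctl is-active cups-browsed` and a look at UDP/631 in `ss -lun` on each host.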
Short Summary:

The article discusses the rise of LLMjacking, where attackers exploit compromised credentials to access and misuse large language models (LLMs). It highlights the increasing frequency of attacks, the financial implications for victims, and the evolution of tactics used by attackers. The article also emphasizes the need for organizations to enhance their security measures to prevent unauthorized access to LLMs.…
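Because the attacker in an LLMjacking case holds a valid key, the signal is behavioural rather than an authentication failure. Two patterns stand out in CloudTrail: a burst of `InvokeModel` calls that are denied while the attacker probes which models the account can reach, and model invocations from networks the key never used before. The following is an added example, not Sysdig's code, that scores both patterns over Bedrock CloudTrail records; the trusted network range, the sample events and the access key IDs (AWS documentation placeholders) are constructed.

```python
"""Flag LLMjacking-style use of a cloud credential from CloudTrail records.

Added example, not Sysdig's code. Scores model-availability probing
(repeated denied InvokeModel calls) and invocations from untrusted networks.
"""
import ipaddress
from collections import defaultdict

# Assumption: the organisation's legitimate callers egress from this range
TRUSTED_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),)
INVOKE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream"}


def _from_trusted_network(source, trusted):
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        # CloudTrail puts a service DNS name here for calls made by AWS itself
        return True
    return any(addr in net for net in trusted)


def analyze_bedrock_events(events, trusted=TRUSTED_NETWORKS, probe_threshold=3):
    """Return one finding per access key whose Bedrock usage looks hijacked."""
    per_key = defaultdict(lambda: {"ok": 0, "denied": 0, "models": set(),
                                   "untrusted_ips": set()})
    for ev in events:
        if ev.get("eventSource") != "bedrock.amazonaws.com":
            continue
        if ev.get("eventName") not in INVOKE_EVENTS:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        stats = per_key[key]
        model = ev.get("requestParameters", {}).get("modelId")
        if model:
            stats["models"].add(model)
        if ev.get("errorCode"):
            stats["denied"] += 1
        else:
            stats["ok"] += 1
        source = ev.get("sourceIPAddress", "")
        if not _from_trusted_network(source, trusted):
            stats["untrusted_ips"].add(source)

    findings = []
    for key, s in sorted(per_key.items()):
        reasons = []
        if s["denied"] >= probe_threshold:
            reasons.append(f'{s["denied"]} denied invocations across '
                           f'{len(s["models"])} models (availability probing)')
        if s["untrusted_ips"]:
            reasons.append("invocations from " + ", ".join(sorted(s["untrusted_ips"])))
        if reasons:
            findings.append({"accessKeyId": key, "invocations": s["ok"],
                             "reasons": reasons})
    return findings


def _event(key, ip, model, error=None):
    """Build a minimal CloudTrail record (constructed sample data)."""
    rec = {
        "eventSource": "bedrock.amazonaws.com",
        "eventName": "InvokeModel",
        "userIdentity": {"accessKeyId": key},
        "sourceIPAddress": ip,
        "requestParameters": {"modelId": model},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: one legitimate call from the corporate range, then a
# second key probing three models from a TEST-NET address before succeeding.
SAMPLE_EVENTS = [
    _event("AKIAIOSFODNN7EXAMPLE", "10.20.30.40", "anthropic.claude-3-sonnet-20240229-v1:0"),
    _event("AKIAI44QH8DHBEXAMPLE", "203.0.113.7", "anthropic.claude-v2", "AccessDeniedException"),
    _event("AKIAI44QH8DHBEXAMPLE", "203.0.113.7", "amazon.titan-text-express-v1", "AccessDeniedException"),
    _event("AKIAI44QH8DHBEXAMPLE", "203.0.113.7", "meta.llama2-13b-chat-v1", "AccessDeniedException"),
    _event("AKIAI44QH8DHBEXAMPLE", "203.0.113.7", "anthropic.claude-3-sonnet-20240229-v1:0"),
]

if __name__ == "__main__":
    for finding in analyze_bedrock_events(SAMPLE_EVENTS):
        print(finding["accessKeyId"], finding["invocations"], finding["reasons"])
```

The denied-call threshold matters: a legitimate application that was never granted a model produces one or two denials and then gets fixed, whereas a stolen key is walked across every model the attacker's proxy supports. Bedrock model invocation logging is off by default, so enable it if you also want prompt contents for the incident.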

The Sysdig Threat Research Team (TRT) is on a mission to help secure innovation at cloud speeds.

A group of some of the industry’s most elite threat researchers, the Sysdig TRT discovers and educates on the latest cloud-native security threats, vulnerabilities, and attack patterns.

We are fiercely passionate about security and committed to the cause.…


In March 2024, the Sysdig Threat Research Team (TRT) began observing attacks against one of our Hadoop honeypot services from the domain “rebirthltd[.]com.” Upon investigation, we discovered that the domain belongs to a mature and increasingly popular DDoS-as-a-Service botnet. The service is based on the Mirai malware family, and the operators advertise it through Telegram and an online store (rebirthltd.mysellix[.]io).…


This is part two in our series on building honeypots with Falco, vcluster, and other assorted open source tools. For the previous installment, see Building honeypots with vcluster and Falco: Episode I.

When Last We Left our Heroes

In the previous article, we discussed high-interaction honeypots and used vcluster to build an intentionally-vulnerable SSH server inside of its own cluster so it couldn’t hurt anything else in the environment when it got owned.…


The Sysdig Threat Research Team (TRT) discovered a malicious campaign using the blockchain-based Meson service to reap rewards ahead of the crypto token unlock happening around March 15th. Within minutes, the attacker attempted to create 6,000 Meson Network nodes using a compromised cloud account. The Meson Network is a decentralized content delivery network (CDN) that operates in Web3 by establishing a streamlined bandwidth marketplace through a blockchain protocol.…


Public cloud infrastructure is, by now, the default approach to both spinning up a new venture from scratch and rapidly scaling your business. From a security perspective, this is a brand new (well, by now more than a decade old) attack surface. “Attack surface” is a commonly used term that denotes the aggregate of your exploitable IT estate, or all of the different pathways a hacker might be able to use to gain access to your systems, steal your data, or otherwise harm your business.…


On Oct. 11, a new version of curl (8.4.0) was released that fixed two vulnerabilities (CVE-2023-38545 with severity HIGH and CVE-2023-38546 with severity LOW). These issues had been announced in advance in the project’s discussion. At the time of this blog, several proofs of concept have been released for CVE-2023-38545 that result in crashes, but not exploitation.…
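Two questions decide whether a fleet needs emergency action for these CVEs: is the installed libcurl inside the affected range, and does any transfer actually reach the vulnerable code? The following is an added example (not the curl project's code) that answers both. The affected ranges are taken from the curl advisories: CVE-2023-38545 affects libcurl 7.69.0 through 8.3.0 and needs a SOCKS5 proxy that resolves names (`socks5h://`) together with a hostname longer than 255 bytes; CVE-2023-38546 affects 7.9.1 through 8.3.0. The `curl --version` line used as input is constructed.

```python
"""Classify a libcurl version and a transfer against the CVEs fixed in 8.4.0.

Added example, not the curl project's code.
"""
import re
from urllib.parse import urlsplit

# Affected ranges as published in the curl advisories (inclusive)
AFFECTED = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),   # SOCKS5 heap buffer overflow
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),    # cookie injection with none file
}

VERSION_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")


def libcurl_version(curl_version_output):
    """Parse the libcurl version triple out of `curl --version` output.

    The libcurl token is used rather than the leading `curl x.y.z` because
    the library is what other binaries on the host link against.
    """
    m = VERSION_RE.search(curl_version_output)
    if not m:
        raise ValueError("no libcurl version string found")
    return tuple(int(x) for x in m.groups())


def applicable_cves(version):
    """CVEs whose affected range contains this libcurl version."""
    return sorted(cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi)


def reaches_socks5_overflow(proxy_url, target_hostname):
    """True only for the CVE-2023-38545 trigger condition.

    The bug needs the proxy to resolve names (socks5h://) and a hostname
    longer than 255 bytes (plus a slow proxy handshake at runtime), which is
    why a plain socks5:// proxy or a normal-length hostname never reaches
    it even on a vulnerable version.
    """
    scheme = urlsplit(proxy_url).scheme.lower()
    return scheme == "socks5h" and len(target_hostname.encode()) > 255


# Constructed sample of the first line printed by `curl --version`
SAMPLE_VERSION = "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.11"

if __name__ == "__main__":
    ver = libcurl_version(SAMPLE_VERSION)
    print(".".join(map(str, ver)), applicable_cves(ver))
    print("overflow path:", reaches_socks5_overflow("socks5h://127.0.0.1:1080", "a" * 300))
```

In practice, run `curl --version` (or `ldd` on the binaries that matter) on each host and feed the output to `libcurl_version`; the second check is useful for triage because an application that never sets a `socks5h://` proxy (or the equivalent `CURLPROXY_SOCKS5_HOSTNAME` option) cannot hit CVE-2023-38545 regardless of what a crash-only proof of concept shows.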
