Keypoints
- Datadog showcased its Backdoors & Breaches expansion pack at DASH 2026 in the Security Zone.
- The expansion pack can be ordered online or used in a digital format for distributed teams.
- Datadog added four new starter scenarios based on active threat trends in the current landscape.
- One scenario covers a backdoored software supply chain leading to credential store compromise, exfiltration through resource snapshotting, and additional credential creation.
- Another scenario centers on a vibe-coded cloud application exposing secrets, followed by IAM policy abuse, cloud-based exfiltration, and a backdoored role trust policy.
- Additional scenarios include an AI web app vulnerable to prompt injection in Kubernetes and a compromised GitHub Action causing exposed credentials, HTTPS exfiltration, and a malicious service.
- The game now includes open-face play, detection tool screenshots, and consultant cards featuring SecurityHQ.
MITRE Techniques
- [T1195.002] Compromise Software Supply Chain – A third-party library was integrated into the build pipeline and later used for unauthorized activity, indicating supply chain compromise ["Your platform team recently integrated a popular third-party library into your build pipeline… long-lived API tokens are being used from unfamiliar environments"]
- [T1528] Steal Application Access Token – Long-lived API tokens were abused from unfamiliar environments after deployment ["long-lived API tokens are being used from unfamiliar environments"]
- [T1110] Brute Force – Not mentioned.
- [T1003] OS Credential Dumping – Credential store compromise was used as a pivot for escalation and further access ["Pivot and escalate: Credential store compromise"]
- [T1530] Data from Cloud Storage – Resources were snapshotted and used for exfiltration ["C2 and exfil: Snapshotting resources as exfil"]
- [T1098] Account Manipulation – Additional credential creation was used to maintain persistence ["Persistence: Additional credential creation"]
- [T1078.004] Cloud Accounts – Embedded secrets exposed cloud credentials, enabling unauthorized access from external sources ["exposing cloud credentials due to embedded secrets in client-side code"]
- [T1098.003] Additional Cloud Credentials – Privilege persistence was achieved by altering IAM-related trust and role policies ["Persistence: Backdoored role trust policy"]
- [T1484.001] Domain or Tenant Policy Modification – IAM policy abuse was used to escalate privileges in the cloud environment ["Pivot and escalate: Identity and access management (IAM) policy abuse"]
- [T1021.006] Cloud Service Dashboard – Data access and movement blended into normal cloud activity, indicating use of cloud services for exfiltration ["C2 and exfil: Living off the cloud as exfil"]
- [T1190] Exploit Public-Facing Application – A new AI web application vulnerable to prompt injection was compromised ["A new AI web application vulnerable to prompt injection is running in one of your Kubernetes clusters"]
- [T1611] Escape to Host – Not mentioned.
- [T1068] Exploitation for Privilege Escalation – Privilege changes across the Kubernetes cluster suggest escalation ["unusual service behavior and privilege changes across the cluster"]
- [T1090.003] Multi-hop Proxy – Outbound traffic was quietly routed through a trusted SaaS provider, functioning as a proxy/VPN channel ["outbound traffic that is quietly routing through a trusted SaaS provider"]
- [T1133] External Remote Services – The trusted SaaS provider was used as a tunneling path for C2 ["Software as a service (SaaS) tunneling virtual private network (VPN) as C2"]
- [T1552.001] Credentials in Files – Secrets were exposed in client-side code and later in storage locations ["exposing cloud credentials due to embedded secrets in client-side code", "identified exposed credentials in a storage location"]
- [T1053.007] Container and Resource Discovery – Not mentioned.
- [T1525] Implant Internal Image – A previously unseen service continued running after the pod was terminated, suggesting persistence via a malicious service ["a previously unseen service continues running in the environment"]
- [T1213] Data from Information Repositories – Exposed credentials were discovered in a storage bucket ["Credentials exposed in storage bucket"]
- [T1041] Exfiltration Over C2 Channel – Unusual outbound HTTPS traffic was used for exfiltration ["unusual outbound HTTPS traffic originating from systems that shouldn't be communicating externally"]
- [T1105] Ingress Tool Transfer â Not mentioned.
Indicators of Compromise
- [Organization/Project names] incident response game and training content – Backdoors & Breaches, Datadog, SecurityHQ
- [Platforms/Services] affected environments and attack surfaces – Kubernetes, GitHub Actions, cloud environment, SaaS provider
- [Credential artifacts] abused or exposed secrets – long-lived API tokens, cloud credentials, developer credentials
- [Storage locations] exposed or accessed for secrets and data – storage bucket, credential store
- [Traffic patterns] suspicious network activity – outbound HTTPS traffic, unusual API activity
- [Behavioral indicators] persistence and access anomalies – additional credential creation, malicious service, backdoored role trust policy
Read more: https://securitylabs.datadoghq.com/articles/backdoors-and-breaches-new-scenarios/