“WireServing” Up Credentials: Escalating Privileges in Azure Kubernetes Services

Mandiant disclosed a privilege escalation vulnerability in Microsoft Azure Kubernetes Services (AKS) that enabled attackers to obtain credentials and other sensitive information from a cluster. Microsoft has fixed the issue and emphasized hardened configurations and NetworkPolicies to prevent exploitation. #AKS #WireServer

Keypoints

  • Vulnerability disclosure: Mandiant reported the vulnerability to Microsoft, which has since been fixed.
  • Attack vector: An attacker could exploit the vulnerability to escalate privileges and access credentials within the AKS cluster.
  • Security configurations: Proper authentication, NetworkPolicies, and workload restrictions are essential for securing Kubernetes clusters.
  • Metadata server risks: Access to the metadata server and WireServer endpoints from a workload can lead to credential theft if that access is not restricted.
  • Bootstrapping challenges: The process of securely bootstrapping Kubernetes nodes poses significant security challenges.
  • Mitigation strategies: Implementing restrictive NetworkPolicies can prevent unauthorized access and exploitation.
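The mitigation named in the last keypoint, as an added example that is not from the Mandiant post or from Microsoft: a Kubernetes NetworkPolicy that permits all egress from pods in a namespace except to the two link-local addresses listed under Indicators of Compromise. The namespace name is an assumption; the empty podSelector is a deliberate choice to cover every pod in that namespace.

```yaml
# Added example (not from the original post). Assumes a namespace named
# "workloads" (hypothetical) whose pods have no legitimate need to reach
# the Azure Instance Metadata Service or the WireServer.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-metadata-and-wireserver
  namespace: workloads
spec:
  # Empty selector: the policy applies to every pod in the namespace.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # Allow all other egress (cluster DNS, in-cluster services, internet)
    # while carving out the two link-local endpoints named on this page.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32   # Azure Instance Metadata Service
              - 168.63.129.16/32     # WireServer
```

NetworkPolicy objects are only enforced when the cluster runs a network policy engine (on AKS: Azure Network Policy Manager, Calico, or Cilium); without one the object is accepted but has no effect, so verify enforcement by confirming that a connection from a pod in the namespace to either address times out. Pods that do legitimately need the metadata service should be kept out of the policy with a narrower podSelector rather than by removing the `except` entries.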

MITRE Techniques

  • [T1003] Credential Dumping – ‘Attackers may attempt to extract sensitive credentials from compromised services or applications.’
  • [T1068] Privilege Escalation – ‘Exploiting vulnerabilities to gain elevated access to resources that are normally protected from user access.’
  • [T1134] Access Token Manipulation – ‘Manipulating access tokens to gain unauthorized access to resources.’
  • [T1071] Application Layer Protocol – ‘Using application layer protocols to communicate with command and control servers or to exfiltrate data.’

Indicators of Compromise

  • [IP] Metadata server / WireServer endpoints – 169.254.169.254, 168.63.129.16
  • [URL] Endpoints used for credential provisioning and retrieval – http://169.254.169.254/machine/?comp=goalstate, http://168.63.129.16:32526/vmSettings
  • [File Name] Wireserver.key, protected_settings.bin – key material and encrypted provisioning data used during node configuration

Read more: https://cloud.google.com/blog/topics/threat-intelligence/escalating-privileges-azure-kubernetes-services/