DEF CON Cloud Village and Black Hat USA: See New Unit 42 Cloud Research

Executive Summary

One of our major efforts in the Prisma Cloud Security Research team is improving cloud security for everyone. On an ongoing basis, we discover new threats targeting cloud environments and identify zero-day vulnerabilities in cloud infrastructure. We strictly follow responsible disclosure processes and publish our findings on the Unit 42 research blog. This August, our researchers will unveil their newest findings in three different talks at the DEF CON 29 Cloud Village and the Black Hat USA 2021 conference:

Aviv Sasson @ Black Hat USA 2021, Wednesday, August 4, 11:20 AM PDT

Yuval Avrahami @ DEF CON 29 Cloud Village, Friday, August 6, 2:05 PM PDT

Daniel Prizmant @ DEF CON 29 Cloud Village, Saturday, August 7, 10:45 AM PDT

Read on to get more information about what to expect during each of these talks. 


Findings on Cloud Infrastructure Security

Since 2020 and throughout this year, we have discovered significant vulnerabilities in cloud infrastructure, including security issues that directly impact the public cloud. For every finding we make, we follow responsible disclosure guidelines. While some of our research is still under embargo, we have been able to publish the issues that we reported and that have been successfully resolved.

At Black Hat USA 2020, Security Researcher Yuval Avrahami disclosed the findings of his security audit of Kata Containers, a container runtime that uses lightweight VMs to isolate workloads. Kata Containers can be used as the underlying runtime of container orchestration tools, such as Docker and Kubernetes, with the aim of improving workload isolation and benefiting from the security advantages of VMs. Some cloud providers rely on Kata's security to separate workloads in multi-tenant environments.

In his presentation, Yuval revealed a complete breakout of a Kata Container that would have allowed attackers to execute malicious code outside the VM on host machines running Kata. Prior to Black Hat, Yuval responsibly disclosed his findings to the Kata maintainers; the issues were fixed and assigned 4 CVEs. The full presentation slides can be found here.

At the upcoming DEF CON 29 Cloud Village, Yuval will reveal WhoC, a new research tool dedicated to researching CaaS (Containers-as-a-Service) platforms. The new tool runs as a container image that extracts the container runtime binary from its underlying host, enabling security researchers and engineers to better understand how their containers run on these platforms. WhoC provides visibility into CaaS offerings, making it easier to trust the security of environments that were notoriously hard to look into. We invite you to join Yuval to hear more about this on Friday, August 6th.

Earlier this year, Security Researcher Daniel Prizmant released his research on Siloscape, a new malware specifically targeting Windows Containers to compromise cloud instances. Prior to finding Siloscape, Daniel conducted lengthy reverse-engineering research into the internals of Windows Containers. In his publication last year, he revealed a complete breakout of Windows Containers.

At DEF CON 29 Cloud Village, Daniel will discuss the internals of Windows Containers and why container breakout is still a major threat when using cloud workloads based on Windows. In his presentation, Daniel will also elaborate on how Siloscape operates and what security measures can be taken to protect against it.


Container Honeypots Research

Since the beginning of 2020, Security Researcher Aviv Sasson has been closely monitoring attackers in the wild with our wide network of container honeypots. These honeypots are network entities that behave like real container instances and lure threat actors to use and expose their exploits and malware to us. Throughout this year, Aviv and Unit 42 researchers discovered a variety of malware samples operated by different threat groups, including Cetus and Pro-Ocean.

Aviv recently completed his research on a sample of 50 days of honeypot operation, and found that open container instances are attacked approximately every 90 minutes. In his Black Hat USA 2021 session, Aviv will present the summary of his findings and discuss the malware and groups we identified as well as their goals.


The Research Continues

Our goal to contribute to the cloud community and improve cloud security doesn’t end here. We are continuously conducting research to discover new vulnerabilities in cloud infrastructures and catch threat actors targeting the cloud, all while our researchers work closely with the Prisma Cloud product and development teams to build and enhance Prisma Cloud. We hope you’ll join us at the sessions described in this post, and invite you to learn more about how Prisma Cloud keeps organizations secure.