In November last year, Google already increased the size of payments: then the company tripled rewards for exploits for previously unknown bugs in the Linux kernel. The idea was that people would be able to discover new ways to exploit the kernel, in particular related to Kubernetes running in the cloud. Then the researchers were asked to compromise the Google kCTF (Kubernetes Capture The Flag) cluster and get a “flag” in the context of the competition.

NOTE: Let me remind you that we wrote that Apple paid $100,000 for macOS camera and microphone hack, and also that Zerodium offers up to $400,000 for exploits for Microsoft Outlook.

Google reports that the bug-finding program has been a success, receiving nine reports in three months and disbursing more than $175,000 to researchers. During this time, five 0-day vulnerabilities and two exploits for fresh 1-day bugs were discovered. According to Google, thanks to the bug bounty, three of these issues have already been fixed and detailed, including CVE-2021-4154, CVE-2021-22600 (patch), and CVE-2022-0185 (report).

As a result, the program will be extended until at least the end of 2022, and will also undergo a number of changes. Whereas in November it was decided that experts would receive a reward of up to $50,337 for critical vulnerabilities (depending on the severity of the problem), the maximum reward has now been increased to $91,337.

The sum of payments depends on several factors: whether the problem found is a 0-day vulnerability, whether it requires unprivileged user namespaces, whether it uses some new methods of exploitation. Each of these points comes with a bonus of $20,000, which ultimately raises the payout for a working exploit to $91,337.

The post Google Offers up to $91,000 for Linux Kernel Vulnerabilities appeared first on Gridinsoft Blog.

Criminals use them to deploy malicious containers that mine Monero and Ethereum cryptocurrencies.

Researchers say the attacks appear to be a continuation of a campaign that was discovered last April. Although that campaign peaked in June and then dwindled, new attacks began in late May 2021 when researchers noticed a sudden increase in deployments of the open source machine learning library TensorFlow, adapted for mining.

In this case, deployments in different clusters occurred simultaneously.

Although the pods used by the hackers were taken from the official Docker Hub repository, they were modified to mine cryptocurrency. At the same time, all pods are named according to the sequential-pipeline-{random pattern} pattern, which now makes it quite easy to detect possible compromises.

According to the company, in order to gain access to clusters and deploy miners to them, attackers search the network for incorrectly configured and publicly available Kubeflow dashboards that should be open only for local access.

Attackers deploy at least two separate modules on each of the compromised clusters: one for CPU mining and the other for GPU mining. So, XMRig is used to mine Monero using a CPU, and Ethminer is used to mine Ethereum on a GPU.

Microsoft recommends that administrators always enable authentication on Kubeflow dashboards if they cannot be isolated from the internet and control their environments (containers, images, and the processes they run).

Let me remind you that I wrote that Microsoft developed a SimuLand lab environment for simulating cyberattacks.

The post Microsoft warns of mining attacks on Kubernetes clusters appeared first on Gridinsoft Blog.

The TeamTNT group has been active since at least April 2020 and started with attacks on incorrectly configured Docker installations, infecting them with miners and bots for DDoS attacks.

Then it became known that the hackers slightly changed their tactics: they began to attack Kubernetes, and also began to search for credentials from Amazon Web Services on the infected servers and steal them.

In addition, there have now been recorded cases of hackers posting malicious images to the Docker Hub, and researchers have discovered that the group is using the Weave Scope tool in their attacks, designed to visualize and monitor cloud infrastructure.

It is also known that TeamTNT comes with a worm component that turns every infected server into a new botnet host and forces it to scan the network for new potential victims; steals SSH credentials and can be used for DDoS attacks (although this feature has not yet been used by hackers).

As a result, grouping is one of the main threats to cloud environments today.

The rich functionality is now paying off for TeamTNT authors, Trend Micro now reports. As mentioned above, according to analysts’ estimates, in just three months, mining malware successfully compromised more than 50,000 systems.

Most of the victims are systems hosted by Chinese cloud providers. This data correlates well with the statistics of the Lacework company, published in early 2021.

Let me remind you that I also talked about the fact that Microsoft warns of the growing number of cyberattacks using web shells.

The post TeamTNT mining botnet infected over 50,000 systems in three months appeared first on Gridinsoft Blog.