{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/httpproxy/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OpenCanary"],"_cs_severities":["high"],"_cs_tags":["opencanary","honeypot","httpproxy","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Security Onion Solutions"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting malicious attempts to use an OpenCanary node as an HTTP proxy. OpenCanary is a low-interaction honeypot designed to detect intruders on a network. An attacker attempting to use an OpenCanary node as an HTTP proxy is a strong indicator of reconnaissance or lateral movement, as they are attempting to route their traffic through the honeypot. This activity is logged by OpenCanary and can be detected with appropriate monitoring. The default configuration of OpenCanary includes an HTTPPROXY service that listens for proxy requests. Defenders should monitor OpenCanary logs for event ID 7001, which indicates an attempted HTTP proxy login.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a network (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker performs network reconnaissance to identify potential targets, including the OpenCanary node.\u003c/li\u003e\n\u003cli\u003eAttacker attempts to configure their system or tools to use the OpenCanary node as an HTTP proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker sends HTTP requests through the configured proxy, attempting to reach other systems on the network.\u003c/li\u003e\n\u003cli\u003eOpenCanary logs the attempted proxy connection with event ID 7001.\u003c/li\u003e\n\u003cli\u003eThe defender detects the suspicious HTTP proxy attempt in the OpenCanary logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful HTTP proxy attempt indicates that an attacker is actively exploring the network and attempting to move laterally. This could lead to further compromise of sensitive systems and data exfiltration. While the OpenCanary node itself is a honeypot and not a production asset, the detection of proxy attempts signals a breach and ongoing malicious activity within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eOpenCanary HTTPPROXY Login Attempt\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized proxy attempts on OpenCanary nodes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the source and target of the attempted proxy connection.\u003c/li\u003e\n\u003cli\u003eReview OpenCanary configuration to ensure that the HTTPPROXY service is properly configured and secured.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential lateral movement by attackers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T18:22:34Z","date_published":"2024-10-26T18:22:34Z","id":"/briefs/2024-10-opencanary-httpproxy/","summary":"Detection of attempted HTTP proxy use on an OpenCanary node, indicating potential reconnaissance or lateral movement by an attacker attempting to proxy another page.","title":"OpenCanary HTTPPROXY Login Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-10-opencanary-httpproxy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Contour"],"_cs_severities":["high"],"_cs_tags":["contour","lua","code-injection","httpproxy","cve-2026-41246"],"_cs_type":"advisory","_cs_vendors":["Project Contour"],"content_html":"\u003cp\u003eProject Contour is susceptible to Lua code injection within its cookie rewriting functionality. The vulnerability arises from insufficient sanitization when user-controlled values are interpolated into Lua source code using Go\u0026rsquo;s \u003ccode\u003etext/template\u003c/code\u003e. This affects Contour versions 1.19.0 through 1.33.3. An attacker with the ability to create or modify \u003ccode\u003eHTTPProxy\u003c/code\u003e resources can inject arbitrary Lua code by crafting malicious values in \u003ccode\u003espec.routes[].cookieRewritePolicies[].pathRewrite.value\u003c/code\u003e or \u003ccode\u003espec.routes[].services[].cookieRewritePolicies[].pathRewrite.value\u003c/code\u003e. While the injected code executes within the attacker\u0026rsquo;s own route, the shared nature of the Envoy proxy allows for potential escalation of privileges, including reading Envoy\u0026rsquo;s xDS client credentials and causing denial of service for other tenants. This vulnerability is resolved in Contour versions v1.33.4, v1.32.5, and v1.31.6.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains RBAC permissions to create or modify \u003ccode\u003eHTTPProxy\u003c/code\u003e resources within the Contour environment.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eHTTPProxy\u003c/code\u003e resource containing a \u003ccode\u003ecookieRewritePolicies\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003ecookieRewritePolicies\u003c/code\u003e, the attacker injects Lua code into the \u003ccode\u003epathRewrite.value\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker applies the crafted \u003ccode\u003eHTTPProxy\u003c/code\u003e resource, deploying the malicious configuration to Contour.\u003c/li\u003e\n\u003cli\u003eContour, using the Envoy proxy, processes the \u003ccode\u003eHTTPProxy\u003c/code\u003e resource, interpolating the attacker-controlled value into the Lua filter.\u003c/li\u003e\n\u003cli\u003eWhen traffic is processed on the attacker\u0026rsquo;s route, the injected Lua code executes within the Envoy proxy.\u003c/li\u003e\n\u003cli\u003eThe injected Lua code attempts to read Envoy\u0026rsquo;s xDS client credentials from the filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained xDS client credentials to read all Contour xDS configuration, including TLS certificates and private keys of other tenants, or to cause a denial of service for other tenants sharing the Envoy instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploit allows attackers to execute arbitrary code within the Envoy proxy, potentially leading to credential theft and denial of service. Specifically, an attacker can steal TLS certificates and private keys of other tenants within the Contour environment. This could compromise sensitive data and disrupt services. If xDS credentials can be obtained, an attacker can then modify/exfiltrate service mesh configuration details.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Contour to version v1.33.4, v1.32.5, or v1.31.6 to remediate the Lua code injection vulnerability as described in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor HTTPProxy resource creation and modification events for suspicious patterns or unexpected values in the \u003ccode\u003espec.routes[].cookieRewritePolicies[].pathRewrite.value\u003c/code\u003e and \u003ccode\u003espec.routes[].services[].cookieRewritePolicies[].pathRewrite.value\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eImplement RBAC least privilege principles to restrict access to creating and modifying \u003ccode\u003eHTTPProxy\u003c/code\u003e resources, mitigating the initial access vector required to exploit this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-contour-lua-injection/","summary":"Contour's Cookie Rewriting feature is vulnerable to Lua code injection; an attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in the `spec.routes[].cookieRewritePolicies[].pathRewrite.value` or `spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value` fields, resulting in arbitrary code execution in the Envoy proxy.","title":"Contour HTTPProxy Lua Code Injection via Cookie Path Rewrite","url":"https://feed.craftedsignal.io/briefs/2024-01-09-contour-lua-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Httpproxy","version":"https://jsonfeed.org/version/1.1"}