{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ingress/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nginx Ingress Controller"],"_cs_severities":["high"],"_cs_tags":["kubernetes","lfi","nginx","ingress","cloud"],"_cs_type":"advisory","_cs_vendors":["Kubernetes","Nginx"],"content_html":"\u003cp\u003eThis brief focuses on detecting local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. These attacks are identified by analyzing Kubernetes logs for suspicious patterns indicative of LFI attempts. The detection leverages Kubernetes logs, specifically parsing the \u003ccode\u003erequest\u003c/code\u003e field to identify LFI patterns. Successful exploitation can lead to attackers reading sensitive files from the server, potentially exposing critical information. This activity is significant because it can lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment. The provided detection logic originates from Splunk's security content and is designed to work with Kubernetes logs ingested via Splunk Connect for Kubernetes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Kubernetes Nginx ingress controller vulnerable to LFI.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing an LFI payload within the URL. This payload aims to access sensitive files on the server.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to the Kubernetes Nginx ingress controller.\u003c/li\u003e\n\u003cli\u003eThe Nginx ingress controller processes the request and attempts to access the file specified in the malicious payload.\u003c/li\u003e\n\u003cli\u003eIf the LFI vulnerability is successfully exploited, the targeted file's contents are exposed to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the contents of the sensitive file from the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the exfiltrated file contents for sensitive information, such as credentials or configuration details.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful LFI attack against a Kubernetes Nginx ingress controller can lead to the exposure of sensitive data, potentially including configuration files, credentials, or internal application code. This can lead to further exploitation, such as privilege escalation or lateral movement within the Kubernetes cluster. The number of affected systems and organizations depends on the scope of the vulnerable ingress controllers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect LFI attempts against Kubernetes Nginx ingress controllers based on suspicious URL patterns and log data.\u003c/li\u003e\n\u003cli\u003eEnsure that Kubernetes logs are being ingested through Splunk Connect for Kubernetes, as this is a prerequisite for the detection logic.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any identified LFI vulnerabilities in Kubernetes Nginx ingress controllers to prevent successful exploitation.\u003c/li\u003e\n\u003cli\u003eUse the provided drilldown searches to pivot into detection results based on host and risk events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-kubernetes-nginx-lfi/","summary":"Detection of local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers through analysis of Kubernetes logs.","title":"Kubernetes Nginx Ingress LFI Attack","url":"https://feed.craftedsignal.io/briefs/2024-01-09-kubernetes-nginx-lfi/"}],"language":"en","title":"CraftedSignal Threat Feed - Ingress","version":"https://jsonfeed.org/version/1.1"}