T1610 – Deploy Container (Prisma Cloud Detection)

Prisma Cloud Alert Details
Alert ID: PRISMA-DEPLOY-CONTAINER-1610-7842
Alert Time: 2024-02-13 09:15:33 EST
Severity: HIGH (82/100)
Source: Prisma Cloud Compute
Rule: “Unauthorized Container Deployment – Crypto Mining”
MITRE ATT&CK: T1610 – Deploy Container

Alert Details:

Detection: Unauthorized container deployed in Kubernetes cluster

Cluster: dev-eks-cluster-02

Namespace: default (unauthorized namespace)

Image: docker.io/monero/xmrig:latest

Container Name: kube-system-worker (masquerading as system pod)

Deployment Time: 09:08 EST

Container Details:

– Image Source: Public Docker Hub (not approved registry)

– Image Tag: latest (unsigned, untrusted)

– Privileges: Privileged mode enabled

– Host Network: Enabled

– Resource Limits: None (unlimited CPU)

Behavior Analysis:

– CPU Usage: 95% immediately after start

– Network Connections:

– mining.pool.support:3333 (Monero mining pool)

– xmr-usa.dwarfpool.com:8005

– 185.143.221[.]89:443 (C2)

– Processes:

– /bin/xmrig --config=config.json

– /bin/bash -c "while true; do curl -s http://194.165.16[.]89/keepalive; done"

Anomaly Detection:

– No Kubernetes Pod, Deployment or Service object associated with the container

– Container created directly through the node's Docker API, not through the Kubernetes API server (kubectl); it is invisible to RBAC, admission control and the API audit log

– Source: Worker node IP 10.0.78.34 (compromised node)

– Image not in approved registry list

– Mining behavior detected
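The reconciliation the Anomaly Detection list above describes, written out as an added example (it is not code from this page or from Prisma Cloud): containers reported by the node's runtime are compared with the pods the API server knows about, and each container is checked for an orphan status, a system-style name without a system pod, an unapproved registry, a mutable tag, privileged/hostNetwork settings, a missing CPU limit and mining-pool traffic. The container records, the API-server ID set and the approved ECR registry address are constructed for the example.

```python
"""Flag the anomalies listed in the alert by reconciling runtime containers
against API-server pods. Added example; the records below are constructed to
mirror the alert and are not Prisma Cloud output."""
from dataclasses import dataclass
from typing import Optional

# Assumption: the organisation's only approved registry (hypothetical account id).
APPROVED_REGISTRIES = ("123456789012.dkr.ecr.us-east-1.amazonaws.com/",)
# Pool indicators taken from the alert; 3333 is also the usual stratum port.
MINING_POOL_PORTS = {3333, 8005}
MINING_POOL_SUFFIXES = ("pool.support", "dwarfpool.com")


@dataclass
class RuntimeContainer:
    container_id: str
    name: str
    image: str
    privileged: bool
    host_network: bool
    cpu_limit: Optional[float]   # None means no limit was set
    cpu_pct: float               # observed CPU usage in percent
    connections: tuple           # (host, port) pairs seen from the container


def image_tag(image: str) -> str:
    """Tag of an image reference; untagged means 'latest', name@sha256:... is 'digest'.
    Splitting on the last '/' first keeps a registry port (host:5000/app) out of the way."""
    last = image.rsplit("/", 1)[-1]
    if "@" in last:
        return "digest"
    return last.split(":", 1)[1] if ":" in last else "latest"


def analyse(c: RuntimeContainer, api_known_ids: set) -> list:
    """Return the list of anomaly strings for one runtime container."""
    findings = []
    orphan = c.container_id not in api_known_ids
    if orphan:
        findings.append("orphan: no Pod object in the API server backs this container")
    if orphan and c.name.startswith("kube-"):
        findings.append("masquerade: system-style name without a system pod")
    if not c.image.startswith(APPROVED_REGISTRIES):
        findings.append(f"registry: {c.image} is not from an approved registry")
    if image_tag(c.image) == "latest":
        findings.append("tag: mutable 'latest' tag, image cannot be pinned")
    if c.privileged:
        findings.append("privileged: container runs with full host capabilities")
    if c.host_network:
        findings.append("hostNetwork: container shares the node network namespace")
    if c.cpu_limit is None:
        findings.append("limits: no CPU limit set")
    pools = [f"{h}:{p}" for h, p in c.connections
             if p in MINING_POOL_PORTS or h.endswith(MINING_POOL_SUFFIXES)]
    if pools:
        findings.append("network: mining pool connections " + ", ".join(pools))
    if pools and c.cpu_pct >= 90:
        findings.append("behaviour: sustained high CPU with pool traffic (crypto-miner)")
    return findings


def detect(containers, api_known_ids) -> dict:
    """Map container name -> findings for every container with at least one finding."""
    result = {}
    for c in containers:
        findings = analyse(c, api_known_ids)
        if findings:
            result[c.name] = findings
    return result


# Constructed sample: the miner from the alert plus one legitimate workload.
SAMPLE_CONTAINERS = [
    RuntimeContainer("a1b2c3", "kube-system-worker", "docker.io/monero/xmrig:latest",
                     privileged=True, host_network=True, cpu_limit=None, cpu_pct=95.0,
                     connections=(("mining.pool.support", 3333),
                                  ("xmr-usa.dwarfpool.com", 8005),
                                  ("185.143.221.89", 443))),
    RuntimeContainer("d4e5f6", "web-frontend",
                     "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.4.2",
                     privileged=False, host_network=False, cpu_limit=0.5, cpu_pct=12.0,
                     connections=(("10.0.12.7", 5432),)),
]
# Container IDs the API server reports for pods scheduled on this node (constructed).
API_KNOWN_IDS = {"d4e5f6"}

if __name__ == "__main__":
    for name, findings in detect(SAMPLE_CONTAINERS, API_KNOWN_IDS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The orphan check is the one that matters most for this incident: every other signal could in principle be produced by a badly configured but legitimate pod, whereas a container the API server has never heard of on a node can only have been started on the node itself.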

SOC Investigation Process

Step                     | Action                               | Tools Used                                        | Findings
1. Alert Validation      | Verify Prisma Cloud alert            | Prisma Cloud Console                              | Confirmed unauthorized crypto-mining container
2. Immediate Containment | Kill container, block image          | docker CLI on the node, Prisma Cloud              | Container terminated; image blocked (no Kubernetes object existed, so kubectl could not remove it)
3. Source Investigation  | Identify compromised node            | Kubernetes audit logs, node sshd auth logs        | Worker node 10.0.78.34 had SSH compromise
4. Node Remediation      | Isolate and reimage node             | AWS EC2, Ansible                                  | Node isolated; reimaged from clean AMI
5. Cluster-wide Check    | Scan for other malicious containers  | Prisma Cloud (runtime), kube-bench (node config)  | No other unauthorized containers found
6. Access Review         | Review Kubernetes RBAC               | Kubernetes audit logs                             | Node's kubelet credentials abused to enumerate the cluster

Jira Incident Report
Ticket: SOC-2024-068
Summary: T1610 – Unauthorized Crypto-Mining Container Deployed in Dev Cluster
Status: RESOLVED
Resolution: MALICIOUS – Container Removed
Priority: P2 – MEDIUM
Labels: T1610, deploy-container, crypto-mining, kubernetes, prisma-cloud
Components: Container-Security, Cloud-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Prisma Cloud Compute.
Alert: “Unauthorized Container Deployment – Crypto Mining”.
Cluster: dev-eks-cluster-02.
Time: 2024-02-13 09:15 EST.
Technique: MITRE ATT&CK T1610 – Deploy Container.

2. Technical Analysis:

Attack Chain:

1. Attacker brute-forced SSH on worker node 10.0.78.34 (weak password)

2. Gained root access to the node

3. Used the node's kubelet credentials with kubectl to enumerate the cluster, then started the miner directly through the node's Docker API, bypassing the Kubernetes API server and with it RBAC, admission control and the API audit log (no Pod object was ever created)

4. Deployed xmrig miner masquerading as kube-system-worker

5. Container connected to mining pools and C2

Container Details:

Image: docker.io/monero/xmrig:latest (public, untrusted)
Name: kube-system-worker (evasion)
Privileges: Privileged, host network
Resources: Unlimited CPU (caused node slowdown)

Malicious Activity:

Monero mining at ~95% CPU
Connections to the mining pools mining.pool.support:3333 and xmr-usa.dwarfpool.com:8005
C2 traffic: TLS to 185.143.221[.]89:443 and an HTTP keepalive loop to http://194.165.16[.]89/keepalive (the captured bash loop contains no sleep, so the reported 60-second beacon interval does not come from the script itself and should be re-checked against network telemetry)

Node Compromise:

SSH brute force from IP 45.134.225[.]78
Root access obtained due to weak password
Password authentication enabled with no MFA; SSH should have been key-only and not reachable from the internet

3. Investigation Findings:

Timeline:

08:45 – SSH brute force from 45.134.225[.]78

08:47 – Attacker gains root access

08:50 – Attacker downloads kubectl, examines cluster

08:55 – Attacker deploys miner via Docker API

09:08 – Miner container starts

09:12 – Prisma Cloud detects crypto-mining behavior

09:15 – Alert triggers

09:16 – Container terminated

09:20 – Node isolated

Impact:

Mining ran for 8 minutes
Estimated cost: $50 in cloud compute
No customer data accessed
No lateral movement

Indicators of Compromise (IoCs):

Network:

– Attacker IP: 45.134.225[.]78 (SSH brute force)

– Mining Pools: mining.pool.support:3333, xmr-usa.dwarfpool.com:8005

– C2: 185.143.221[.]89:443

– Keepalive URL: http://194.165.16[.]89/keepalive

Container:

– Image: docker.io/monero/xmrig:latest

– Name: kube-system-worker

4. Containment Actions:

Immediate Actions:

Terminated malicious container.
Blocked mining pool domains at firewall.
Isolated compromised worker node.
Reimaged node from clean AMI.

Cluster-wide Actions:

Scanned all nodes for similar activity (none).
Reviewed all containers for unauthorized images.
Rotated all kubelet credentials.

Prevention:

Blocked public Docker Hub registry (allow only approved registries).
Implemented admission controller to validate images.
Enforced resource limits.
Note: these three controls act at the Kubernetes API server, so they stop the same image from being scheduled with kubectl but not a container started directly on a node's runtime, as happened here; the SSH and node hardening in section 7 is what closes that path.

5. Root Cause Analysis:

Primary Cause: Weak SSH password on worker node.
Contributing Factors:
SSH exposed to the internet (should be reachable only from the internal network or VPN).
Password authentication enabled with no MFA; key-based authentication was not enforced.
Root on the node gives direct access to the container runtime, which the Kubernetes API server, RBAC and admission control never see.
Kubelet credentials readable on the node were usable with kubectl to enumerate the cluster.
No admission control for untrusted images.

6. Business Impact:

Operational Impact: Node offline for 2 hours; miner consumed resources.
Financial Impact: ~$50 in compute costs.
Data Exposure: None.

7. Remediation & Prevention:

Completed Actions:

Container terminated.
Node reimaged.
Credentials rotated.

Technical Controls Enhanced:

Disabled SSH password authentication (key only).
Moved SSH to internal VPN only.
Implemented image allowlist in admission controller.
Enabled Prisma Cloud runtime protection.
Deployed egress network policies to block mining pool endpoints (NetworkPolicy matches IP ranges, not domain names, and does not apply to hostNetwork containers or to containers with no Pod object, so the firewall block above remains the effective control for this case).
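The image allowlist and admission control listed under Prevention (section 4) and Technical Controls Enhanced (section 7) amount to a validating admission webhook. The function below is an added example of that webhook's decision logic, not the controller actually deployed in the cluster: it takes an AdmissionReview for a Pod and rejects unapproved registries, unpinned or latest tags, privileged containers, hostNetwork and missing CPU/memory limits. The approved ECR registry address, the kube-system exemption and both AdmissionReview documents are assumptions constructed for the example; the miner review carries the settings from the alert.

```python
"""Decision logic for a Kubernetes validating admission webhook enforcing the
prevention controls above. Added example; registry address, namespace
exemption and the AdmissionReview documents are constructed assumptions."""
import json

APPROVED_REGISTRIES = ("123456789012.dkr.ecr.us-east-1.amazonaws.com/",)  # assumption
EXEMPT_NAMESPACES = {"kube-system"}  # assumption: system add-ons may need host access


def violations(pod: dict, namespace: str) -> list:
    """Return policy violations for a Pod manifest (an empty list means admit)."""
    problems = []
    spec = pod.get("spec", {})
    exempt = namespace in EXEMPT_NAMESPACES
    if spec.get("hostNetwork") and not exempt:
        problems.append("hostNetwork is not allowed outside exempt namespaces")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        if not image.startswith(APPROVED_REGISTRIES):
            problems.append(f"{name}: image {image!r} is not from an approved registry")
        # Look only at the part after the last '/', so a registry port is not taken for a tag.
        ref = image.rsplit("/", 1)[-1]
        if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
            problems.append(f"{name}: image must be pinned to a tag or digest, not 'latest'")
        if c.get("securityContext", {}).get("privileged") and not exempt:
            problems.append(f"{name}: privileged containers are not allowed")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                problems.append(f"{name}: missing resources.limits.{res}")
    return problems


def admission_response(review: dict) -> dict:
    """Build the AdmissionReview response the API server expects back from the webhook."""
    req = review["request"]
    problems = violations(req["object"], req.get("namespace", "default"))
    resp = {"uid": req["uid"], "allowed": not problems}
    if problems:
        resp["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


def _review(pod_spec: dict) -> dict:
    """Wrap a Pod spec in a constructed CREATE AdmissionReview (hypothetical uid)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "7f1c0d2e-0000-4000-8000-000000000001",
                        "namespace": "default", "operation": "CREATE",
                        "object": {"apiVersion": "v1", "kind": "Pod",
                                   "metadata": {"name": "kube-system-worker"},
                                   "spec": pod_spec}}}


# The miner's settings from the alert, as if someone tried to schedule it with kubectl.
MINER_REVIEW = _review({
    "hostNetwork": True,
    "containers": [{"name": "worker",
                    "image": "docker.io/monero/xmrig:latest",
                    "securityContext": {"privileged": True}}]})

# The same pod corrected: approved registry, pinned tag, no host access, limits set.
GOOD_REVIEW = _review({
    "containers": [{"name": "worker",
                    "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/worker:1.4.2",
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]})

if __name__ == "__main__":
    print(json.dumps(admission_response(MINER_REVIEW), indent=2))
    print(json.dumps(admission_response(GOOD_REVIEW), indent=2))
```

Served behind a ValidatingWebhookConfiguration over TLS (or expressed as a built-in ValidatingAdmissionPolicy in recent Kubernetes releases), this logic only ever sees requests that reach the API server. It would have blocked the miner had it been submitted with kubectl, and it closes the privileged, hostNetwork, unlimited-CPU and untrusted-image findings for every pod that goes through the API; it would not have seen the container in this incident, which was started on the node's Docker API with root obtained over SSH.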

8. Conclusion:

Attackers compromised a worker node via weak SSH and deployed a crypto-mining container. Prisma Cloud detected the unauthorized container and mining behavior within minutes. The container was terminated, node reimaged, and controls enhanced.

Closure Rationale: Container removed; node secured; mining blocked.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-13 11:00 EST
