Prisma Cloud Alert Details
Alert ID: PRISMA-DEPLOY-CONTAINER-1610-7842
Alert Time: 2024-02-13 09:15:33 EST
Severity: HIGH (82/100)
Source: Prisma Cloud Compute
Rule: “Unauthorized Container Deployment – Crypto Mining”
MITRE ATT&CK: T1610 – Deploy Container
Alert Details:
Detection: Unauthorized container deployed in Kubernetes cluster
Cluster: dev-eks-cluster-02
Namespace: default (unauthorized namespace)
Image: docker.io/monero/xmrig:latest
Container Name: kube-system-worker (masquerading as system pod)
Deployment Time: 09:08 EST
Container Details:
- Image Source: Public Docker Hub (not approved registry)
- Image Tag: latest (unsigned, untrusted)
- Privileges: Privileged mode enabled
- Host Network: Enabled
- Resource Limits: None (unlimited CPU)
Behavior Analysis:
- CPU Usage: 95% immediately after start
- Network Connections:
  - mining.pool.support:3333 (Monero mining pool)
  - xmr-usa.dwarfpool.com:8005
  - 185.143.221[.]89:443 (C2)
- Processes:
  - /bin/xmrig --config=config.json
  - /bin/bash -c while true; do curl -s http://194.165.16[.]89/keepalive; done
Anomaly Detection:
- No Kubernetes deployment or service associated
- Container created via direct Docker API (not kubectl)
- Source: Worker node IP 10.0.78.34 (compromised node)
- Image not in approved registry list
- Mining behavior detected
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Prisma Cloud alert | Prisma Cloud Console | Confirmed unauthorized crypto-mining container |
| 2. Immediate Containment | Kill container, block image | kubectl, Prisma | Container terminated; image blocked |
| 3. Source Investigation | Identify compromised node | Kubernetes Audit Logs | Worker node 10.0.78.34 had SSH compromise |
| 4. Node Remediation | Isolate and reimage node | AWS EC2, Ansible | Node isolated; reimaged from clean AMI |
| 5. Cluster-wide Check | Scan for other malicious containers | Prisma, kube-bench | No other unauthorized containers found |
| 6. Access Review | Review Kubernetes RBAC | Kubernetes Audit | Node’s kubelet credentials abused |
Jira Incident Report
Ticket: SOC-2024-068
Summary: T1610 – Unauthorized Crypto-Mining Container Deployed in Dev Cluster
Status: RESOLVED
Resolution: MALICIOUS – Container Removed
Priority: P2 – MEDIUM
Labels: T1610, deploy-container, crypto-mining, kubernetes, prisma-cloud
Components: Container-Security, Cloud-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Prisma Cloud Compute.
- Alert: “Unauthorized Container Deployment – Crypto Mining”.
- Cluster: dev-eks-cluster-02.
- Time: 2024-02-13 09:15 EST.
- Technique: MITRE ATT&CK T1610 – Deploy Container.
2. Technical Analysis:
- Attack Chain:
  1. Attacker exploited SSH on worker node 10.0.78.34 (weak password)
  2. Gained root access to node
  3. Used node’s kubelet credentials to deploy container via Docker API (bypassing Kubernetes)
  4. Deployed xmrig miner masquerading as kube-system-worker
  5. Container connected to mining pools and C2
- Container Details:
  - Image: docker.io/monero/xmrig:latest (public, untrusted)
  - Name: kube-system-worker (evasion)
  - Privileges: Privileged, host network
  - Resources: Unlimited CPU (caused node slowdown)
- Malicious Activity:
  - Monero mining at ~95% CPU
  - Connections to mining pools
  - Beacon to C2 every 60 seconds
- Node Compromise:
  - SSH brute force from IP 45.134.225[.]78
  - Root access obtained due to weak password
  - No MFA on SSH (should be key-only)
3. Investigation Findings:
- Timeline:
  - 08:45 – SSH brute force from 45.134.225[.]78
  - 08:47 – Attacker gains root access
  - 08:50 – Attacker downloads kubectl, examines cluster
  - 08:55 – Attacker deploys miner via Docker API
  - 09:08 – Miner container starts
  - 09:12 – Prisma Cloud detects crypto-mining behavior
  - 09:15 – Alert triggers
  - 09:16 – Container terminated
  - 09:20 – Node isolated
- Impact:
  - Mining ran for 8 minutes
  - Estimated cost: $50 in cloud compute
  - No customer data accessed
  - No lateral movement
- Indicators of Compromise (IoCs):
  - Network:
    - Attacker IP: 45.134.225[.]78
    - Mining Pools: mining.pool.support:3333, xmr-usa.dwarfpool.com:8005
    - C2: 185.143.221[.]89:443
  - Container:
    - Image: docker.io/monero/xmrig:latest
    - Name: kube-system-worker
4. Containment Actions:
- Immediate Actions:
  - Terminated malicious container.
  - Blocked mining pool domains at firewall.
  - Isolated compromised worker node.
  - Reimaged node from clean AMI.
- Cluster-wide Actions:
  - Scanned all nodes for similar activity (none).
  - Reviewed all containers for unauthorized images.
  - Rotated all kubelet credentials.
- Prevention:
  - Blocked public Docker Hub registry (allow only approved).
  - Implemented admission controller to validate images.
  - Enforced resource limits.
5. Root Cause Analysis:
- Primary Cause: Weak SSH password on worker node.
- Contributing Factors:
  - SSH exposed to internet (should be internal only).
  - No MFA or key-based authentication.
  - Kubelet credentials allowed container deployment.
  - No admission control for untrusted images.
6. Business Impact:
- Operational Impact: Node offline for 2 hours; miner consumed resources.
- Financial Impact: ~$50 in compute costs.
- Data Exposure: None.
7. Remediation & Prevention:
- Completed Actions:
  - Container terminated.
  - Node reimaged.
  - Credentials rotated.
- Technical Controls Enhanced:
  - Disabled SSH password authentication (key only).
  - Moved SSH to internal VPN only.
  - Implemented image allowlist in admission controller.
  - Enabled Prisma Cloud runtime protection.
  - Deployed network policies to block mining pools.
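As an added example (not Prisma Cloud code or anything from this cluster), the following Python implements the admission-style checks described under Prevention and Technical Controls Enhanced: an approved-registry allowlist, rejection of the mutable `latest` tag, of privileged and host-network containers, and of containers without a CPU limit, plus a flag for system-style names outside kube-system. The approved registry hostnames, the `kube-` name heuristic and the pod-spec dictionary shape are assumptions; the two pod specs are constructed to mirror the container details in this report.

```python
# Admission-style policy check for the controls introduced after this incident (added example).
# Assumed approved registries; the report only says public Docker Hub was not approved.
APPROVED_REGISTRIES = ("registry.internal.example", "123456789012.dkr.ecr.us-east-1.amazonaws.com")

def parse_image(ref):
    """Split an image reference into (registry, repo, tag, digest); no host part means Docker Hub."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repo = parts[0], "/".join(parts[1:])
    else:
        registry, repo = "docker.io", ref
    tag = None
    if ":" in repo.rsplit("/", 1)[-1]:
        repo, tag = repo.rsplit(":", 1)
    return registry, repo, tag, digest

def validate_pod(pod, approved=APPROVED_REGISTRIES):
    """Return policy violations for a pod spec dict; an empty list means the pod is admitted."""
    violations = []
    spec = pod.get("spec", {})
    ns = pod.get("metadata", {}).get("namespace", "default")
    if spec.get("hostNetwork"):
        violations.append("hostNetwork enabled")
    for c in spec.get("containers", []):
        registry, _repo, tag, digest = parse_image(c["image"])
        name = c["name"]
        if registry not in approved:
            violations.append(f"{name}: registry {registry} not in allowlist")
        if digest is None and (tag is None or tag == "latest"):
            violations.append(f"{name}: mutable tag '{tag or 'latest'}', pin a tag or digest")
        if c.get("securityContext", {}).get("privileged"):
            violations.append(f"{name}: privileged mode")
        if not c.get("resources", {}).get("limits", {}).get("cpu"):
            violations.append(f"{name}: no CPU limit")
        if name.startswith("kube-") and ns != "kube-system":  # assumed masquerade heuristic
            violations.append(f"{name}: system-style name outside kube-system")
    return violations

# Constructed pod specs modelled on the report's container details, not captured data.
MINER_POD = {"metadata": {"name": "kube-system-worker", "namespace": "default"},
             "spec": {"hostNetwork": True, "containers": [{
                 "name": "kube-system-worker", "image": "docker.io/monero/xmrig:latest",
                 "securityContext": {"privileged": True}}]}}
COMPLIANT_POD = {"metadata": {"name": "api", "namespace": "default"},
                 "spec": {"containers": [{
                     "name": "api", "image": "registry.internal.example/app/api@sha256:" + "0" * 64,
                     "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}
```

Running `validate_pod(MINER_POD)` returns six violations (every control in the list), while the digest-pinned, limited, unprivileged pod returns an empty list and would be admitted.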
8. Conclusion:
Attackers compromised a worker node via weak SSH and deployed a crypto-mining container. Prisma Cloud detected the unauthorized container and mining behavior within minutes. The container was terminated, node reimaged, and controls enhanced.
Closure Rationale: Container removed; node secured; mining blocked.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-13 11:00 EST