Containerization revolutionized cloud computing and modern IT infrastructure. The convenience it created lets organizations build, test and deploy software faster. However, container security was not addressed until recently, and many teams are still catching up on tools that secure cloud container environments. The shortage of such tools is a major concern for developers, and it prompted a cloud pentester at Rhino Security Labs, a Washington-based boutique penetration testing and security assessment firm, to develop the Cloud Container Attack Tool (also known as CCAT).
The What and How
CCAT is an open-source post-exploitation framework used to test the security of container environments on the AWS and GCP platforms. It enables developers and testers to uncover exploitable weaknesses and backdoors in the container environment.
As mentioned earlier, CCAT is a post-exploitation framework, which means it assumes that your credentials or your GCP/AWS accounts have already been compromised. Starting from that foothold, you can explore repositories, pull images from the registry, plant backdoors in the images and push them back into the repository. A typical scenario is shown in the image below, taken from the project's GitHub page.
Installation of CCAT
To install CCAT, clone the repository as shown below:
Before running CCAT, configure your AWS credentials for your current user. You can refer to this article to learn more about it.
Once it has been installed, run the following command from the CCAT directory:
CCAT and Cryptojacking
Cryptojacking is yet another reason for malicious actors to target container environments. Cryptojacking is the unauthorized use of someone else's computer to mine cryptocurrencies.
Crypto mining is a process in which a network of computers known as miners solve cryptographic puzzles in exchange for payment. This procedure is often quite expensive and requires far more computing power than an ordinary computer can provide. There are many browser-based miner mechanisms that generate this computing power directly, but as stated above, they are simply not enough.
A mining pool is simply a group of crypto miners who pool resources over a network to strengthen their chances of successfully mining cryptocurrencies. In this demo, we have used the Monero cryptocurrency. To get going, you need to create a Monero wallet address. You can use this link to do it.
Creating a Backdoor on Web App Container
Now let us try to create a backdoor in an existing container. We can use the container dubbed “backdoor-example” that was already pushed to AWS ECR. It is a simple Hello World Docker container. The Dockerfile for the container is given below:
Now, let’s run the CCAT tool.
- First, we enumerate ECR repositories to configure the profile. Remember to configure your AWS CLI credentials before this step:
- Once we select this option, we enter the AWS profile name as shown below:
- Now, we select the region where the repository is stored.
- Once you have selected the region, the tool automatically enumerates the repositories. It’s time to list the repositories in table format.
- This is the image we were able to create:
- Now, we pull the repository as shown below so we can make changes to the image. You can choose to pull all the enumerated repositories together or a single repo:
- Select the Docker Backdoor option.
- Add all the necessary details:
- Once the backdoored Docker image is built, we push it.
- Ensure that you have provided accurate information:
- We push the repository.
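From the defender's side, the pull-modify-push sequence above leaves two traces: the repository tag now resolves to a different image digest, and CloudTrail records a PutImage call by whoever pushed. The following Python is an added example (not from the article or from CCAT) that checks both on constructed sample data; the account id, principal ARNs and digests are placeholders.

```python
"""Detect an unexpected image replacement in an ECR repository.

Added example, not part of the original article or of CCAT. All data
below is constructed: real input would come from `aws ecr describe-images`
and from CloudTrail (or a CloudTrail Lake query) for the ECR data plane.
"""

# Digests pinned at deploy time for the demo repository (constructed values).
BASELINE = {"backdoor-example:latest": "sha256:aaaa1111"}

# What describe-images reports now; the tag points at a new digest,
# as it would after the re-push described above (constructed).
CURRENT_IMAGES = [
    {"repositoryName": "backdoor-example", "imageTags": ["latest"],
     "imageDigest": "sha256:bbbb2222"},
]

# CloudTrail records (constructed). Only PutImage creates or moves a tag;
# BatchGetImage is a read (a pull) and is not a push indicator on its own.
CLOUDTRAIL_EVENTS = [
    {"eventName": "PutImage",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"},
     "requestParameters": {"repositoryName": "backdoor-example", "imageTag": "latest"}},
    {"eventName": "PutImage",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-laptop"},
     "requestParameters": {"repositoryName": "backdoor-example", "imageTag": "latest"}},
    {"eventName": "BatchGetImage",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-laptop"},
     "requestParameters": {"repositoryName": "backdoor-example"}},
]

# Principals allowed to push, e.g. the CI pipeline role (placeholder ARN).
TRUSTED_PUSHERS = {"arn:aws:iam::123456789012:user/ci-deployer"}


def digest_drift(baseline, images):
    """Return (repo:tag, expected, actual) for every pinned tag whose digest changed."""
    findings = []
    for img in images:
        for tag in img.get("imageTags", []):
            key = f"{img['repositoryName']}:{tag}"
            expected = baseline.get(key)
            if expected and expected != img["imageDigest"]:
                findings.append((key, expected, img["imageDigest"]))
    return findings


def untrusted_pushes(events, trusted):
    """Return (repo:tag, principal) for PutImage calls by principals outside the allow-list."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "PutImage" or ev["userIdentity"]["arn"] in trusted:
            continue
        p = ev.get("requestParameters", {})
        findings.append((f"{p.get('repositoryName')}:{p.get('imageTag')}", ev["userIdentity"]["arn"]))
    return findings
```

Pinning deployments to digests rather than mutable tags (and enabling tag immutability on the repository) turns the first check into a hard control instead of an after-the-fact alert.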
At its core, CCAT is an automation tool for post-exploitation attacks. We can perform similar attacks against GCP as well. Be cautious while performing such attacks and only do so in environments where you have permission.
For more information on CCAT, visit GitHub.