Hello and welcome to the Monday, March 6, 2020,

edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

First big shout out to our Science Technology Institute College graduates. We had our commencement ceremony this weekend

in Washington, D.C. and, well, 313 graduates made up the glass of 2022 and about 50, 60 or so, I think,

were actually present in person at the ceremony.

So big shout out here.

Congratulations and thanks to everybody who was able to attend and sometimes traveled quite far to attend our graduation ceremony.

But well, let's talk about some current attacks.

We have a great write-up, I think, by Sysdick,

who looked into some recent attacks against Kubernetes clusters in AWS.

What happened here was that attackers first gained access to the Kubernetes cluster that were exposed to the Internet.

Yes, they installed a crypto miner, but I think that's less interesting here.

What's more interesting is that then they used the AWS instance metadata service

to actually enumerate other AWS resources and also find credentials.

That's a technique that's quite common in attacks against AWS.

We actually do have sort of an exercise for that even in SEC 522, just to illustrate the dangers of exposing these kind of services and what can happen if an attacker gains access to this.

Once they found the credentials, well, then of course they used the credentials to move laterally and then continuously gathered more information,

exfiltrated data, and also disabled logging.

I think it's also a good reminder,

and I mentioned this before in the podcast,

maybe not recently,

...