More stories

  • Microsoft: Here's how this notorious botnet used hacked routers for stealthy communication

    Microsoft has revealed how the Trickbot trojan botnet has been using compromised MikroTik routers for stealthy communications with infected PCs. Trickbot, known for stealing banking credentials and delivering ransomware, once seemed unstoppable. It continued to thrive despite a Microsoft-led effort in 2020 to patch millions of infected PCs and take down most of its command and control (C2) servers, with the exception of its Internet of Things (IoT) C2 devices, until it finally shut down earlier this year.

    Now, Microsoft has filled in one detail about how the TrickBot gang’s IoT C2 devices, namely compromised MikroTik routers, had been used since 2018 for stealthy communication with infected PCs.

    Back in 2018, when many hackers were targeting CVE-2018-14847 in MikroTik’s RouterOS software, security researchers found Trickbot was using compromised MikroTik routers for C2 infrastructure. Routers are a useful C2 tool since they allow communication between C2 and Trickbot-infected PCs in a way that standard defenses can’t detect. Microsoft security researchers say they have now cleared up exactly how the devices were being used in its infrastructure.

    After gaining control of the router through a compromised password, Trickbot used RouterOS’s SSH shell to create a set of commands that RouterOS understands but which don’t make sense on normal Linux-based shells. SSH is intended to enable secure network communications over an unsecured network. The ultimate goal was to redirect the compromised router’s traffic. The command created a new network rule that redirected traffic from the infected device to a server: the redirected traffic was received on port 449 and sent on to port 80, Microsoft explains.

    “The said command is a legitimate network address translation (NAT) command that allows the NAT router to perform IP address rewriting. In this case, it is being used for malicious activity. Trickbot is known for using ports 443 and 449, and we were able to verify that some target servers were identified as TrickBot C2 servers in the past,” Microsoft adds.

    “As security solutions for conventional computing devices continue to evolve and improve, attackers will explore alternative ways to compromise target networks. Attack attempts against routers and other IoT devices are not new, and being unmanaged, they can easily be the weakest links in the network. Therefore, organizations should also consider these devices when implementing security policies and best practices,” Microsoft said. It has included details of how to find out if your routers have been affected.

    Despite Trickbot’s notoriety and durability, researchers at Intel 471, which was involved in the 2020 takedown, said that by February this year the Trickbot malware was on its last legs, with former developers moving on to new malware like BazarLoader and the Conti ransomware gang.

    “Intel 471 cannot confirm, but it’s likely that the Trickbot operators have phased Trickbot malware out of their operations in favor of other platforms, such as Emotet. Trickbot, after all, is relatively old malware that hasn’t been updated in a major way. Detection rates are high and the network traffic from bot communication is easily recognized,” its researchers wrote.
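    As an added example (not code from the article or from Microsoft), the following Python script implements the kind of check the write-up points defenders at: parse the text of a RouterOS `/ip firewall nat export` collected from a router and flag dstnat rules that forward a Trickbot-associated port (443 or 449) to an address outside the LAN. The export text, the RouterOS field names it uses (`chain`, `dst-port`, `to-addresses`, `to-ports`) and the IP addresses are constructed for this example; confirm the field names against your own router's export before relying on the parser.

```python
"""Flag RouterOS NAT rules matching the Trickbot redirect pattern the
article describes: TCP port 449 (or 443) forwarded to a host outside the LAN.

Input is the text of '/ip firewall nat export' (assumed to have been
collected from the router by its administrator). SAMPLE_EXPORT is
constructed for this example and is not from a real device.
"""
import ipaddress
import re
import shlex

# Constructed sample: one masquerade rule, one benign port-forward to a LAN
# host, and one rule redirecting port 449 to an address outside the LAN.
SAMPLE_EXPORT = """\
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="default masq"
add chain=dstnat dst-port=8443 protocol=tcp action=dst-nat \\
    to-addresses=192.168.88.10 to-ports=443 comment="web ui"
add chain=dstnat dst-port=449 protocol=tcp action=dst-nat \\
    to-addresses=203.0.113.45 to-ports=80
"""

# Ports the article says Trickbot is known to use.
TRICKBOT_PORTS = {"443", "449"}

# Address ranges considered "inside" for this check (RFC 1918 plus loopback
# and link-local); anything else is treated as an external forwarding target.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_nat_rules(export_text):
    """Return each 'add ...' line of the export as a dict of key=value fields.

    RouterOS wraps long export lines with a trailing backslash, so
    continuation lines are joined before tokenising with shlex, which keeps
    quoted values such as comment="web ui" intact.
    """
    joined = re.sub(r"\\\n\s*", " ", export_text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        fields = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            fields[key] = value
        rules.append(fields)
    return rules


def is_internal(addr):
    """True if addr parses as an IP inside one of LAN_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable target: do not treat as trusted
    return any(ip in net for net in LAN_NETS)


def suspicious_redirects(rules):
    """Return descriptions of dstnat rules that forward a Trickbot port to a
    non-LAN address, i.e. the pattern Microsoft describes."""
    findings = []
    for r in rules:
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        target = r.get("to-addresses", "")
        if r.get("dst-port") in TRICKBOT_PORTS and not is_internal(target):
            findings.append(
                f"dst-port {r['dst-port']} -> {target}:{r.get('to-ports', '?')}")
    return findings


if __name__ == "__main__":
    for finding in suspicious_redirects(parse_nat_rules(SAMPLE_EXPORT)):
        print("SUSPICIOUS:", finding)
```

    A hit is a prompt to inspect the router, not proof of compromise: a legitimate forward to a public address on port 443 will also match, so the rule's comment, creation date and target should be checked before acting.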

  • Russian Cyclops Blink botnet launches assault against Asus routers

    The Cyclops Blink botnet is now targeting Asus routers in a new wave of cyberattacks. Cyclops Blink, a modular botnet, is suspected of being the creation of Sandworm/Voodoo Bear, a Russian advanced persistent threat (APT) group.

    Several weeks ago, the UK National Cyber Security Centre (NCSC) and the United States’ Cybersecurity and Infrastructure Security Agency (CISA), alongside the NSA and FBI, warned of the botnet’s existence. According to the agencies, the APT is supported by the Russian General Staff Main Intelligence Directorate (GRU) and has been linked to the use of BlackEnergy malware against Ukraine’s electricity grid, Industroyer, NotPetya, and cyberattacks against Georgia.

    “Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices,” the agencies warned.

    This week, cybersecurity researchers from Trend Micro said that while the malware is “state-sponsored”, it does not appear to be in active use against targets that would have Russia’s state interests at heart. The botnet is vast, and over 150 past and current command-and-control (C2) server addresses have so far been traced to the network.

    However, WatchGuard Firebox and Asus devices compromised by the botnet “do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage” — an important point to note considering the current invasion of Ukraine by Russia’s military.

    While the botnet is busy enslaving generic, open, and exposed devices online, Trend Micro suspects that amassing nodes could then be used to “build an infrastructure for further attacks on high-value targets.”

    First detected in 2019, Cyclops Blink is written in C and uses TCP to communicate with a C2 server. The malware makes use of OpenSSL encryption functions and will attempt to brute-force devices to obtain access. The modular malware is able to read and write from a device’s flash memory, enabling persistence. Trend Micro also says that these functions may allow it to “survive factory resets.”

    “Although it cannot be used as proof of attribution, the preceding code reminded us of a routine from the third-stage code of VPNFilter’s process called “dstr” that was intended to “brick” the infected device,” the researchers say.

    Other modules gather device information and allow the botnet to download and execute additional files from the web.

    “Asus is likely only one of the vendors that are currently being targeted by Cyclops Blink,” the researchers say. “We have evidence that other routers are affected too, but as of reporting, we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and Asus.”

    In a security advisory published on March 17, Asus said it was aware of Cyclops Blink and is “investigating.” The vendor has urged customers to reset their devices to a factory default setting, to update their products to the latest firmware, and to change any default administrator credentials to stronger options. In addition, Asus recommends that the Remote Management function, disabled by default, remains so.

    “If it is suspected that an organization’s devices have been infected with Cyclops Blink, it is best to get a new router,” Trend Micro added. “Performing a factory reset might blank out an organization’s configuration, but not the underlying operating system that the attackers have modified.”

    The affected product list is below:

      • GT-AC5300 firmware under 3.0.0.4.386.xxxx
      • GT-AC2900 firmware under 3.0.0.4.386.xxxx
      • RT-AC5300 firmware under 3.0.0.4.386.xxxx
      • RT-AC88U firmware under 3.0.0.4.386.xxxx
      • RT-AC3100 firmware under 3.0.0.4.386.xxxx
      • RT-AC86U firmware under 3.0.0.4.386.xxxx
      • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
      • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
      • RT-AC3200 firmware under 3.0.0.4.386.xxxx
      • RT-AC2900 firmware under 3.0.0.4.386.xxxx
      • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
      • RT-AC87U (EOL)
      • RT-AC66U (EOL)
      • RT-AC56U (EOL)

  • Cloudflare debuts Friendly Bot validation service

    Cloudflare has introduced “Friendly Bots,” a new way to verify an online bot’s identity. Bots are applications designed to automatically perform specific, repetitive tasks online without the need for human oversight.

    Many bots are set to beneficial tasks such as crawling web pages, for analytics, providing payment services, chatting to website users, and giving them advice or pointing them to the right customer service department — but not all. So-called ‘bad’ bots can be used to scrape user data, send spam, overwhelm a domain with traffic and disrupt services (DoS/DDoS attacks), or perform automatic account access attempts in what is known as credential stuffing.

    In an effort to stop malicious bots from causing too much havoc online, some online service providers implement allow and deny lists to stop known bad bots from accessing resources. However, according to Cloudflare, there are many “well-behaved” bots online — and so it can be a challenge to maintain a balance between the good and the bad.

    “At Cloudflare, we manually “verify” good bots, so they don’t get blocked,” the firm says. “Our customers can choose to allowlist any bot that is verified. Unfortunately, new bots are popping up faster than we can verify them.”

    Therefore, Cloudflare has developed new functionality for customers called “Friendly Bots.” Normally, bots are verified through public forms and documentation provided by a developer, including its IP addresses — whether static or dynamic — rDNS, user agents, and machine learning (ML), the use of smart algorithms that detect patterns in bot behavior and aim to profile the innocent ones. It can take a few weeks for bots to be verified, but smaller developers may have to join a long queue unless the bot is working at a vast scale.

    In the meantime, Cloudflare hopes that by considering a bot ‘friendly’ while it is waiting to be verified, this can cut some of the legwork and time required for good bots to be given the seal of approval. Friendly Bots will allow users to “auto validate” bot traffic through the Cloudflare dashboard. Users can provide information about a bot, and the company will then be better equipped to verify bots based on their traffic.

    “In the past, we’ve struggled to verify bots that did not crawl the web at a large scale,” Cloudflare says. “[…] Bots were sometimes difficult to verify if they did not make thousands of requests to Cloudflare. With Friendly Bots, we’ve eliminated that requirement, introducing a new, dynamic cache that optimizes for fun-sized projects.”

    In addition, if users in large numbers are submitting the same bot to allow lists, such as through a specific IP address, this bot will be automatically added to the ‘to verify’ list.

    “Previously, we required bot operators (e.g. Google) to submit verification data themselves,” the firm added. “If there was a bot you wanted to verify but did not own, you were out of luck. Friendly Bots eliminates this dependency on bot operators. Anyone who can find identifying information can register a bot on their site.”

    Cloudflare says that Friendly Bots will be launched “soon” and will “reduce false positives, improve crawl-ability, and generally stabilize sites.” Verified bots are also being added to the Logs feature under Cloudflare Radar.

  • 'Everyone loses': This new ransomware threatens to wipe Windows PCs if its victims don't pay up

    LokiLocker, a relatively new form of ransomware, uses the standard extortion-through-encryption racket but also incorporates disk-wiper functionality. Double extortion became a hit last year, when ransomware gangs started stealing files before encrypting them to threaten victims with a sensitive data leak if they didn’t pay up.

    BlackBerry Threat Intelligence is now warning that LokiLocker, first seen in August 2021, now features an “optional wiper functionality” to put pressure on victims in a slightly different way.

    Instead of attackers using the threat of leaking a victim’s files to pressure them into paying, LokiLocker’s customers threaten to overwrite a victim’s Windows Master Boot Record (MBR), which wipes all files and renders the machine unusable. But that tactic effectively ends all negotiations about payment, of course.

    Disk-wiper functionality has come into focus recently because of destructive malware attacks on Ukrainian organizations. The US government fears destructive malware could target organizations in the West in retribution for sanctions against Russia. Historically, disk-wiper malware has often been favoured by state-sponsored hackers, as was the case in NotPetya, WhisperGate and HermeticWiper – all directly or loosely connected to Russian state-sponsored actors – where ransomware is a decoy for the true destructive intent.

    But commercially motivated ransomware that destroys the victim’s computer? It certainly appears to be a different style of ransom negotiation than ransomware linked to Russian actors. “With a single stroke, everyone loses,” BlackBerry notes. However, Microsoft has been tracking emerging – presumed state-backed or affiliated – Iranian hacking groups that are employing both encryption and destructive malware.

    BlackBerry points to some evidence that suggests LokiLocker was developed by Iranian hackers and designed to target English-speaking victims. The evidence: there are very few English spelling errors in the malware’s debugging strings; LokiLocker affiliates are chatting on Iranian hacking forums; and Iran is the only location currently blacklisted for activating encryption. Additionally, some credential-cracking tools distributed in early samples of LokiLocker “seem to be developed by an Iranian cracking team called AccountCrack”.

    “Although we’ve been unable to reliably assess exactly where the LokiLocker RaaS originates, it is worth mentioning that all the embedded debugging strings are in English, and – unlike the majority of malware originating from Russia and China – the language is largely free of mistakes and misspellings,” BlackBerry notes. “It’s not entirely clear whether this means they truly originate from Iran or that the real threat actors are trying to cast the blame on Iranian attackers,” it said.

    It’s common for Russia-based ransomware gangs to not activate malware on machines within Commonwealth of Independent States nations – often configured by blacklisting specific language codes within a machine’s language settings. But BlackBerry says LokiLocker appears to be in beta: the Iran blacklist functionality hasn’t been implemented.

    As for the disk-wiper functionality, BlackBerry says the malware will attempt to destroy a system if a ransom isn’t paid within the specified timeframe. It deletes all of a victim’s files, except for system files, and also tries to overwrite the MBR and then, after forcing a Blue Screen of Death error message, reboots the wiped machine and displays the message: “You did not pay us. So we deleted all of your files : ) Loki locker ransomware_”.

    Prior to the payment deadline, the malware changes the victim’s login screen and desktop wallpaper to the ransom message, and drops a web file that displays the ransom note on the victim’s desktop detailing the time left “to lose all of your files”.

    LokiLocker is written in .NET and protected with NETGuard (modified ConfuserEX), using an additional virtualization plugin called KoiVM, according to BlackBerry. “LokiLocker’s use of KoiVM as a virtualizing protector for .NET applications is an unusual method of complicating analysis. We haven’t seen a lot of other threat actors using it yet, so this may be the start of a new trend,” the company notes.

  • Ex CafePress owner fined $500,000 for 'shoddy' security, covering up data breach

    CafePress’s past owner has been fined $500,000 over a litany of security failures and data breaches. CafePress is a US platform offering print-on-demand products including clothing, home decor, and kitchenware. Sellers can sign up to the platform, upload their designs, and CafePress takes a cut of any sales made.

    These businesses require key financial information from sellers and purchasers to operate, and as such, they are expected to securely manage this information and handle transactions with security in mind. However, CafePress became the subject of a US Federal Trade Commission (FTC) investigation surrounding how it handled security — and how the firm allegedly “failed to secure consumers’ sensitive personal data and covered up a major breach.”

    On March 15, the US regulator said that Residual Pumpkin is required to pay $500,000 in damages. According to the FTC’s complaint (.PDF), issued against the platform’s former owner Residual Pumpkin Entity, LLC, and its current owner PlanetArt, LLC, there was a lack of “reasonable security measures” to prevent data breaches. In addition, the FTC claims that CafePress kept user data for longer than necessary, stored personally identifiable information (PII) including Social Security numbers and password reset answers in cleartext, and did not patch against known system vulnerabilities.

    “As a result of its shoddy security practices, CafePress’ network was breached multiple times,” the FTC says.

    CafePress experienced a major security incident in 2019. An attacker infiltrated the platform in February 2019 and was able to access data belonging to millions of users. This included email addresses, poorly-encrypted passwords, names, home addresses, security questions and answers, some partial card payment records, phone numbers, and at least 180,000 unencrypted Social Security numbers. The datasets, some of which were then sold online, were added to Troy Hunt’s Have I Been Pwned search engine in August 2019.

    According to the FTC, CafePress was notified a month after the breach and did patch the security flaw — but did not investigate the breach properly “for several months.” Customers were also not told. Instead, CafePress implemented a forced password reset as part of its “policy” and only informed users in September 2019, once the data breach had been publicly reported.

    In a separate case in 2018, CafePress allegedly was made aware of shops being compromised. These accounts were closed — and the shopkeepers, the victims, were then charged $25 account closure fees. The FTC also claims that the company “misled” users by using consumer email addresses for marketing, despite promises to the contrary.

    While Residual Pumpkin will bear the cost of the order, PlanetArt is also required to notify consumers who were impacted by CafePress security incidents. In addition, both companies will have to hire third-party experts to perform security audits and must redress any existing security issues — including replacing security questions with multi-factor authentication (MFA) processes, encrypting Social Security numbers, and tightening up their data storage and retention practices.

    “CafePress employed careless security practices and concealed multiple breaches from consumers,” commented Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “These orders dial-up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”

    The agreement is subject to public comment before being made final.

    Update 14.58 GMT: CafePress told ZDNet: “The data breach occurred well before PlanetArt bought the CafePress brand and happened under the technology leadership of the brand’s prior owner. PlanetArt was happy to agree to the FTC’s request that PlanetArt also become obligated to the FTC’s settlement with the prior owner, as it comports with the priority PlanetArt has always placed on cybersecurity specifically and, more generally, on consumer protection.”

    Clarification 10.32am GMT: ZDNet has corrected the penalty amount to $500,000. ZDNet regrets the error.

  • Google could ask for your licence or passport on YouTube and Google Play in Australia

    Image: Google

    Google has announced it will be expanding age verification checks to users in Australia who want to access age-restricted content on YouTube and Google Play. In the coming month, the search giant will introduce age verification checks where users are asked to provide additional proof-of-age when attempting to watch mature content on YouTube or downloading content on Google Play.

    The move is to provide users with “age appropriate experiences,” Google government affairs and public policy senior manager Samantha Yorke explained in a blog post. “As part of this process some Australian users may be asked to provide additional proof of age when attempting to watch mature content on YouTube or downloading content on Google Play.”

    “If our systems are unable to establish that a viewer is above the age of 18, we will request that they provide a valid ID or credit card to verify their age.”

    Google considers a valid ID as one issued by government, such as a driver’s licence or passport. The company assured that if a user uploads a copy of their ID, it would be “securely stored, won’t be made public, and would be deleted” once a person’s date of birth is verified. It noted, however, that it will not only use a person’s ID to confirm their age but also to “improve our verification services for Google products and protect against fraud and abuse”.

    Google said the move is in response to the Australian government’s Online Safety (Restricted Access Systems) Declaration 2022, which requires platforms to take steps to confirm users are over the age of 18 before they can access content that could potentially be inappropriate for under-18 viewers. The declaration was introduced under the Online Safety Act. Similar age verification steps have already been implemented in the European Union under the Audiovisual Media Services Directive (AVMSD).

    To ensure the experience is consistent, viewers who attempt to access age-restricted YouTube videos on “most” third-party websites will be redirected to YouTube to sign in and verify their age to view it. “It helps ensure that, no matter where a video is discovered, it will only be viewable by the appropriate audience,” Yorke said.

    Meanwhile, Meta is rolling out parental supervision tools on Quest and Instagram, claiming it will allow parents and guardians to be “more involved in their teens’ experiences”. The supervision tool for Instagram will allow parents and guardians to view how much time their teens spend on the platform and set time limits; be notified when their teen shares they’ve reported someone; and view and receive updates on which accounts their teen follows and which accounts follow their teen. There are also plans to add additional features, including letting parents set the hours during which their teens can use Instagram and the ability for more than one parent to supervise a teen’s account.

    The supervision tool on Instagram is currently available only in the US, but Meta says there are plans for a global rollout in the “coming months”. Teens will need to initiate Instagram parental supervision for now in the app on mobile devices, Meta said, but it explained parents would have the option to initiate supervision in the app on the desktop by June. “Teens will need to approve parental supervision if their parent or guardian requests it,” Meta said.

    As for the VR parental supervision tools being introduced to Quest, they will be rolled out over the coming months, starting with the expansion of the existing unlock pattern on Quest headsets to allow parents to use it to block their teen from accessing experiences they deem inappropriate. In May, Meta will automatically block teens from downloading IARC-rated age-inappropriate apps, as well as launch a parent dashboard hosting a suite of supervision tools that will link to the teen’s account based on consent from both sides.

    Additionally, Meta has established what it is calling the Family Center to provide parents and guardians access to supervision tools and resources, including the ability to oversee their teens’ accounts within Meta technologies, set up and use supervision tools, and access resources on how to communicate with their teens about internet use. “Our vision for Family Center is to eventually allow parents and guardians to help their teens manage experiences across Meta technologies, all from one central place,” the company said.

    The moves from both tech giants follow the parliamentary committee responsible for conducting Australia’s social media probe releasing its findings earlier this week. In its findings, it believes online harms would be reduced if the federal government legislates requirements for social media companies to set the default privacy settings for accounts owned by children to the highest levels and for all digital devices sold in Australia to contain optional parental control functionalities.

  • NSW confirms iVote system will be scrapped for next year's state election

    New South Wales Residents Head To Polls In State Election
    Image: Brook Mitchell/Getty Images

    The NSW Electoral Commission (NSWEC) has confirmed it will scrap using the iVote system for next year’s state election as there is a lack of confidence it will be ready in time. The decision comes after an unknown number of voters were unable to cast a vote during local elections at the end of last year due to the iVote online voting system suffering a failure for a portion of the voting period. An NSWEC investigation into the local election bungle found the system failure impacted the outcomes of three local elections.

    The NSWEC had already shelved the iVote system for “extensive reconfiguration and testing” to resolve the issues encountered during local elections, but the latest move indicates the system will not be used until at least March 25 next year.

    “The current version of the iVote software used by the Electoral Commission will be phased out and the short runway for configuring and testing a new version before March 2023 means the Electoral Commissioner cannot be confident an updated system adapted for elections in NSW will be ready in time,” the NSWEC said in a statement.

    The decision to scrap using the iVote system until next year at the earliest also means it will not be used for any intervening by-elections in the lead up to the state election. For core users of the iVote system, people with disability and those who are based overseas or in remote areas, the NSWEC said it would explore other ways to support their participation in future elections. In particular, the electoral commissioner will be recommending to the NSW Government that ordinary telephone voting still be made available for blind and low vision electors.

    During the system failure’s aftermath, Dr Vanessa Teague, a cryptographer with a particular interest in privacy and election security, criticised the flaws within the iVote system. “Every serious investigation of iVote found serious problems,” Teague tweeted in December in light of the iVote failure. Teague’s comments at the end of last year were not her first in warning about the iVote system’s flaws. Starting in 2015, she and her colleagues found numerous flaws in iVote, problems that NSWEC had previously downplayed.

    At the federal level, Australia’s electoral commissioner launched a new disinformation register last week to debunk misleading and deceptive information regarding how elections are run, to protect the integrity of the country’s upcoming federal election. The Australian Electoral Commission said its main focus for the upcoming federal election would be handling the recent uptick of election conspiracy theories circulating online.

    Social media companies, meanwhile, have given assurances that they will allocate more resources for monitoring election disinformation and misinformation for the upcoming Australian federal election. On Tuesday, Meta unveiled its plan for handling election misinformation, which it labelled as its most comprehensive package ever in Australia.

  • NSA and CISA: Here's how to improve your Kubernetes cluster security

    The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published updated guidance about how to harden Kubernetes for managing container applications. Kubernetes is an open-source system that automates deployment, scaling, and management of applications run in containers.

    The updated guidance refreshes the two agencies’ first Cybersecurity Technical Report regarding Kubernetes hardening guidance from August 2021. CISA says the update contains additional details and explanations based on feedback from industry, including more detailed info on logging and threat detection in addition to other clarifications. Some of the updates are subtle but important for those who protect Kubernetes clusters.

    NSA and CISA do not list what the changes are in the updated guidance, but the initial recommendations weren’t met with universal approval. For example, NCC Group noted that advice about Kubernetes authentication was “largely incorrect when it states that Kubernetes does not provide an authentication method by default”, whereas most customer implementations NCC Group had reviewed “support both token and certification authentication, both of which are supported natively.” NCC Group advised against both for production loads because Kubernetes does not support certificate revocation, which can be a problem if an attacker has gained access to a certificate issued to privileged accounts. The updated guidance now says that “several user authentication mechanisms are supported but not enabled by default.”

    Otherwise, key points of the original document appear to be unchanged. It looks at hardening within the context of typical Kubernetes cluster designs that include the control plane, worker nodes (for running containerized apps for the cluster), and pods for containers that are hosted upon these nodes. These clusters are often hosted in the cloud and often across multiple clouds in AWS, Azure, Google and elsewhere.

    The agencies maintain that Kubernetes is commonly targeted for data theft, computational power theft, or denial of service. Historically, flaws in Kubernetes and various dependencies as well as misconfigurations have been used to deploy cryptominers on victims’ infrastructure. It also maintains that Kubernetes is exposed to significant supply chain risks because clusters often have software and hardware dependencies built by third-party developers. For example, security analysts last year warned of attacks against Kubernetes clusters via the misconfigured Argo Workflows container workflow engine for K8s clusters.

    Besides supply chain risks, other key actors in the agencies’ threat model include malicious outsiders and insider threats. These help define its hardening recommendations. For example, there is a common cloud case where workloads that aren’t managed by a given Kubernetes cluster share the same physical network. In that instance, a workload may have access to the kubelet and to control plane components, such as the API server. So, the agencies recommend network-level isolation. The agencies also provide advice on how to ensure strict workload isolation between pods running on the same node in a cluster, given that Kubernetes doesn’t by default guarantee this separation.

    Announcing the updated guidance, the NSA says: “Primary actions include the scanning of containers and pods for vulnerabilities or misconfigurations, running containers and pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing.”

    The agencies also recommend periodic reviews of Kubernetes settings and vulnerability scans to ensure appropriate risks are accounted for and security patches are applied. But patching is not easy in the context of Kubernetes. CISA regularly publishes alerts about new Kubernetes-related vulnerabilities. In February, for example, it warned of a critical (severity score 8.8 out of 10) privilege escalation flaw, CVE-2022-23652, which affected the capsule-proxy reverse proxy for Capsule Operator.

    But as NCC Group points out: “patching everything is hard”, partly because of the pressure to avoid downtime but also because relevant vulnerabilities span Kubernetes, Containerd, runc, the Linux kernel and more. “This is something that Kubernetes can help with, as the whole concept of orchestration is intended to keep services running even as nodes go on and offline. Despite this, we still regularly see customers running nodes that haven’t had patches applied in several months, or even years. (As a tip, server uptime isn’t a badge of honour as much as it used to be; it’s more likely indicative that you’re running an outdated kernel),” NCC Group noted.
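    As an added example (not code from the NSA/CISA report, NCC Group or ZDNet), the following Python lint applies the “least privileges possible” recommendation to a pod manifest: it flags privileged containers, shared host namespaces, containers that may run as root, writable root filesystems, undropped capabilities, enabled privilege escalation and missing resource limits (the denial-of-service and cryptomining concerns the guidance raises). The two manifests are constructed for this example, one deliberately weak and one hardened; in practice the dict would come from `yaml.safe_load` or `json.load` of a real manifest, and the check is a pre-deployment review aid, not a substitute for an admission controller.

```python
"""Least-privilege lint for Kubernetes pod manifests.

Takes a pod manifest as a Python dict (the shape yaml.safe_load / json.load
produce) and returns findings for the settings the NSA/CISA hardening
guidance singles out. The manifests at the bottom are constructed samples.
"""

DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"}


def pod_findings(manifest):
    """Return a list of human-readable findings; an empty list means the pod
    satisfies every check here."""
    findings = []
    spec = manifest.get("spec", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")

    # Host namespaces give a container visibility into the node itself.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key}=true shares a host namespace")

    pod_sc = spec.get("securityContext", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext", {})
        cname = f"{name}/{c.get('name', '?')}"

        if sc.get("privileged"):
            findings.append(f"{cname}: privileged=true")

        # Container-level settings override pod-level ones, so fall back to
        # the pod securityContext only when the container does not set them.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not run_as_non_root and run_as_user in (None, 0):
            findings.append(f"{cname}: may run as root (set runAsNonRoot or runAsUser)")

        # Kubernetes defaults allowPrivilegeEscalation to true unless disabled.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not disabled")

        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: root filesystem is writable")

        caps = sc.get("capabilities", {})
        added = set(caps.get("add", []))
        if added & DANGEROUS_CAPS:
            findings.append(f"{cname}: adds dangerous capabilities {sorted(added & DANGEROUS_CAPS)}")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{cname}: does not drop all capabilities")

        # Without limits one pod can starve the node (DoS, cryptomining).
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{cname}: no resource limits")
    return findings


# Constructed sample: a "debug" pod with the settings the guidance warns against.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed sample: the same workload with the recommended restrictions.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        for finding in pod_findings(pod) or [f"{pod['metadata']['name']}: OK"]:
            print(finding)
```

    The same function can be run over every pod template pulled from a cluster (Deployments, DaemonSets and so on carry the same `spec` under `template`), which makes it a cheap addition to the periodic settings review the agencies recommend.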