Full Report
The infection began with the exploitation of a vulnerable Jenkins server (CVE-2024-238976), which enabled lateral movement into AWS EKS clusters. The threat actor deployed a malicious Docker image (kvlnt/vv) containing a Rust-based downloader (vGet) that retrieved an encrypted...
Analysis Summary
# Incident Report: eBPF Rootkit Targeting AWS EKS Environment
## Executive Summary
This incident involved sophisticated threat actors exploiting a critical Jenkins vulnerability (CVE-2024-238976) for initial access, which subsequently facilitated lateral movement into AWS EKS clusters. The attackers deployed a multi-staged payload leveraging a malicious Docker image and a Rust downloader (vGet) to establish persistence via the advanced LinkPro rootkit, suggesting a financially motivated operation focused on long-term covert access.
## Incident Details
- Discovery Date: Not explicitly stated (Implied post-compromise analysis)
- Incident Date: Began with the initial Jenkins exploitation.
- Affected Organization: Undisclosed.
- Sector: Technology/Cloud Infrastructure (Targeting AWS EKS).
- Geography: Not explicitly stated.
## Timeline of Events
### Initial Access
- **Date/Time:** Initial exploitation phase.
- **Vector:** Exploitation of a vulnerable Jenkins server (CVE-2024-238976).
- **Details:** This exploitation provided the foothold necessary for the attack campaign.
### Lateral Movement
- **Date/Time:** Following initial access.
- **Vector:** Exploitation of initial access to pivot into AWS EKS clusters.
- **Details:** Threat actors deployed a malicious Docker image (`kvlnt/vv`) containing the Rust-based downloader, vGet, to retrieve the primary payload. They achieved persistence and system access via container escapes, enabled by host filesystem mounts and privilege escalation.
### Persistence and Impact
- **Date/Time:** Post-EKS compromise.
- **Vector:** Deployment of the LinkPro rootkit (written in Golang).
- **Details:** LinkPro installed four key ELF binaries, including two eBPF modules ("Hide" and "Knock") and the `libld.so` shared library. The rootkit established comprehensive remote access capabilities, including full remote shell, file operations, SOCKS5 proxy tunneling, and flexible C2 communications, demonstrating a strong intent for long-term access and data exfiltration.
### Detection & Response
- **Date/Time:** Not explicitly stated.
- **Vector:** (Implied) Analysis of endpoint activities or security tool alerts related to eBPF execution or unusual network traffic.
- **Details:** Response actions are not detailed in the context, but necessary eradication would involve cleaning compromised hosts and remediating the Jenkins vulnerability.
## Attack Methodology
| MITRE ATT&CK Phase | Observed Techniques Used |
| :--- | :--- |
| **Initial Access** | Vulnerability Exploitation (Jenkins CVE-2024-238976) |
| **Execution** | Malicious Docker Image deployment (`kvlnt/vv`), use of Rust downloader (vGet) |
| **Persistence** | LinkPro Rootkit installation, masquerading as `systemd-resolved`, creating fake unit files. |
| **Privilege Escalation** | Exploitation of container isolation via host filesystem mounts. |
| **Defense Evasion** | **eBPF Hooks:** Using `tracepoint` and `kretprobe` hooks on `getdents` and `sys_bpf` to hide files/processes. **Fallback:** `LD_PRELOAD` technique to hide artifacts in user space. |
| **Discovery** | N/A (Implied discovery within EKS context). |
| **Lateral Movement** | Leveraging initial cloud access to move from Jenkins into EKS clusters. |
| **Command and Control (C2)** | **eBPF Knock Module:** Monitors for TCP "magic packets" (SYN/54321) to activate C2 on hidden port 2233 (bypassing firewalls). **Fallback:** DNS Tunneling and HTTP C2. |
| **Collection/Impact** | Full remote shell access, file operations, SOCKS5 proxy tunneling. |
## Impact Assessment
- **Financial:** Likely significant due to the need for extensive forensics, remediation, and potential data loss; activity is described as financially motivated.
- **Data Breach:** Potential high impact due to access to EKS data and ability to tunnel traffic, suggesting possible data exfiltration capability.
- **Operational:** Significant operational disruption due to the deep level of system compromise via kernel-level rootkits (LinkPro).
- **Reputational:** Moderate to High, depending on the sensitivity of the exposed EKS resources.
## Indicators of Compromise
- **File Indicators:** LinkPro ELF binaries (eBPF modules "Hide" and "Knock"), shared library `/etc/libld.so`, fake systemd unit file `/etc/systemd/system/systemd-resolveld.service`, data directory structure `/usr/lib/.system/`.
- **Network Indicators:** Use of TCP SYN packets with Window Size 54321 for C2 activation; internal C2 listener on hidden port 2233.
- **Behavioral Indicators:** Unexpected kernel module loading, use of eBPF for process/file hiding, unusual `systemd-resolved` process behavior, remote connections to non-standard ports (2233).
## Response Actions
- **Containment:** Requires immediate isolation of compromised EKS nodes, temporary blocking of external C2 beaconing identified via network analysis, and immediate patching/quarantining of the vulnerable Jenkins server.
- **Eradication:** Comprehensive manual removal of the LinkPro rootkit, its associated files, and the malicious Docker images from all affected hosts. Rebuilding compromised containers/nodes from trusted sources.
- **Recovery:** Restoring full operational status after verifying all persistence mechanisms are removed. Implementation of mandatory credential rotations for cloud roles used by Jenkins/EKS.
## Lessons Learned
- **Patch Management Criticality:** Failure to patch known vulnerabilities (especially on critical entry points like Jenkins) leads to immediate, high-impact compromises.
- **Cloud Environment Hardening:** Container environments (EKS) require stringent security to prevent container escapes, even when host filesystem mounts are utilized.
- **Advanced Evasion:** The use of layered evasion techniques (eBPF for kernel-space hiding, LD\_PRELOAD for user-space hiding, and custom network signaling) demonstrates significant attacker sophistication requiring advanced endpoint detection capabilities.
## Recommendations
1. **Immediate Patching:** Apply patches for CVE-2024-238976 on all Jenkins installations immediately.
2. **Container Security:** Enforce strict Pod Security Standards (PSS) within EKS to prevent unsafe configurations like host path mounts and privileged containers.
3. **eBPF Monitoring:** Implement specialized tooling capable of monitoring and alerting on the dynamic loading and manipulation of eBPF programs, specifically hooks targeting tracepoints and kretprobes on core system calls.
4. **Network Segmentation:** Segment application environments (EKS) from initial access points (Jenkins) to limit the scope of successful lateral movement.
5. **System Integrity Checks:** Deploy File Integrity Monitoring (FIM) capable of detecting unauthorized installation of rootkit components such as shared libraries (`libld.so`) in common library paths.