Tag Archives: opensources
Cut Through Alert Noise and Fix Toxic Combinations First
Not every security alert is a threat, but the right combination can bring down your cloud native and containerized applications.
Security incidents rarely happen because of a single weak point. Instead, they stem from toxic combinations. A misconfigured workload might seem harmless on its own, but add exposed credentials and an unpatched vulnerability, and attackers have a direct path to exploitation.
IngressNightmare Vulnerabilities: All You Need to Know
On March 24, 2025, a series of critical vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974) were disclosed in the ingress-nginx Controller for Kubernetes, collectively termed IngressNightmare. These vulnerabilities could lead to a complete cluster takeover by allowing attackers unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster.
How the Google-Wiz acquisition redefines cloud security
Google’s acquisition of Wiz, announced last week, is a pivotal moment as it marks a strategic shift in how cyber security will evolve over the next few years. It instantly turns Google into a major player in security, adding Wiz to other building blocks Google has racked up in the past couple of years, most notably Mandiant and Google Chronicle.
Supply Chain Security Risk: GitHub Action tj-actions/changed-files Compromised
On March 14th, 2025, security researchers discovered a critical software supply chain vulnerability in the widely used GitHub Action tj-actions/changed-files (CVE-2025-30066). This vulnerability allows remote attackers to expose CI/CD secrets via the action’s build logs. The issue affects users who rely on the tj-actions/changed-files action in GitHub workflows to track changed files within a pull request.
Due to the compromised action, sensitive CI/CD secrets are being inadvertently logged in the GitHub Actions build logs. If these logs are publicly accessible, such as in public repositories, unauthorized users could access and retrieve the clear text secrets. However, there is no evidence suggesting that the exposed secrets were transmitted to any external network.
Stopping Sobolan Malware with Aqua Runtime Protection
Aqua Nautilus researchers have discovered a new attack campaign targeting interactive computing environments such as Jupyter Notebooks. The attack consists of multiple stages, beginning with the download of a compressed file from a remote server. Once executed, the attacker deploys several malicious tools to exploit the server and establish persistence. This campaign poses a significant risk to cloud-native environments, as it enables unauthorized access and long-term control over compromised systems.
Debunking Six Myths of Cloud Native Security
The promise of cloud native applications lies in their ability to provide enhanced agility, scalability, and resilience, perfectly aligning with the digital transformation needs of today’s enterprises. However, as we navigate this transformation, cloud native application security is often surrounded by myths and misconceptions. Understanding these myths and how they are being addressed is crucial for organizations to secure their environments effectively.
Top Cloud Native Threats and Vulnerabilities of 2024
The complexity of cloud environments means that there is a virtually infinite list of potential security risks and vulnerabilities that could arise within cloud infrastructure or workloads. That said, some cloud security threats are more prevalent than others – and knowing which risks and vulnerabilities are trending is key to knowing what to prioritize when managing the attack surface for your organization. To that end, this article details seven of the most prominent cloud threats and vulnerabilities that emerged in 2024, including several discovered by Aqua researchers.
GigaOm Radar: Aqua Leads in Container Security
Securing containerized applications demands a multi-layered strategy that spans the entire lifecycle from development to production, a challenge Aqua has spent nearly a decade mastering. Aqua’s Container Security solution provides full lifecycle protection by identifying vulnerabilities early in the build phase, integrating acceptance gates in the CI/CD pipeline to minimize risks, and offering real-time runtime protection in production environments. With the Aqua Platform, organizations can secure container workloads across hybrid and multi-cloud environments, stop attacks as they happen, and maintain compliance, all without slowing development.
Malware Forensic Analysis: Capturing What Attackers Leave Behind
Every attack leaves a trail, but in containerized environments, this trail can evaporate before you even realize you have been attacked. These environments bring new challenges for security teams, including an expanding attack surface. Containers, while incredibly powerful, are short-lived, and attackers exploit this by moving quickly and covering their tracks. They often download and execute malware, then silently modify or delete the files to erase evidence of their actions, making it nearly impossible to trace the original attack. Security teams are often left scrambling to piece together what happened.
Securing Container Workloads on Azure Container Apps (ACA)
Azure Container Apps (ACA) is a serverless platform for scalable containerized applications, while abstracting the underlying infrastructure. Since it runs without providing access to its underlying operating system, it has inherent security benefits, but it also presents a challenge for security and compliance tools that were not purpose-built to support such an environment. Aqua is a certified security solution for ACA – read on to see how we do it.
OPA Gatekeeper Bypass Reveals Risks in Kubernetes Policy Engines
Implementing Kubernetes securely can be a daunting task. Fortunately, there are tools in the K8s toolshed that provide out-of-the-box solutions using a single click. One such tool is OPA Gatekeeper. It is a great out-of-the-box security checkpoint to enforce security policies on Kubernetes. But are users using it correctly? Do they understand its limitations? Our new research says not necessarily!
Cloud Security Trends: Predictions and Strategies for Resilience
In 2025, cloud native security is set to undergo transformative progress. As Chief Information Security Officer at Aqua, I’ve seen how rapidly evolving threats and operational demands are driving organizations to redefine their approach to security. The focus is no longer just on adapting to challenges—it’s about deeply embedding security into every facet of development pipelines, runtime environments, and cloud ecosystems.
300,000+ Prometheus Servers and Exporters Exposed to DoS Attacks
In this research, we uncovered several vulnerabilities and security flaws within the Prometheus ecosystem. These findings span across three major areas: information disclosure, denial-of-service (DoS), and code execution. We found that exposed Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API keys.
From Theory to Practice: How to Make DevSecOps Work in Your Organization
Houston, we have a problem: implementing DevSecOps isn’t as straightforward as it seems.
DevSecOps has redefined security in modern software development, becoming the benchmark for organizational success. By embedding security into every phase of the development lifecycle, organizations can deploy faster and collaborate more efficiently while ensuring security at every step. Yet, despite its advantages, according to IDC’s 2024 DevSecOps and Software Supply Chain Security Survey, only 66% of application development teams use DevSecOps methodologies on average. If it were easy to implement, that number would be much closer to 100%. So, what’s holding teams back? Let’s explore the most common challenges—and how to address them.
Matrix Unleashes A New Widespread DDoS Campaign
Aqua Nautilus researchers uncovered a new and widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix. Triggered by activities detected on our honeypots, this investigation dives deep into Matrix’s methods, targets, tools, and overall goals.
Threat Actors Hijack Misconfigured Servers for Live Sports Streaming
To keep up with the ever-evolving world of cybersecurity, Aqua Nautilus researchers deploy honeypots that mimic real-world development environments. During a recent threat-hunting operation, they uncovered a surprising new attack vector: threat actors using misconfigured servers to hijack environments for streaming sports events. By exploiting misconfigured JupyterLab and Jupyter Notebook applications, attackers drop live streaming capture tools and duplicate the broadcast on their illegal server, thus conducting stream ripping. In this blog, we explain how our threat hunting operation helped us uncover this and how we analyzed this attack using Aqua Tracee and Traceeshark.
New Aqua User Experience: Streamlined Vulnerability Management
The new Aqua Hub update is designed to take the headache out of vulnerability management, addressing common challenges like alert overload and data consistency issues. With this update, teams get a clean, streamlined view of vulnerabilities that cuts through the noise, so they can focus on the critical issues without getting lost in irrelevant details.
Enhancing UK Cybersecurity and Resilience: Impact of the New National Bill
As the digital landscape rapidly evolves, the need for a robust, adaptive security strategy becomes increasingly critical. Cyber threats are becoming more sophisticated and widespread, necessitating a proactive approach to cybersecurity. The UK’s Cyber Security and Resilience Bill represents a significant stride towards fortifying the nation’s defenses against these threats.
5 Must-See Sessions at KubeCon North America
Who’s getting excited? Next week, the Cloud Native Computing Foundation’s flagship conference, KubeCon + CloudNativeCon, will kick off in Salt Lake City, Utah. In its ninth year, the conference has grown into more than just a technical conference—it’s a vibrant community event that offers attendees the tools, relationships, and inspiration to drive innovation in the cloud native ecosystem.
Threat Alert: TeamTNT’s Docker Gatling Gun Campaign
Long time no see: Aqua Nautilus researchers have identified a new campaign in the making by TeamTNT, a notorious hacking group. In this campaign, TeamTNT appears to be returning to its roots while preparing for a large-scale attack on cloud native environments. The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure to spread their malware.