
How Lacework FortiCNAPP Caught an Accidental Insider Threat

Jun, 17, 2024 Hi-network.com

Staying ahead of threats, especially those from within, is critical. However, this can be extremely difficult for teams using traditional or even "next-gen" security tools. Lacework FortiCNAPP is unique in this capability. Its machine-learning (ML) technology recently demonstrated its ability to protect cloud environments against a bleeding-edge sophisticated threat. This blog post explores the detection of a developer-installed backdoor in a Databricks environment, highlights the risk of insider threats, and explores the concept and implications of backdoors in cloud computing. 

Understanding the Threat: What Are Backdoors?

In cybersecurity, a backdoor refers to a method by which authorized and unauthorized users can bypass normal authentication and security mechanisms to gain high-level user access to a computer system, network, or software application. Backdoors can be created for legitimate purposes, such as the provisioning of remote access to IT support for troubleshooting. However, attackers can also leverage them to gain continued access to a target environment stealthily. These backdoors can be particularly alarming in a cloud computing context, where they might allow attackers to access vast amounts of data or gain control over scalable cloud-based resources.

Examples of Backdoors in Cloud Providers

Backdoors in cloud environments come in various forms, including:

Embedded code in cloud applications: Malicious code inserted into cloud-based applications can provide backdoor access at the application level.

Compromised virtual machines (VM), containers, or hosts: Attackers might install backdoor software on a VM to maintain continuous remote access, often for data theft or other malicious activities. This scenario unfolded in the situation covered in this blog.

The Lacework FortiCNAPP Anomaly Detection Win

This incident involved a developer (a hired contractor, not a malicious hacker) who created a backdoor in a Databricks environment deployed into a customer's cloud. Why and how did this happen? While his experience was primarily on *nix systems, he was tasked with working on Windows systems. To work around his lack of experience, he used a Linux box to create a backdoor so he could do his work.

While this doesn't necessarily constitute a threat because of the lack of malicious intent, it illustrates how easy it is to open up potential vectors in the attack surface. And thanks to the sophisticated anomaly detections and composite alerts built into Lacework FortiCNAPP, this activity was swiftly identified and mitigated. 

Lacework FortiCNAPP composite alerts are indispensable to incident responders because they streamline their alert investigation process and effectively correlate multiple weak signals to identify and address complex security threats. 

Rather than starting from a list of known good or bad behaviors that security teams must constantly maintain against an ever-changing environment, Lacework FortiCNAPP continuously ingests vast amounts of data to establish an organization's baseline behavior. It can then determine what is new or different in your environment before enriching it with a security context. Composite alerts can identify anomalous behavior early, enabling organizations to find and react to issues before launching a full-scale incident response. The ability to catch an attack in its earliest stages, detecting each anomaly with only the slightest hint of a signal, is a highly differentiated approach that makes Lacework FortiCNAPP unique from other solutions claiming to have threat detection.

The consolidated composite alert was instrumental in detecting and correlating five alerts. By combining multiple individual alerts into a broader context, the security team quickly identified the security risk and removed the backdoor.

Let's look at the timeline of events that took place automatically in Lacework FortiCNAPP in the span of an hour: 

Part 1: The Anomalies Emerge

At about 3 p.m. ET, Lacework FortiCNAPP detected something unusual. An alert popped up and flagged the execution of a new application, zsh, on a critical host. Initially, that alert sparked curiosity but not alarm because new shell executions often fall into a gray area. However, this indicated that someone or something might be exploring unconventional tools or methods on the host system. While the context into the depth of the alert was subtle, this initial alert contained enough security relevance for Lacework FortiCNAPP to automatically start an investigation into what could result in an eventual composite alert.

Part 2: The Growing Evidence

Within minutes, Lacework FortiCNAPP began connecting the dots between additional anomalies. When another alert, this time for gs-netcat, an application known for its ability to establish a secure TCP connection behind a NAT/firewall, was triggered, Lacework FortiCNAPP automatically added it to its collection of evidence. This alert also triggered an early warning for the security team. Though not inherently malicious, gs-netcat can be used for reverse shells or remote command execution. This second alert, on the same host, intensified scrutiny.

Additional alerts continued to paint a clearer picture of a potential security incident. Lacework FortiCNAPP next detected that the application gs-netcat, running on the host with root privileges, had made an outbound connection to an external IP address on TCP port 80. This was the first time an outbound connection had been made to this external IP address from this environment, and it triggered an "Outbound connection to a new external IP address from application" alert. Interestingly, according to VirusTotal, this new IP address did not appear to be malicious. Normally, an outbound connection from an application such as gs-netcat, running with root privileges, to an unknown IP address would merit further manual investigation. With Lacework FortiCNAPP, however, these steps are carried out automatically.

Lacework FortiCNAPP then detected that the application gs-netcat running on the host made an outbound connection on port 7350 to an IP address resolving at l[.]gs[.]thc[.]org, another suspicious connection to a new domain. (Fun fact: The Hacker's Choice website, thc.org, associated with the subdomain l.gs.thc.org, is a benign, known resource for security researchers.)

Adding to the growing pile of evidence, Lacework FortiCNAPP also detected the gs-netcat binary with hash 362b700c68ff2dc5c4188d32096b9c3d0f61073b9758cf25ab068b095460b9f9 and identified it as a suspicious file by correlating threat intelligence data.

With this hash in hand, Lacework FortiCNAPP had the critical mass of correlated, security-focused detections needed to trigger the next step.

Part 3: The Final Composite Alert

Less than an hour after the initial alert, which was fired as an early warning signal, Lacework FortiCNAPP fired a final, consolidated alert: a potentially compromised host composite alert notifying the security team that a host machine might be compromised.

By automating the detection and correlation of these anomalies, Lacework FortiCNAPP alleviated the burden on security analysts who otherwise would have been bogged down in low-severity signals. This automation enables analysts to focus on higher-value tasks by swiftly and efficiently addressing critical security events. Without Lacework FortiCNAPP, an analyst would have needed to manually connect the dots, risking the possibility of overlooking this backdoor installation. 
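The three-part timeline above is, in essence, a per-host correlation of weak signals inside a time window: a new application, a new binary, a new external IP, a new external domain and a threat-intel hash match are each low severity on their own, but together they justify a "potentially compromised host" escalation. The following Python is an added illustration of that correlation logic, not Lacework FortiCNAPP code or any vendor's detection content. The host names, timestamps, the TEST-NET IP address, the placeholder hash, the one-hour window and the four-distinct-signal threshold are all assumptions constructed for the example; the five signal events mirror the sequence described in the blog.

```python
"""Toy composite-alert correlator (added example, not Lacework code).

Replays individual alerts in time order, keeps a sliding window of evidence
per host, and raises one composite alert per host once enough *distinct*
signal kinds have fired inside the window. All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    kind: str    # signal type, e.g. "new_application"
    detail: str  # human-readable summary used as evidence text


# Signal kinds that count toward escalation. Each kind contributes once per
# host no matter how many raw alerts of that kind fire (assumption: breadth
# of evidence, not raw alert volume, drives the composite).
CONTRIBUTING_KINDS: Set[str] = {
    "new_application",
    "new_external_ip",
    "new_external_domain",
    "suspicious_file_hash",
}

WINDOW = timedelta(hours=1)  # correlation window (assumed value)
THRESHOLD = 4                # distinct kinds required (assumed value)


def correlate(alerts, window=WINDOW, threshold=THRESHOLD) -> List[dict]:
    """Return composite alerts, at most one per host, in firing order."""
    evidence: Dict[str, List[Alert]] = {}
    fired: Set[str] = set()
    composites: List[dict] = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        bucket = evidence.setdefault(alert.host, [])
        bucket.append(alert)
        # Age out evidence older than the window, measured from the newest alert.
        cutoff = alert.ts - window
        bucket[:] = [e for e in bucket if e.ts >= cutoff]
        kinds = {e.kind for e in bucket if e.kind in CONTRIBUTING_KINDS}
        if alert.host not in fired and len(kinds) >= threshold:
            fired.add(alert.host)
            composites.append({
                "host": alert.host,
                "fired_at": alert.ts,
                "kinds": sorted(kinds),
                "evidence": [e.detail for e in bucket],
            })
    return composites


def at(hh: int, mm: int) -> datetime:
    """Constructed timestamp on the blog's publication date."""
    return datetime(2024, 6, 17, hh, mm)


HOST = "dbx-driver-01"  # constructed host name

# Constructed sample alerts: one stale signal that must age out, the five
# signals from the blog's timeline, and an unrelated host that must not escalate.
SAMPLE_ALERTS = [
    Alert(at(13, 40), HOST, "new_application", "python3 executed"),
    Alert(at(15, 0), HOST, "new_application", "zsh executed"),
    Alert(at(15, 5), HOST, "new_application", "gs-netcat executed"),
    Alert(at(15, 12), HOST, "new_external_ip",
          "gs-netcat (root) -> 203.0.113.10:80 (constructed TEST-NET address)"),
    Alert(at(15, 20), HOST, "new_external_domain",
          "gs-netcat -> l.gs.thc.org:7350"),
    Alert(at(15, 35), HOST, "suspicious_file_hash",
          "gs-netcat sha256 <placeholder-hash> matched threat intel"),
    Alert(at(15, 10), "dbx-worker-02", "new_application", "vim executed"),
]


def summarize(composites: List[dict]) -> List[str]:
    """One line per composite alert, suitable for a ticket or chat channel."""
    return [
        f"{c['host']} potentially compromised at {c['fired_at']:%H:%M}: "
        f"{len(c['evidence'])} alerts, kinds={c['kinds']}"
        for c in composites
    ]


if __name__ == "__main__":
    for line in summarize(correlate(SAMPLE_ALERTS)):
        print(line)
```

Run as written, the driver host escalates on the fifth signal (the hash match at 15:35) with five pieces of evidence, the 13:40 alert having aged out of the window, while the worker host with a single new application never does. Raising `THRESHOLD` to 5 suppresses the composite entirely, which is the trade-off a real baseline-driven system tunes continuously: a lower threshold catches the accidental backdoor earlier, a higher one reduces noise from ordinary operator activity.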

The Importance of Addressing Insider Threats

Insider threats represent one of the most elusive yet potentially damaging risks to cloud environments. Unlike external attacks, insiders already have some authorized access that can be exploited to facilitate malicious activities or unintentional harm. This use case also underscores the need for robust internal controls, continuous monitoring, and the deployment of advanced security systems, like those provided by Lacework FortiCNAPP, to detect and respond to such threats promptly.

ML-Trained Threat Detection Is Essential

The ability of Lacework FortiCNAPP to detect and respond to intricate security challenges, from cloud environments to application code and system events, is a testament to its leading-edge technology and strategic approach to cloud security. Utilizing advanced ML and composite alerts, Lacework FortiCNAPP addresses the evolving landscape of cloud threats and fortifies organizations against future vulnerabilities, including internal risks.

Organizations that leverage cloud technology must recognize the critical nature of insider threats and the potential for backdoors. And they must equip their security teams with the tools and strategies to protect their digital assets comprehensively. While this organization was lucky that this backdoor was installed without malicious intent, this scenario also raises a potential policy issue that needs to be addressed.

Most importantly, this story showcases the effectiveness of Lacework FortiCNAPP's patented advanced threat detection and serves as a crucial reminder of the ongoing vigilance required to secure cloud environments against today's increasingly sophisticated threats.

Explore the full potential of Lacework FortiCNAPP and discover how it can transform your cloud security strategy.

 

Note: This blog was originally published on Lacework.com. References to Lacework's CNAPP solution were updated in the blog to "Lacework FortiCNAPP" following Fortinet's acquisition of Lacework in August 2024.
