Hijacked processes
A hijacked process incident indicates that an existing process has been used in ways that are inconsistent with its expected behavior.
This type of incident could be a sign that a process has been used to compromise a container.
Investigation
The following incident shows that java, which is an expected process in this Struts2 container, has launched a bash shell.
This is decidedly unexpected behavior.
You can also see that it wrote out a suspicious new file named .java.
The first step in an investigation is to determine if this is indeed malicious behavior.
Reviewing the audit logs under
Monitor > Events > Container Audits
shows a pattern of behavior that is troubling.
A number of commands are being executed by Java, including a copy of the sensitive /etc/passwd file.
The next step in the investigation is to determine how an attacker was able to hijack the process.
A likely culprit is a vulnerability in the code deployed to the container.
Reviewing the vulnerability scan report for the underlying image shows that it contains a package with a remote code execution vulnerability.
This vulnerability is remotely exploitable and exploit code is readily available.
Reviewing the application logs for this container, with docker logs <CONTAINER-NAME>, shows errors consistent with the exploitation of CVE-2017-5638.
Mitigation
The first step in mitigating the issue is fixing the root cause and redeploying the image.
Prisma Cloud’s layer view of vulnerabilities shows developers where the vulnerability was introduced.
For this image, you can see that CVE-2017-5638 is present in a .war file downloaded at the end of the Dockerfile.
Additionally, enabling prevention of runtime process events would provide future defense-in-depth.
