Experiencing "Critical Fileless execution via memfd_create" security events from the "csi-node-driver-registrar" container

wgmax 25 Reputation points
2024-10-30T18:45:54.86+00:00

Hello community,

We've been running several AKS clusters for some time. Suddenly, the Falco (threat detection tool) pods started reporting suspicious activity every few seconds, starting from approximately 2 AM UTC on Oct 30. The events look similar to the following:

{ "hostname": "aks-...-vmss00000d", "output": "10:45:16.091195599: Critical Fileless execution via memfd_create (container_start_ts=<NA> proc_cwd=/run/containerd/io.containerd.runtime.v2.task/k8s.io/2a630c3fbe201846878a9550e2f0065b03e7c4e6a2355336d0e60f2624fb6455/rootfs/ evt_res=SUCCESS proc_sname=containerd gparent=containerd-shim evt_type=execve user=root user_uid=0 user_loginuid=-1 process=5 proc_exepath=memfd:runc_cloned:/proc/self/exe parent=runc command=5 init terminal=0 exe_flags=EXE_WRITABLE|EXE_FROM_MEMFD container_id=host container_image=<NA> container_image_tag=<NA> container_name=host k8s_ns=<NA> k8s_pod_name=<NA>)", "priority": "Critical", "rule": "Fileless execution via memfd_create", "source": "syscall", "tags": [ "T1620", "container", "host", "maturity_stable", "mitre_defense_evasion", "process" ], "time": "2024-10-30T10:45:16.091195599Z", "output_fields": { "container.id": "host", "container.image.repository": null, "container.image.tag": null, "container.name": "host", "container.start_ts": null, "evt.arg.flags": "EXE_WRITABLE|EXE_FROM_MEMFD", "evt.res": "SUCCESS", "evt.time": 1730285116091195599, "evt.type": "execve", "k8s.ns.name": null, "k8s.pod.name": null, "proc.aname[2]": "containerd-shim", "proc.cmdline": "5 init", "proc.cwd": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/2a630c3fbe201846878a9550e2f0065b03e7c4e6a2355336d0e60f2624fb6455/rootfs/", "proc.exepath": "memfd:runc_cloned:/proc/self/exe", "proc.name": "5", "proc.pname": "runc", "proc.sname": "containerd", "proc.tty": 0, "user.loginuid": -1, "user.name": "root", "user.uid": 0 } }

After checking the nodes for the mentioned containers, I found that it comes from the container csi-node-driver-registrar:

sudo ctr -n k8s.io containers ls | grep 8a397e55ab7d9527a6ca87d512a165183a16b5c1035bc43ea83bb71e43d9a600
8a397e55ab7d9527a6ca87d512a165183a16b5c1035bc43ea83bb71e43d9a600 mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1 io.containerd.runc.v2

Does anyone know of any recent changes that can make this happen, or should we treat it as a malware invasion?

I would appreciate any tips.
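Added triage example (not part of the question or of any answer on this page): a small Python script that reads Falco JSON events of the kind quoted above and separates the ones that match runc's own self-copy pattern from everything else that fires the same rule. The heuristic relies on one fact about runc that the post does not state: when runc starts a container it copies its own binary into an anonymous memory file named `runc_cloned:/proc/self/exe` and executes from there, which is exactly the `proc.exepath=memfd:runc_cloned:/proc/self/exe` / `parent=runc` / `command=<pid> init` / `container_id=host` combination in the quoted event. The first sample line is the page's event trimmed to the fields the script uses; the second line, the field names checked, and the verdict labels are constructed for this example. Anything that does not match every part of that pattern is left for a human to investigate rather than suppressed.

```python
import json
from collections import Counter

# Constructed sample input. Line 1 is the event quoted in the question, reduced to the
# fields the triage needs. Line 2 is a made-up memfd execution that must NOT be
# explained away by the runc heuristic. Line 3 is deliberately malformed.
SAMPLE_EVENTS = [
    '{"hostname": "aks-...-vmss00000d", "rule": "Fileless execution via memfd_create", '
    '"priority": "Critical", "time": "2024-10-30T10:45:16.091195599Z", '
    '"output_fields": {"container.id": "host", "evt.type": "execve", '
    '"proc.exepath": "memfd:runc_cloned:/proc/self/exe", "proc.pname": "runc", '
    '"proc.aname[2]": "containerd-shim", "proc.cmdline": "5 init", "user.uid": 0}}',
    '{"hostname": "aks-...-vmss00000d", "rule": "Fileless execution via memfd_create", '
    '"priority": "Critical", "time": "2024-10-30T10:47:02.000000000Z", '
    '"output_fields": {"container.id": "0123456789ab", "evt.type": "execve", '
    '"proc.exepath": "memfd:x", "proc.pname": "bash", '
    '"proc.aname[2]": "sshd", "proc.cmdline": "x", "user.uid": 0}}',
    'this line is not JSON',
]

# What runc's self-copy looks like in Falco's fields (assumption based on runc's
# behaviour of cloning its binary into a memfd before entering the container).
RUNC_MEMFD_EXEPATH = "memfd:runc_cloned:/proc/self/exe"
RUNC_PARENT = "runc"
RUNC_ANCESTOR = "containerd-shim"   # proc.aname[2] in the quoted event

VERDICT_RUNC = "runc-self-clone"    # expected runtime behaviour
VERDICT_INVESTIGATE = "investigate" # any other memfd execution
VERDICT_UNPARSEABLE = "unparseable" # broken log line, never silently dropped


def classify(event: dict) -> str:
    """Return a verdict for one parsed Falco event."""
    f = event.get("output_fields", {})
    cmdline = f.get("proc.cmdline", "")
    is_runc_init = (
        f.get("proc.exepath") == RUNC_MEMFD_EXEPATH
        and f.get("proc.pname") == RUNC_PARENT
        and f.get("proc.aname[2]") == RUNC_ANCESTOR
        and f.get("container.id") == "host"      # the clone runs before the container exists
        and cmdline.endswith(" init")            # "<pid> init" per the quoted event
    )
    return VERDICT_RUNC if is_runc_init else VERDICT_INVESTIGATE


def triage_lines(lines):
    """Parse each JSON line and return (time, hostname, verdict, exepath) tuples."""
    results = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            results.append(("", "", VERDICT_UNPARSEABLE, ""))
            continue
        exepath = event.get("output_fields", {}).get("proc.exepath", "")
        results.append((event.get("time", ""), event.get("hostname", ""),
                        classify(event), exepath))
    return results


def summarize(lines) -> dict:
    """Count verdicts so a burst of identical runc events is visible at a glance."""
    return dict(Counter(verdict for _, _, verdict, _ in triage_lines(lines)))


if __name__ == "__main__":
    for time, host, verdict, exepath in triage_lines(SAMPLE_EVENTS):
        print(f"{verdict:14} {time:30} {host:22} {exepath}")
    print(summarize(SAMPLE_EVENTS))
```

Run it against a Falco JSON output file with `python3 triage.py < falco.json` after swapping `SAMPLE_EVENTS` for `sys.stdin`; the point of the strict, all-fields match is that a memfd execution whose parent is not runc, or that happens inside an already-running container, still lands in the `investigate` bucket even though it fires the same rule.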

