IngressNightmare: Hunting Security Exposures with ExposureGraphNodes and Security Explorer


To investigate #IngressNightmare, Microsoft’s Security Exposure Management and Defender for Cloud provide powerful tools:

✅ ExposureGraphNodes (Advanced Hunting)

✅ Security Explorer (Defender for Cloud)

🔗 Reference: Microsoft Security Blog

You Should Know:

### **1. Using ExposureGraphNodes for Advanced Hunting**

Run this KQL query in Microsoft Defender Advanced Hunting to detect exposed ingress controllers:

```kql
ExposureGraphNodes
| where ExposureType == "KubernetesIngressExposure"
| where IsPublic == true
| project ClusterName, Namespace, IngressName, PublicIPs, ExposureDetails
```

### **2. Security Explorer in Defender for Cloud**

Navigate to Defender for Cloud → Security Explorer and apply these filters:

- ResourceType: Kubernetes
- ExposureType: Ingress

### **3. Manual Verification via kubectl**

For clusters not fully integrated with CSPM, list every Ingress object that lacks the ingress-nginx source-range whitelist annotation (printed as namespace/name):

```bash
kubectl get ingress --all-namespaces -o json \
  | jq -r '.items[]
           | select(.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" == null)
           | "\(.metadata.namespace)/\(.metadata.name)"'
```

### **4. PowerShell for Azure Kubernetes Checks**

```powershell
# Enumerate AKS clusters, fetch credentials, and list Ingress objects that lack the whitelist annotation.
# The original filtered the tabular `kubectl get ingress` output for "whitelist", which never appears there,
# so the check is done on the JSON annotations instead.
$annotation = "nginx.ingress.kubernetes.io/whitelist-source-range"
az aks list --query "[].{Name:name,ResourceGroup:resourceGroup}" -o tsv | ForEach-Object {
    $cluster, $rg = $_ -split "`t"
    az aks get-credentials --name $cluster --resource-group $rg --overwrite-existing
    (kubectl get ingress -A -o json | ConvertFrom-Json).items |
        Where-Object { -not $_.metadata.annotations.$annotation } |
        ForEach-Object { "{0}: {1}/{2}" -f $cluster, $_.metadata.namespace, $_.metadata.name }
}
```

### **5. Linux Command for Network Exposure Check**

```bash
# Resolve the load-balancer IPs of all Ingress objects and check which web ports answer from outside.
# `[]?` and `// empty` skip Ingress objects whose load balancer has no address yet; without them
# jq aborts with "Cannot iterate over null" and nmap receives no targets.
nmap -Pn -p 80,443,8080 $(kubectl get ingress -A -o json \
  | jq -r '.items[].status.loadBalancer.ingress[]?.ip // empty' | sort -u)
```
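As an added example (not from the original post, nor from the ingress-nginx project), the following Python script does in one pass what the jq one-liners in sections 3 and 5 do, and goes a little further: it also flags annotations that are present but allow everyone (0.0.0.0/0 or ::/0, or an unparseable entry), and it tolerates Ingress objects whose load balancer has no address yet, which is exactly the case that makes the `.ingress[]` jq path fail. Pipe `kubectl get ingress -A -o json` into it; with no input it runs on the constructed SAMPLE_DUMP embedded below. The annotation name is the real ingress-nginx one; the namespaces, names and IPs in the sample are invented.

```python
"""
Audit ingress-nginx Ingress objects for missing or overly broad source-range
restrictions and collect their public load-balancer IPs.

Added example, not code from the original post. Input is the JSON that
`kubectl get ingress -A -o json` prints, so it also works offline on a saved dump.
"""
import ipaddress
import json
import sys

WHITELIST_ANNOTATION = "nginx.ingress.kubernetes.io/whitelist-source-range"

# Constructed sample shaped like kubectl output: three Ingress objects in two namespaces.
SAMPLE_DUMP = json.dumps({
    "items": [
        {   # no annotation at all -> exposed
            "metadata": {"name": "shop", "namespace": "prod", "annotations": {}},
            "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}},
        },
        {   # annotation present but allows the whole internet -> exposed
            "metadata": {"name": "admin", "namespace": "prod",
                         "annotations": {WHITELIST_ANNOTATION: "0.0.0.0/0"}},
            "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}},
        },
        {   # properly restricted; no load-balancer address assigned yet (empty status)
            "metadata": {"name": "internal", "namespace": "ops",
                         "annotations": {WHITELIST_ANNOTATION: "10.0.0.0/8, 192.168.1.0/24"}},
            "status": {"loadBalancer": {}},
        },
    ]
})


def is_unrestricted(value):
    """True if the annotation is absent, blank, contains a catch-all CIDR, or cannot be parsed."""
    if value is None or not value.strip():
        return True
    for cidr in (c.strip() for c in value.split(",") if c.strip()):
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            # Unparseable entry: report it as a finding rather than silently trusting it.
            return True
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 allows every client
            return True
    return False


def audit(dump_json):
    """Return (findings, lb_ips): exposed Ingress objects and the sorted unique LB IPs."""
    data = json.loads(dump_json)
    findings = []
    lb_ips = set()
    for item in data.get("items", []):
        meta = item.get("metadata") or {}
        annotations = meta.get("annotations") or {}  # kubectl omits the key when empty
        value = annotations.get(WHITELIST_ANNOTATION)
        # status.loadBalancer.ingress may be missing or null; handle both instead of failing.
        lb = ((item.get("status") or {}).get("loadBalancer") or {}).get("ingress") or []
        for entry in lb:
            if entry.get("ip"):
                lb_ips.add(entry["ip"])
        if is_unrestricted(value):
            findings.append({"namespace": meta.get("namespace"),
                             "name": meta.get("name"),
                             "source_range": value})
    return findings, sorted(lb_ips)


def main():
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    findings, ips = audit(dump)
    for f in findings:
        print(f"EXPOSED {f['namespace']}/{f['name']} source-range={f['source_range']!r}")
    print("load-balancer IPs to verify:", " ".join(ips) or "(none assigned)")


if __name__ == "__main__":
    main()
```

Run as `kubectl get ingress -A -o json | python3 audit_ingress.py`; the IP list it prints is the same target set the nmap command above derives, with the null-status case handled. The parse-failure branch in `is_unrestricted` is deliberate: an annotation the controller cannot interpret is not a restriction you can rely on, so it is reported rather than skipped.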

## **What Undercode Say:**

The #IngressNightmare scenario highlights misconfigured Kubernetes ingress controllers exposing critical services. Always:
– Restrict ingress with network policies (kubectl apply -f network-policy.yaml)
– Enable Defender for Containers (az aks update --enable-defender -g MyRG -n MyAKS); the Azure Policy add-on (az aks enable-addons --addons azure-policy -g MyRG -n MyAKS) is what enforces the policy assignments in the next step
– Use Azure Policy to enforce ingress restrictions (az policy assignment create --policy "/providers/Microsoft.Authorization/policyDefinitions/[...]")
– Monitor logs with Azure Sentinel KQL (the annotation key contains hyphens and slashes, so it must be read with bracket notation):

```kql
KubernetesInventory
| where Namespace contains "ingress"
| where isempty(Annotations["nginx.ingress.kubernetes.io/whitelist-source-range"])
```

## **Expected Output:**

  • List of exposed ingress controllers
  • Remediation steps via Azure Policy or kubectl patches
  • Continuous monitoring via Defender for Cloud alerts

🔗 Further Reading: Kubernetes Hardening Guide

References:

Reported By: Markolauren Ingressnightmare – Hackers Feeds