Objective: Exfiltrate data, disrupt performance, or gain unauthorized access via SkyWalking
[Attacker Goal: Exfiltrate data, disrupt performance, or gain unauthorized access via SkyWalking] / | / | {1. Compromise SkyWalking OAP Server} {2. Manipulate SkyWalking Agent} / | / / | / {1.1 Exploit} {1.2 Attack} {2.1 Inject} <> <> <> {in OAP} {Access} {Code}
Attack Tree Path: 1. Compromise SkyWalking OAP Server
-
Description: This is the primary high-risk area. The OAP server is the central aggregation and processing point for all monitoring data. Compromising it provides the attacker with the greatest control and access to sensitive information.
-
{1.1 Exploit Vulnerabilities in OAP}:
- Description: Attackers actively search for and exploit known or unknown (zero-day) vulnerabilities in the OAP server's code and its dependencies (e.g., gRPC, Elasticsearch, H2, MySQL). This is a direct path to compromise.
- <> (Critical Node): The existence of exploitable vulnerabilities (especially Remote Code Execution - RCE) is the critical enabling factor for this attack path. Without a vulnerability, this path is blocked.
- Attack Vectors:
- Remote Code Execution (RCE): Exploiting a vulnerability that allows the attacker to execute arbitrary code on the OAP server. This is the most severe type of vulnerability.
- SQL Injection: If the OAP server uses a vulnerable database backend, attackers could inject malicious SQL code to extract data, modify data, or even gain control of the database server.
- Deserialization Vulnerabilities: Exploiting vulnerabilities in how the OAP server handles deserialization of data from agents or other sources.
- Dependency Vulnerabilities: Exploiting vulnerabilities in third-party libraries used by the OAP server.
- Mitigation Focus: Patching, vulnerability scanning, input validation, minimizing attack surface, secure configuration of storage backend.
-
{1.2 Attack Network Access to OAP}:
- Description: If the OAP server is exposed to untrusted networks (including the public internet or insufficiently secured internal networks), attackers can directly attempt to access it.
- <> (Critical Node): The attacker's ability to reach the OAP server over the network is the critical enabling factor. Network segmentation and firewalls are key defenses.
- Attack Vectors:
- Brute-Force Attacks: Attempting to guess usernames and passwords for OAP server access.
- Credential Stuffing: Using lists of stolen credentials from other breaches to try to gain access.
- Exploiting Weak Authentication: If the OAP server uses weak or default credentials, attackers can easily gain access.
- Network-Level Exploits: Exploiting vulnerabilities in network protocols or services running on the OAP server (e.g., SSH, if exposed).
- Mitigation Focus: Strict network access control (firewalls, VPCs, VPNs), strong authentication (MFA, certificate-based authentication), network intrusion detection/prevention.
-
Attack Tree Path: 2. Manipulate SkyWalking Agent
- Description: While compromising the OAP is the most direct route, manipulating the agent provides a powerful foothold within the application itself.
* **{2.1 Inject Malicious Code}:**
* **Description:** This is the highest-impact attack against the agent. If an attacker can inject code into the agent, they can effectively control the application being monitored. This usually requires prior compromise of the application server.
* **<<Malicious Code>> (Critical Node):** Successful code injection is the *critical enabling factor*. This allows the attacker to execute arbitrary code within the application's context.
* **Attack Vectors:**
* **Modifying Agent Binaries:** Directly altering the agent's executable files on the compromised application server.
* **Leveraging Application Vulnerabilities:** Using vulnerabilities in the *application* itself to inject code that then affects the agent (e.g., if the agent loads configuration or plugins from an attacker-controlled location).
* **Supply Chain Attacks:** Compromising the agent's build process or distribution mechanism to inject malicious code before it's even deployed.
* **Mitigation Focus:** Secure the application server, code signing and integrity checks for agent binaries, monitor agent behavior, containerization with read-only file systems.