A wave of new attacks targeted Kubernetes in 2023: Dero and Monero crypto miners, Scarleteel and RBAC-Buster.
Finding an initial foothold with a web app vulnerability, then moving laterally is the hallmark of a Kubernetes attack.
Understanding the reality of these attacks can help protect your organization from current and future attacks targeting Kubernetes.
Here's a breakdown of how the attacks unfold and what you can do to protect against them - or at least minimize the damage once attacked.
To look for an open path into the AWS environment, the attackers also used Peirates, an open-source Kubernetes penetration-testing tool, alongside Pacu, its AWS-focused counterpart.
The attacker jumped from a web application hosted in Kubernetes to the AWS account, from there back into Kubernetes, and then back again.
Defenders rarely have a similarly connected view of their environment: they look at cloud security, web application security and Kubernetes security separately, then struggle to reconstruct the attacker's full movement and objectives.
You can close the specific cloud misconfiguration these attackers exploited: worker nodes whose instance metadata service still answers IMDSv1 requests, which lets any pod that can reach 169.254.169.254 fetch the node's IAM credentials without a token.
If you run EKS, find where IMDSv1 is still enabled versus IMDSv2 required, and have a blue team run Peirates and Pacu against your environment before an attacker does.
Runtime detection might catch the Pandora malware, but it would not connect that alert to the broader activity across the cloud and Kubernetes environments, so it cannot stop the attack as a whole.
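As an added example (not code from the VentureBeat article or from any of the tools it names), here is a Python check that reads the JSON from `aws ec2 describe-instances` and flags worker nodes whose metadata options let a pod steal the node's IAM credentials: IMDSv1 still accepted (`HttpTokens` not `required`) or a PUT response hop limit above 1, which lets the IMDSv2 token response cross the veth into a pod. The instance IDs and cluster name in the sample are constructed for the example.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-instances` output,
# trimmed to the fields this check reads. Instance IDs and the cluster name
# are made up for the example.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{
        "Instances": [
            {  # IMDSv1 still accepted AND pods can reach it: worst case
                "InstanceId": "i-0000000000000aaaa",
                "Tags": [{"Key": "eks:cluster-name", "Value": "example-cluster"}],
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 2},
            },
            {  # IMDSv2 enforced, but hop limit 2 still lets a pod fetch the node role
                "InstanceId": "i-0000000000000bbbb",
                "Tags": [{"Key": "eks:cluster-name", "Value": "example-cluster"}],
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                    "HttpPutResponseHopLimit": 2},
            },
            {  # hardened: IMDSv2 required, hop limit 1
                "InstanceId": "i-0000000000000cccc",
                "Tags": [{"Key": "eks:cluster-name", "Value": "example-cluster"}],
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                    "HttpPutResponseHopLimit": 1},
            },
            {  # IMDS turned off entirely: nothing to steal
                "InstanceId": "i-0000000000000dddd",
                "Tags": [],
                "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 1},
            },
        ]
    }]
})


def audit_imds(describe_instances_json: str) -> List[Dict[str, object]]:
    """Return one finding per instance whose metadata options let a pod steal
    the node's IAM credentials: IMDSv1 accepted, or a PUT hop limit above 1
    (a hop limit of 1 stops the IMDSv2 token response from crossing the veth
    into a non-hostNetwork pod)."""
    findings = []
    for reservation in json.loads(describe_instances_json)["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no IMDS at all, nothing to audit
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("imdsv1-allowed")
            if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
                issues.append("hop-limit-allows-pods")
            if issues:
                tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
                findings.append({"instance_id": inst["InstanceId"],
                                 "cluster": tags.get("eks:cluster-name", ""),
                                 "issues": issues})
    return findings


def remediation_commands(findings: List[Dict[str, object]]) -> List[str]:
    """One `aws ec2 modify-instance-metadata-options` call per finding; the
    flags are the real AWS CLI flags, the instance IDs come from the audit."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {f['instance_id']} "
        f"--http-tokens required --http-put-response-hop-limit 1"
        for f in findings
    ]


if __name__ == "__main__":
    findings = audit_imds(SAMPLE_DESCRIBE_INSTANCES)
    for finding in findings:
        print(finding)
    print("\n".join(remediation_commands(findings)))
```

To run it against a real account, feed it `aws ec2 describe-instances --filters Name=tag-key,Values=eks:cluster-name` instead of the sample. The complementary check from the attacker's side is to exec into an ordinary (non-hostNetwork) pod and run `curl -s -m 2 http://169.254.169.254/latest/meta-data/iam/security-credentials/`: a role name in the response means IMDSv1 is reachable from workloads; a 401 means the node is enforcing IMDSv2.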
In the Dero attack, the bad actor first scanned for Kubernetes API servers that allowed anonymous access: servers that accept unauthenticated requests and grant the system:anonymous user enough RBAC to deploy workloads.
The rival Monero campaign used the same kind of API access to delete the Dero pods and deploy its own privileged pod via a DaemonSet, which places it on every node in the cluster.
Unlike Dero, the Monero attack involves privilege escalation and container escape techniques.
If your API server is exposed, the primary concern is limiting the blast radius: the attack plays out in real time through the Kubernetes control plane (API calls that create workloads), not inside a container at runtime, so detection that only watches the container runtime comes too late.
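Below is an added example, not code from the article or from the campaigns it describes, that scans workload manifests for the settings that make a DaemonSet of the kind described above a node-takeover primitive (privileged container, host namespaces, hostPath mounts, CAP_SYS_ADMIN) and reports how far each would spread. It reads the `List` JSON that `kubectl get daemonsets,deployments -A -o json` returns; the sample manifests, names and image are constructed for the example and are not indicators from the real campaign.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `kubectl get daemonsets,deployments -A -o json`.
# The first item has the shape the text describes (a privileged pod on every
# node with host namespaces and the host root mounted); the names and image
# are made up for this example and are not indicators from the real campaign.
SAMPLE_WORKLOADS = json.dumps({"kind": "List", "items": [
    {"apiVersion": "apps/v1", "kind": "DaemonSet",
     "metadata": {"name": "example-ds", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "hostPID": True, "hostNetwork": True,
         "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
         "containers": [{
             "name": "worker", "image": "example.invalid/worker:latest",
             "securityContext": {"privileged": True},
             "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "shop"},
     "spec": {"replicas": 2, "template": {"spec": {
         "containers": [{
             "name": "web", "image": "example.invalid/web:1.2",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "runAsNonRoot": True}}]}}}},
]})


def pod_spec(obj: Dict) -> Dict:
    """A Pod carries its spec at .spec; DaemonSet, Deployment, StatefulSet and
    Job carry the pod template at .spec.template.spec."""
    return obj["spec"] if obj["kind"] == "Pod" else obj["spec"]["template"]["spec"]


def escape_risks(obj: Dict) -> List[str]:
    """List the settings that turn a pod into a node-takeover primitive:
    host namespaces, hostPath mounts, privileged containers, CAP_SYS_ADMIN."""
    spec = pod_spec(obj)
    risks = [key for key in ("hostPID", "hostNetwork", "hostIPC") if spec.get(key)]
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            risks.append("hostPath:" + vol["hostPath"].get("path", ""))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            risks.append("privileged:" + c["name"])
        if "SYS_ADMIN" in (sc.get("capabilities") or {}).get("add", []):
            risks.append("cap-sys-admin:" + c["name"])
    return risks


def blast_radius(obj: Dict) -> str:
    """How far a compromised workload spreads: a DaemonSet lands on every node
    matching its selector, which is exactly why the miners chose it."""
    if obj["kind"] == "DaemonSet":
        return "every node"
    if obj["kind"] == "Pod":
        return "1 pod"
    return f"{obj['spec'].get('replicas', 1)} pod(s)"


def scan(list_json: str) -> Dict[str, Dict[str, object]]:
    """Map namespace/kind/name -> risks and blast radius for every risky item."""
    report = {}
    for obj in json.loads(list_json)["items"]:
        risks = escape_risks(obj)
        if risks:
            key = f"{obj['metadata'].get('namespace', '')}/{obj['kind']}/{obj['metadata']['name']}"
            report[key] = {"risks": risks, "blast_radius": blast_radius(obj)}
    return report


if __name__ == "__main__":
    for name, info in scan(SAMPLE_WORKLOADS).items():
        print(name, info)
```

Every setting this flags is rejected by the Pod Security Admission `restricted` profile, so labelling namespaces with `pod-security.kubernetes.io/enforce: restricted` (and keeping kube-system off-limits to non-admin RBAC subjects) turns the audit into a preventive control rather than an after-the-fact report.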
The attacker attempts to gain a foothold in a Kubernetes environment by scanning for a misconfigured API server that accepts unauthenticated requests and treats them as coming from a privileged user.
Attackers used that privileged access to list secrets and enumerate the kube-system namespace.
The initial step in this attack therefore assumes not only that your Kubernetes API server is reachable, but also that it accepts unauthenticated requests and grants them privileges.
To protect against this attack, check your API server configuration (is it reachable from the internet, and is anonymous authentication on?) and audit your RBAC bindings for the system:anonymous, system:unauthenticated and system:authenticated subjects.
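As an added example (not the article's code), the following Python audit reads the JSON from `kubectl get clusterroles,roles -A -o json` and `kubectl get clusterrolebindings,rolebindings -A -o json` and reports every binding that hands one of the permissions these campaigns used (reading secrets, creating pods or DaemonSets) to `system:anonymous`, `system:unauthenticated` or the catch-all `system:authenticated` group. The binding and role names in the sample are constructed, except `cluster-admin` and `system:public-info-viewer`, which are real Kubernetes defaults.

```python
import json
from typing import Dict, List

# Subjects that anyone on the network (or anyone holding any valid token,
# including every service account) gets for free.
RISKY_SUBJECTS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}

# (verb, resource) pairs the attacks described above actually relied on.
ATTACK_PATH = {("get", "secrets"), ("list", "secrets"), ("create", "pods"), ("create", "daemonsets")}

# Constructed samples in the shape of `kubectl get clusterroles,roles -A -o json`
# and `kubectl get clusterrolebindings,rolebindings -A -o json`. Binding
# cluster-admin to system:anonymous is the misconfiguration these scans look
# for; system:public-info-viewer is a real Kubernetes default and is harmless
# (it only grants GET on non-resource URLs such as /healthz and /version).
SAMPLE_ROLES = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "system:public-info-viewer"},
     "rules": [{"nonResourceURLs": ["/healthz", "/livez", "/readyz", "/version", "/version/"],
                "verbs": ["get"]}]},
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
]})

SAMPLE_BINDINGS = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "oops-anonymous-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-secrets", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]})


def _rule_allows(rule: Dict, verb: str, resource: str) -> bool:
    verbs, resources = rule.get("verbs", []), rule.get("resources", [])
    return ("*" in verbs or verb in verbs) and ("*" in resources or resource in resources)


def _role_key(kind: str, namespace: str, name: str):
    # Roles are namespaced; ClusterRoles are not, so key them with an empty namespace.
    return (kind, namespace if kind == "Role" else "", name)


def risky_bindings(roles_json: str, bindings_json: str) -> List[Dict[str, object]]:
    """Return bindings that hand one of ATTACK_PATH's permissions to an
    anonymous, unauthenticated or catch-all authenticated subject."""
    rules = {}
    for role in json.loads(roles_json)["items"]:
        md = role["metadata"]
        rules[_role_key(role["kind"], md.get("namespace", ""), md["name"])] = role.get("rules", [])
    findings = []
    for b in json.loads(bindings_json)["items"]:
        subjects = {s["name"] for s in b.get("subjects", [])} & RISKY_SUBJECTS
        if not subjects:
            continue
        ref = b["roleRef"]
        role_rules = rules.get(_role_key(ref["kind"], b["metadata"].get("namespace", ""), ref["name"]), [])
        grants = sorted(f"{v} {r}" for v, r in ATTACK_PATH
                        if any(_rule_allows(rule, v, r) for rule in role_rules))
        if grants:
            scope = b["metadata"].get("namespace") or "cluster-wide"
            findings.append({"binding": b["metadata"]["name"], "scope": scope,
                             "subjects": sorted(subjects), "grants": grants})
    return findings


if __name__ == "__main__":
    for f in risky_bindings(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f)
```

A quicker spot check on a live cluster is `kubectl auth can-i --list --as=system:anonymous`, which should show nothing beyond the non-resource URLs of `system:public-info-viewer`. Where your distribution lets you set API server flags, `--anonymous-auth=false` removes the anonymous identity entirely; on managed services that do not expose the flag, the RBAC audit above is the control that remains.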
Attackers are searching for mistakes, misconfigurations and a way into your Kubernetes environment.
Most clusters were only accessible for a few hours, highlighting the ephemeral nature of Kubernetes clusters: a cluster that is exposed and exploitable today may be closed off to attackers tomorrow.
This Cyber News was published on venturebeat.com. Publication date: Sun, 10 Dec 2023 19:43:05 +0000