Threat Intel (HIGH)

Kubernetes Controllers - The Perfect Backdoor for Attackers

CSCSO Online
Tags: Kubernetes, Siloscape, TeamTNT, MutatingWebhookConfigurations, cloud security

Basically, attackers can use Kubernetes controllers to create hidden backdoors in cloud systems.

Quick Summary

Kubernetes controllers are being exploited as backdoors, allowing attackers persistent access to cloud environments. This poses a significant risk to cloud security. Understanding this threat is crucial for effective defense.

What Happened

In the evolving landscape of cloud security, Kubernetes controllers have emerged as a significant abuse vector. Attackers are no longer limited to basic exploits; they are now leveraging the Kubernetes controller pattern itself to create persistent backdoors. By compromising or registering rogue controllers, adversaries can turn the cluster's own automation against it, producing self-healing backdoors that are difficult to detect. This shift in tactics highlights a critical blind spot in cloud-native security strategies.

Who's Behind It

Sophisticated threat actors, such as those behind the Siloscape malware campaign and TeamTNT group, have demonstrated the effectiveness of this approach. Siloscape targeted Windows containers and escaped to the underlying node, utilizing node credentials to spread through the API server. Similarly, TeamTNT exploited the kubelet API for persistence. These documented campaigns illustrate how attackers can weaponize the control plane, turning Kubernetes against its legitimate users.

Tactics & Techniques

Attackers can gain limited access to the cluster's API server through compromised CI/CD pipeline credentials or leaked kubeconfig files. With just enough permissions, they can register a mutating admission webhook (a MutatingWebhookConfiguration), which intercepts legitimate pod creation requests. The webhook modifies the pod specification to inject a malicious sidecar container, effectively creating a backdoor. The hidden sidecar is often disguised and survives pod deletion, because Kubernetes re-creates the pod and the webhook re-injects the sidecar on every creation. This technique aligns with the Persistence (TA0003) tactic in the MITRE ATT&CK framework for containers, and is more resilient than traditional persistence methods.

Defensive Measures

To combat this emerging threat, organizations must enhance their security practices. Key actions include auditing MutatingWebhookConfigurations to identify any unauthorized webhooks, monitoring RoleBinding changes for elevated permissions, and checking for anomalous OwnerReferences in Kubernetes objects. Additionally, restricting webhook registration to only trusted administrators and implementing network policies for the control plane can significantly reduce the risk of such attacks. Signing container images with trusted keys can further ensure that only legitimate components are deployed within the cluster. By treating the API server as a critical component that requires scrutiny, organizations can better protect their Kubernetes environments from these sophisticated threats.
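The first defensive action above, auditing MutatingWebhookConfigurations for anything that should not be there, is straightforward to script. The following is an added example, not code from the original article or from CSCSO Online. It takes the JSON that `kubectl get mutatingwebhookconfigurations -o json` produces and flags three things a defender cares about: a configuration whose name is not on an allowlist, a webhook whose backend is an out-of-cluster URL or a service in a namespace outside a trusted set, and a webhook that mutates every pod CREATE cluster-wide with no namespace or object selector. The allowlist, the trusted namespaces and the embedded sample dump are constructed for the example and are assumptions, not values from the page.

```python
"""Audit MutatingWebhookConfigurations for signs of a rogue admission webhook.

Input format: the JSON emitted by `kubectl get mutatingwebhookconfigurations -o json`.
The allowlist and trusted namespaces below are hypothetical values for this example.
"""
import json
import sys

# Hypothetical allowlist: webhook configurations this cluster is expected to carry.
EXPECTED_WEBHOOKS = {"istio-sidecar-injector", "cert-manager-webhook"}

# Hypothetical set of namespaces whose services are trusted to receive admission calls.
TRUSTED_NAMESPACES = {"kube-system", "istio-system", "cert-manager"}


def _targets_pod_create(webhook):
    """True if any rule on the webhook matches pod CREATE requests."""
    for rule in webhook.get("rules", []):
        ops = rule.get("operations", [])
        resources = rule.get("resources", [])
        if ("CREATE" in ops or "*" in ops) and any(
            r in ("pods", "*", "pods/*") for r in resources
        ):
            return True
    return False


def audit_webhook_configs(dump):
    """Return a list of (config_name, finding) tuples for suspicious webhooks."""
    findings = []
    for cfg in dump.get("items", []):
        name = cfg["metadata"]["name"]
        if name not in EXPECTED_WEBHOOKS:
            findings.append((name, "configuration not in allowlist"))
        for wh in cfg.get("webhooks", []):
            wh_name = wh.get("name", "<unnamed>")
            client = wh.get("clientConfig", {})
            # An external URL means admission decisions leave the cluster entirely.
            if "url" in client:
                findings.append((name, f"webhook {wh_name} calls out-of-cluster URL {client['url']}"))
            svc = client.get("service")
            if svc and svc.get("namespace") not in TRUSTED_NAMESPACES:
                findings.append(
                    (name, f"webhook {wh_name} backed by service in untrusted namespace "
                           f"{svc.get('namespace')}")
                )
            # A pod-mutating webhook with no selector touches every pod in the cluster.
            if _targets_pod_create(wh) and not wh.get("namespaceSelector") and not wh.get("objectSelector"):
                findings.append((name, f"webhook {wh_name} mutates every pod CREATE cluster-wide"))
    return findings


# Constructed sample dump: one legitimate injector and one unexpected pod mutator.
SAMPLE_DUMP = json.loads("""
{
  "items": [
    {"metadata": {"name": "istio-sidecar-injector"},
     "webhooks": [{"name": "sidecar-injector.istio.io",
                   "clientConfig": {"service": {"namespace": "istio-system", "name": "istiod"}},
                   "rules": [{"operations": ["CREATE"], "resources": ["pods"]}],
                   "namespaceSelector": {"matchLabels": {"istio-injection": "enabled"}}}]},
    {"metadata": {"name": "pod-logger"},
     "webhooks": [{"name": "mutate.pod-logger.example",
                   "clientConfig": {"service": {"namespace": "default", "name": "pod-logger"}},
                   "rules": [{"operations": ["CREATE"], "resources": ["pods"]}]}]}
  ]
}
""")


if __name__ == "__main__":
    # Read a real dump from stdin if piped, otherwise audit the constructed sample.
    dump = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DUMP
    for config_name, finding in audit_webhook_configs(dump):
        print(f"[{config_name}] {finding}")
```

Run it as `kubectl get mutatingwebhookconfigurations -o json | python3 audit_webhooks.py`; against the embedded sample it reports three findings, all on `pod-logger`, and nothing for the Istio injector. The same pattern extends to ValidatingWebhookConfigurations, and the allowlist should be kept alongside the cluster's infrastructure-as-code so that a drift between the two is itself the alert.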

🔒 Pro insight: The rise of controller-based attacks necessitates a reevaluation of Kubernetes security measures, especially concerning webhook configurations and API access controls.

