Exposing the Kubelet API in Kubernetes clusters can enable anonymous, unauthenticated access that attackers can abuse to steal secrets and take control of clusters. The article documents real-world campaigns targeting the Kubelet API, emphasizing the need for strong access controls and monitoring to defend against such exposures. #KubeletAPI #TeamTNT
Keypoints
- The Kubelet API is a critical component in Kubernetes clusters that manages pods and containers on each node.
- Exposing the Kubelet API to the public internet and enabling anonymous unauthenticated requests can lead to unauthorized access and potential data breaches.
- Real-world attacks have been observed targeting the Kubelet API to steal secrets and gain full control over clusters.
- Attack campaigns employ environment discovery, network scanning, and firewall rule manipulation to facilitate persistence, exfiltration, and lateral movement.
- Threat groups like the F Gang Campaign and TeamTNT have documented techniques that download and execute payloads (including cryptominer payloads) via the Kubelet API.
- Shodan-based observations show hundreds of thousands of exposed Kubelet APIs, with a subset being exploitable or serving as honeypots, underscoring the ongoing risk.
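The misconfiguration behind these campaigns is a kubelet that accepts anonymous requests and authorizes everything it accepts. The following audit script is an added example, not code from the article or from Aqua Security: it checks a KubeletConfiguration document (JSON form; the field names `authentication.anonymous.enabled`, `authentication.webhook.enabled`, `authorization.mode` and `readOnlyPort` are real kubelet settings) and reports the weak settings, with a constructed weak config beside a hardened one. It goes slightly beyond the page by also checking the unauthenticated read-only port, which the article's summary does not mention.

```python
import json

# Constructed sample KubeletConfiguration documents in JSON form (the kubelet
# accepts JSON or YAML for --config). Neither is taken from the article.
WEAK_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True},
                       "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
})

HARDENED_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
})


def audit_kubelet_config(doc: str) -> list[str]:
    """Return the weak settings found in a KubeletConfiguration JSON document.

    An empty list means every checked field is explicitly set to a safe value.
    Unset fields are reported as well, so the effective kubelet default has to
    be confirmed on the node instead of being assumed.
    """
    cfg = json.loads(doc)
    auth = cfg.get("authentication", {})
    findings = []

    if auth.get("anonymous", {}).get("enabled") is not False:
        findings.append("authentication.anonymous.enabled is not false: "
                        "unauthenticated requests to port 10250 are accepted")

    if auth.get("webhook", {}).get("enabled") is not True:
        findings.append("authentication.webhook.enabled is not true: bearer "
                        "tokens are not validated against the API server")

    mode = cfg.get("authorization", {}).get("mode")
    if mode != "Webhook":
        findings.append(f"authorization.mode is {mode!r}, not Webhook: callers "
                        "are not checked with a SubjectAccessReview")

    if cfg.get("readOnlyPort") != 0:
        findings.append("readOnlyPort is not 0: an unauthenticated read-only "
                        "endpoint (pod listing, metrics) may be served")
    return findings
```

Run it against the config file passed to the kubelet via `--config` on each node; any finding on a node reachable from the internet is the exposure the article describes.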
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Misconfigured Kubelet API exposed to the internet, enabling anonymous and unauthenticated access. “Misconfigured Kubelet API (Initial Access): This is a new suggestion that doesn’t appear in the Microsoft matrix. It appears to be missing as attackers actively exploit misconfigured kubelet APIs that are connected to the internet.”
- [T1059.004] Unix Shell – Usage of shell commands for environment discovery and execution. “The first command is a shell completion code for the specified shell (bash, zsh, fish, or powershell). The rest are basic Linux commands used to discover the environment, list directory, username of current user, list the groups of the current user and list the running processes.”
- [T1016] System Network Configuration Discovery – Commands to inspect network interfaces and IP addresses. “ip a: Displays all network interfaces and IP addresses.”
- [T1046] Network Service Scanning – Network discovery with tooling. “The threat actor is installing curl and zmap to allow downloading tools and scanning the network of the K8s cluster. Next, deleting the zmap blocklist.”
- [T1057] Process Discovery – Discovery of running processes. “list the running processes.”
- [T1105] Ingress Tool Transfer – Download and execution of a malicious script. “downloads and executes a malicious script (f593).”
- [T1021] Remote Services – Lateral movement across cloud provider accounts. “move laterally across the cloud provider account.”
- [T1552.001] Credentials in Files – Token theft from containers (ServiceAccount tokens). “The most common attempt is to iterate over the running containers and extract the ServiceAccount token.”
Indicators of Compromise
- [IPv4 Address/Range] 172.20.0.1/16 – Targeted internal Kubernetes range for pod/service IPs during internal mapping campaigns
- [File] f593 – Main payload downloaded via the Kubelet API
- [File] f401, f402 – Additional payloads/scripts associated with the campaign (cryptominer)
- [File Hash] MD5: 86f2790c04ccd113a564cc074efbcdfd – MD5 hash of the cron binary used as a cryptominer
- [Port] 10250 – Default Kubelet API port referenced in network configuration discussions
- [Credential] ServiceAccount tokens – Tokens discovered in running pods (example: tokens found on multiple nodes)
Read more: https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api