First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters

MITRE Techniques

• [T1190] Exploit Public-Facing Application – The attacker gained initial access via a misconfigured API server that allowed unauthenticated requests from anonymous users with privileges. “The initial access was gained via a misconfigured API server that allowed unauthenticated requests from anonymous users with privileges.”
• [T1036] Masquerading – The attacker blended with logs and persistence mechanisms to evade detection, “persist under the radar without setting off any alarms.”
• [T1543] Create or Modify System Process – The attacker created a near-admin ClusterRole, a kube-system ServiceAccount named kube-controller, and a ClusterRoleBinding to establish lasting persistence. “created a ClusterRoleBinding, binding the ClusterRole with the ServiceAccount to create a strong and inconspicuous persistence.”
• [T1105] Ingress Tool Transfer – The DaemonSet used a container image hosted on Docker Hub, demonstrating external tool acquisition. “The DaemonSet creation request object contained the container image ‘kuberntesio/kube-controller:1.0.1’, hosted on the public registry Docker Hub.”
• [T1078.003] Valid Accounts: Cloud Accounts – AWS keys were exposed and used to attempt access to the cloud provider account. “we exposed AWS access keys in various locations on the cluster… the access keys were used by the attacker to try and gain further access to the target’s cloud service provider account.”
• [T1583] Acquire Infrastructure – Typosquatting on container images to impersonate legitimate components and host on Docker Hub. “The container image named ‘kuberntesio/kube-controller’ is a case of typosquatting that impersonates the legitimate ‘kubernetesio’ account.”
• [T1496] Resource Hijacking – DaemonSet deployed across nodes to hijack cluster resources for cryptomining. “The impact on the cluster was resource hijacking.”
• [T1083] – File and Directory Discovery (Discovery of cluster state) – The attacker listed secrets and queried cluster information. “The attacker sent a few HTTP requests to list secrets and then made two API requests to gain information about the cluster by listing the entities in the ‘kube-system’ namespace.”