Kubernetes clusters are being actively targeted to steal service account tokens and pivot from compromised pods into cloud-hosted backend systems, with token-theft activity up 282% year-over-year and the IT sector representing over 78% of observed activity. Two representative cases—token theft enabling lateral movement in a cryptocurrency exchange by the Slow Pisces group and rapid exploitation of React2Shell (CVE-2025-55182) to execute commands inside workloads—illustrate how exposed identities and misconfigurations enable cluster-to-cloud compromise. #SlowPisces #React2Shell
Keypoints
- Telemetry shows Kubernetes-related token-theft operations increased 282% over the prior year, with the IT sector comprising ~78% of alert volume.
- Case 1: Threat actors (attributed to Slow Pisces) used a deployed malicious pod to harvest a high-privileged service account token, enumerate secrets, and pivot from Kubernetes into cloud-hosted financial infrastructure to steal funds.
- Case 2: React2Shell (CVE-2025-55182) exploitation enabled unauthenticated remote code execution in public-facing workloads, leading to credential and environment variable exfiltration and backdoor deployment.
- Common attack pattern: exploit vulnerable/exposed application → achieve code execution in a pod → steal mounted service account tokens and cloud credentials → escalate privileges and pivot to cloud resources.
- Threat actors commonly reuse post-exploitation frameworks and tooling (e.g., Peirates, TeamPCP, VoidLink) to automate identity discovery, token harvesting, and cloud abuse.
- Defensive controls prioritized: strict RBAC and Pod Security Standards, short-lived projected service account tokens, comprehensive Kubernetes audit logging, and runtime workload telemetry with automated response.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain initial code execution in exposed workloads (React2Shell). (‘Exploiting vulnerabilities such as React2Shell allows threat actors to bypass authentication and execute code directly inside an application container.’)
- [T1528] Steal Application Access Token – Attackers read mounted service account tokens from pods to authenticate to the Kubernetes API and escalate access. (‘Stealing application access tokens is another technique favored by threat actors.’)
- [T1552.001] Unsecured Credentials: Credentials In Files – Threat actors read credential files and exfiltrate them from container filesystems to harvest cloud credentials. (‘read the token from the pod’s filesystem and exfiltrates it to a remote command and control (C2) server.’)
- [T1552.007] Unsecured Credentials: Container API – Actors enumerated Kubernetes secrets and queried the API from compromised pods to discover sensitive credentials. (‘enumerated cluster resources, harvested mounted service account tokens and queried the Kubernetes API to determine the scope of privileges granted via RBAC.’)
- [T1613] Container and Resource Discovery – Post-exploitation enumeration of containers, namespaces and service accounts to map privileges and targets. (‘Enumerating the runtime environment’)
- [T1609] Container Administration Command – Used to execute commands inside compromised pods and perform administrative actions across workloads. (‘execute commands inside Kubernetes workloads’)
- [T1134] Access Token Manipulation – Abuse of kubelet or token-based credentials to execute commands and manipulate access from within pods. (‘Execution of command from within a Kubernetes pod using kubelet credentials’)
- [T1610] Deploy Container – Deploying malicious pods or backdoors to maintain persistence and expand footholds in the cluster. (‘deploy additional malicious pods’)
- [T1611] Escape to Host – Exploitation of container runtime vulnerabilities or hostPath mounts to gain node-level access. (‘exploit container runtime vulnerabilities to gain node-level access.’)
- [T1078.001] Valid Accounts: Default Accounts – Anonymous or default account access to the API observed, indicating insecure or unauthenticated API access. (‘A Kubernetes API operation was successfully invoked by an anonymous user’)
- [T1552.005] Unsecured Credentials: Cloud Instance Metadata API – Retrieval of cloud instance metadata and environment variables to obtain cloud credentials and pivot to cloud services. (‘collected cloud credentials that were exposed in environment variables and cloud metadata services’)
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Use of shell interpreters and piped scripts in pods to run downloaded payloads and backdoors. (‘Run downloaded script using pipe in a Kubernetes pod’)
- [T1098.006] Account Manipulation: Additional Container Cluster Roles – Creation or deletion of cluster role bindings to escalate privileges or grant broader access. (‘A Kubernetes cluster role binding was created or deleted’)
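Added example (not code from the Unit 42 report): a minimal triage pass over constructed Kubernetes audit-log entries that flags the three API-side behaviours the techniques above describe: a successful anonymous API call, a ClusterRoleBinding create/delete, and a workload service account enumerating secrets. The usernames, namespaces and IP addresses are made up; the event shape follows the audit.k8s.io/v1 Event fields (stage, verb, user, objectRef, responseStatus, sourceIPs).

```python
import json

# Constructed Kubernetes audit entries (audit.k8s.io/v1 Event shape); not real telemetry.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "list", "responseStatus": {"code": 200}, "sourceIPs": ["10.42.3.17"],
     "user": {"username": "system:serviceaccount:payments:web-sa"}, "objectRef": {"resource": "secrets", "namespace": "payments"}},
    {"stage": "RequestReceived", "verb": "get", "sourceIPs": ["203.0.113.9"],  # same request, earlier stage
     "user": {"username": "system:anonymous"}, "objectRef": {"resource": "pods", "namespace": "default"}},
    {"stage": "ResponseComplete", "verb": "get", "responseStatus": {"code": 200}, "sourceIPs": ["203.0.113.9"],
     "user": {"username": "system:anonymous"}, "objectRef": {"resource": "pods", "namespace": "default"}},
    {"stage": "ResponseComplete", "verb": "create", "responseStatus": {"code": 201}, "sourceIPs": ["10.42.3.17"],
     "user": {"username": "system:serviceaccount:payments:web-sa"},
     "objectRef": {"resource": "clusterrolebindings", "apiGroup": "rbac.authorization.k8s.io", "name": "debug-admin"}},
    {"stage": "ResponseComplete", "verb": "list", "responseStatus": {"code": 403}, "sourceIPs": ["203.0.113.9"],
     "user": {"username": "system:anonymous"}, "objectRef": {"resource": "secrets", "namespace": "kube-system"}},
    {"stage": "ResponseComplete", "verb": "get", "responseStatus": {"code": 200}, "sourceIPs": ["10.42.0.5"],
     "user": {"username": "system:node:node1"}, "objectRef": {"resource": "pods", "namespace": "payments"}},
])


def classify(ev):
    """Return (technique, reason) tags for one ResponseComplete audit event; [] if nothing matched."""
    user = (ev.get("user") or {}).get("username", "")
    obj = ev.get("objectRef") or {}
    resource, verb = obj.get("resource", ""), ev.get("verb", "")
    succeeded = (ev.get("responseStatus") or {}).get("code", 0) < 400
    tags = []
    # Anonymous principal succeeded against the API: unauthenticated access is possible.
    if user == "system:anonymous" and succeeded:
        tags.append(("T1078.001", f"anonymous {verb} on {resource} succeeded"))
    # Cluster-scope binding created or deleted: privilege grant or cleanup worth a human look.
    if resource == "clusterrolebindings" and verb in ("create", "delete") and succeeded:
        tags.append(("T1098.006", f"clusterrolebinding {verb} by {user}"))
    # A pod identity reading secrets is the enumeration step that precedes token/credential theft.
    if user.startswith("system:serviceaccount:") and resource == "secrets" and verb in ("get", "list") and succeeded:
        tags.append(("T1552.007", f"{user} {verb} secrets in {obj.get('namespace', '?')}"))
    return tags


def triage(audit_log):
    """Parse newline-delimited audit JSON and return alerts, counting each request once."""
    alerts = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # RequestReceived/ResponseStarted entries describe the same request
        for technique, reason in classify(ev):
            alerts.append({"technique": technique, "user": ev["user"]["username"],
                           "source": ",".join(ev.get("sourceIPs", [])), "reason": reason})
    return alerts
```

Feeding the real API server audit stream (with a policy that logs at least Metadata level for secrets and rbac resources) into `triage` gives the same three alert types; the 403 anonymous probe is deliberately not alerted here but is still worth counting as reconnaissance.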
Indicators of Compromise
- [IP Address] C2 and hosting infrastructure observed in incidents – 104.238.149[.]198, 45.76.155[.]14, and 23.235.188[.]3
- [URL / Domain] Payload and backdoor distribution endpoints used to download tools/backdoors – hxxp[:]//104.238.149[.]198:12349/BVN0VEdddye5odDFVR, hxxp[:]//45.76.155[.]14/vim
- [File Hash] Malware and tool binaries identified in telemetry – VoidLink binary 05eac3663d47a29da0d32f67e10d161f831138e10958dcd88b9dc97038948f69; TeamPCP proxy.sh 7d2c9b4a3942f6029d2de7f73723b505b64caa8e1763e4eb1f134360465185d0 (and 1 more hash)
- [File Name] Scripts and masqueraded backdoors used in intrusions – proxy.sh, kube.py, and a backdoor masquerading as ‘vim’ used for persistence and credential harvesting.
Read more: https://unit42.paloaltonetworks.com/modern-kubernetes-threats/