Threat Research Blog

October 20, 2021

Understanding and Preventing Kubernetes Attacks and Threats

As the most widely adapted open-source container software, Kubernetes provides businesses with efficient processes to schedule, deploy, and scale containers across different machines. The bad news is that cybercriminals have figured out how to exploit the platform's vulnerabilities, resulting in catastrophic network intrusions across many company infrastructures. A recent report revealed that 94% of respondents reported security incidents in Kubernetes environments. The question is, what is behind this surge of Kubernetes attacks, and how can they be prevented?

How Kubernetes is Vulnerable

As a container-based platform, a new set of vulnerabilities, permission issues, and specific images set the stage for the increase in attacks. The threats have included fileless malware in containers, leveraging misconfigured Docker API ports, and using container images for attacks.

Misconfigured Docker API Ports Exploitation

Scanning for misconfigured Docker API ports and using them for deploying images containing malware is a relatively new type of attack. The malware, designed to evade static scanning, has become a popular method to hijack compute cycles for fraudulent cryptomining. This cryptojacking activity steals CPU power to mine currencies such as Ethereum and Monero.

By first identifying vulnerable front-end websites and other systems, attackers send a command through the application layer simply by manipulating a domain's text field or through an exposed API in the website's URL. The code then enters the container, where it is executed with commands sent to a Docker container's shell. A wget command is executed to download the malware.

To protect against this attack, enterprises must ensure their container files are not writable, establish CPU consumption limits, and enable alerts to detect interactive shell launches.

DDoS Attacks With Open Docker Daemons

Cybercriminals use misconfigured open Docker daemons to launch DDoS attacks using a botnet of containers. UDP flood and Slowloris were recently identified as two such types of container-based botnet attacks.  A recent blog describes an anatomy of these Kubernetes attacks.

The attackers first identified open Docker daemons using a scanning tool such as Shodan to scan the internet for IP addresses and find a list of hosts, open ports, and services. By uploading their own dedicated images to the Docker hub, they succeeded in deploying and remotely running the images on the host.

Analyzing how the UDP flood attack was orchestrated required an inspection of the binary with IDA. This revealed the start_flood and start_tick threads.  The source code for the attack was found on Github. This code revealed a try_gb parameter, with the range of 0 to 1,024, used to configure how much data to input to flood the target. However, it was discovered that attackers are able to modify this open-source code to create a self-compiled binary that floods the host with even greater amounts of UDP packets.

In the case of the Slowloris attack, cybercriminals launched DDoS with the slowhttptest utility. The attackers were able to create a self-compiling binary that is unidentifiable in malware scans.

Protection from these Kubernetes attacks requires vigilant assurance policies and prevention of images other than compliant ones to run in the system. Non-compliant images will then be blocked when intrusion attempts are made.

Man in the Middle Attacks With LoadBalancer or ExternalIPs

An attack affecting all versions of Kubernetes involves multi-tenant clusters. The most vulnerable clusters have tenants that are able to create and update services and pods. In this breach, the attacker can intercept traffic from other pods or nodes in the cluster by creating a ClusterIP service and setting the spec.externalIP's field. Additionally, a user who is able to patch the status of a LoadBalancer service can grab traffic. The only way to mitigate this threat is to restrict access to vulnerable features. This can be done with the admission webhook container, externalip-webhook, which prevents services from using random external IPs. An alternative method is to lock external IPs with OPA Gatekeeper with this sample Constraint Templatecan.

Siloscape Malware

Security researcher, Daniel Prizmant, describes a newer malware attack that he calls Siloscape. Its primary goal is to escape the container that is mainly implemented in Windows server silo. The malware targets Kubernetes through Windows containers to open a backdoor into poorly configured clusters to run the malicious containers. While other malware attacks focus on cryptojacking, the Siloscape user's motive is to go undetected and open a backdoor to the cluster for a variety of malicious activities. This is possible since Siloscape is virtually undetectable due to a lack of readable strings in the binary.

This type of attack can prove catastrophic. It compromises an entire cluster running multiple cloud applications. Cybercriminals can access critical information including sign-ins, confidential files, and complete databases hosted inside the cluster. Additionally, organizations using Kubernetes clusters for testing and development can face catastrophic damage should these environments be breached.

To prevent a Siloscape attack, it is crucial that administrators ensure their Kubernetes clusters are securely configured. This will prevent the malware from creating new deployments and force Siloscape to exit. Microsoft also recommends using only Hyper-V containers as a security boundary for anything relying on containerization.

The Threat Matrix

The MITRE ATT&CK database details additional tactics and techniques attackers are using to infiltrate Kubernetes environments to access sensitive information, mine cryptocurrency, perform DDoS attacks, and other unscrupulous activities. The more commonly used methods are as follows:

  1. Kubernetes file compromise
    Because this file holds sensitive data such as cluster credentials, an attacker could easily gain initial access to the entire cluster. Only accept kubeconfig files from trusted sources. Others should be thoroughly inspected before they are deployed.
  2. Using similar pod names
    Attackers create similar pod names and use random suffixes to hide them in the cluster. The pods then run malicious code and obtain access to many other resources.
  3. Kubernetes Secrets intrusion
    Attackers exploit any misconfigurations in the cluster with the goal of accessing the API server and retrieving information from the Secrets objects.
  4. Internal network access
    Attackers able to access a single pod that communicates with other pods or applications can move freely within the cluster to achieve their goals.
  5. Using the writeable hostPath mount
    Attackers with permissions to create new containers can create one with a writeable hostPath volume.

Kubernetes Attacks: Key Takeaways

Kubernetes brings many advantages to organizations but also presents a variety of security risks, as documented above. However, by ensuring their environments are adequately protected through proper configuration and appropriately assigned permissions, the threat of Kubernetes attacks is greatly minimized. Should a container be compromised, properly assigned privileges can severely limit a cluster-wide compromise.

Prevasio assists companies in the management of their cloud security through built-in vulnerability and anti-malware scans for containers. Contact us for more information on our powerful CSPM solutions. Learn about how we can protect your company from Kubernetes attacks and other cyberattacks.