
Reflecting on Aqua Security's Findings

https://blog.aquasec.com/kubernetes-exposed-one-yaml-away-from-disaster

Aqua Security's investigation surfaced two headline findings, staggering in scale:

  • Over 350 exposed Kubernetes clusters were identified across various sectors.
  • A concerning 60% of these were already compromised, tainted with malicious scripts and code.

The Misconfigurations: A Chink in the Armor

Two significant misconfigurations were spotlighted by Aqua:

  1. Anonymous Access with Privileges: the API server accepts requests that carry no credentials and attributes them to the built-in identity system:anonymous (group system:unauthenticated). On its own that is harmless, since the stock bindings let that identity read only endpoints such as /healthz and /version. It becomes the equivalent of leaving your front door wide open when an administrator binds a real role, at worst cluster-admin, to that identity: anyone who can reach the API server then holds those privileges without logging in. This is the more worrying of the two because it needs no foothold at all.
  2. Exposed kubectl Proxy: kubectl proxy is a development convenience that listens on localhost and forwards requests to the API server using the credentials in the operator's kubeconfig. It performs no authentication of its own. Start it bound to a public interface with the host check relaxed and every request that reaches it is executed with the operator's privileges, which turns the machine into an unauthenticated API endpoint for anyone on the network.
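Both misconfigurations can be checked mechanically. The script below is an added example written for this post, not code from Aqua's report. The first function audits a ClusterRoleBinding list in the shape `kubectl get clusterrolebindings -o json` returns and reports every non-stock binding that grants a role to the anonymous identity; the second parses a `kubectl proxy` command line and reports whether the listener is reachable from other hosts. The binding names `anonymous-admin` and `open-discovery`, and the command lines, are constructed sample input.

```python
"""Audit for the two misconfigurations discussed above.

Added example (not code from Aqua's report). Input (a) has the shape of
`kubectl get clusterrolebindings -o json`; input (b) is a `kubectl proxy`
command line. The sample inputs below are constructed for this example.
"""
import json
import shlex

# Identities the API server assigns to requests carrying no credentials.
ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}

# The one binding Kubernetes ships for unauthenticated callers: read-only
# access to /healthz, /livez, /readyz and /version. Anything else is suspect.
STOCK_UNAUTHENTICATED_BINDINGS = {"system:public-info-viewer"}

# Constructed sample: four bindings, the last two misconfigured.
SAMPLE_BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "anonymous-admin"},          # the open front door
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"metadata": {"name": "open-discovery"},
     "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
]})


def find_anonymous_bindings(bindings_json: str) -> list:
    """Return (binding, role) pairs for every non-stock ClusterRoleBinding
    that grants a role to the anonymous user or the unauthenticated group."""
    findings = []
    for crb in json.loads(bindings_json)["items"]:
        name = crb["metadata"]["name"]
        if name in STOCK_UNAUTHENTICATED_BINDINGS:
            continue
        subjects = {(s.get("kind"), s.get("name")) for s in crb.get("subjects") or []}
        if subjects & ANONYMOUS_SUBJECTS:
            findings.append((name, crb["roleRef"]["name"]))
    return findings


def proxy_listen_address(cmdline: str) -> str:
    """Extract the --address value of a `kubectl proxy` command line
    (kubectl's default is 127.0.0.1)."""
    argv = shlex.split(cmdline)
    address = "127.0.0.1"
    for i, arg in enumerate(argv):
        if arg.startswith("--address="):
            address = arg.split("=", 1)[1]
        elif arg == "--address" and i + 1 < len(argv):
            address = argv[i + 1]
    return address


def proxy_is_exposed(cmdline: str) -> bool:
    """True when the proxy would accept connections from other hosts.

    kubectl proxy does no authentication of its own: every request it
    receives is forwarded with the credentials of the kubeconfig it was
    started with. --accept-hosts is matched against the client-supplied
    Host header, so it is not a security boundary; the listen address is
    what decides who can reach it."""
    return proxy_listen_address(cmdline) not in ("127.0.0.1", "localhost", "::1")


if __name__ == "__main__":
    for binding, role in find_anonymous_bindings(SAMPLE_BINDINGS):
        print(f"anonymous access: binding {binding} grants {role}")
    for cmd in ("kubectl proxy --port=8001",
                "kubectl proxy --address='0.0.0.0' --accept-hosts='.*'"):
        print(f"{'EXPOSED' if proxy_is_exposed(cmd) else 'local only'}: {cmd}")
```

Pipe a real dump through `find_anonymous_bindings` and expect an empty list; anything else is a binding to remove. Note the check deliberately ignores `--accept-hosts`: because the proxy matches that pattern against the Host header the client itself sends, widening it makes exposure obvious but tightening it does not make a public listener safe.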

Active Threats: Not Just Theoretical

Aqua's report wasn't just about potential risks; it highlighted active threats:

  1. Lchaia/xmrig Campaign

    • This campaign deployed a container image (lchaia/xmrig:latest) from Docker Hub designed to mine the Monero cryptocurrency. The mining was directed to the pool moneroocean.stream.
  2. ssww Attack

    • A more aggressive campaign. The attacker first lists all available nodes, then neutralizes some competing campaigns. The attacker deploys a daemonset with a cron command that mounts the host filesystem with root privileges. This setup ensures persistence and high privileges on each host. When the cron is executed, a cryptominer begins its operation.
  3. Dero Campaign

    • Initially reported by CrowdStrike, this campaign focused on the Dero cryptocurrency. While CrowdStrike reported on one specific container image, Aqua Security discovered additional active container images under the same account, all aimed at cryptomining.
  4. RBAC buster campaign

    • This campaign abuses Kubernetes RBAC itself for persistence rather than for initial access. After getting in, the attacker creates a ClusterRole with broad privileges and a ServiceAccount whose name imitates a built-in controller, binds the two with a ClusterRoleBinding, and keeps using that identity as a concealed backdoor that survives the closing of the original entry point.
  5. TeamTNT campaign

    • A highly aggressive campaign wherein TeamTNT searches for and collects tokens from cloud service providers such as AWS, Azure, and GCP. Once these credentials are obtained, they're used to gather more information about the cloud account and potential targets within it, including storage environments, Lambda functions, and other services.
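The campaigns above share recognisable tradecraft in the workloads they deploy: a known miner image, a pool name on the command line, the node's root filesystem mounted through hostPath, and a privileged or root container dropping cron entries into it. The scanner below is an added example written for this post, not code from Aqua's report or from any of the campaigns. It takes Pod, Deployment or DaemonSet objects (as `kubectl get ds -A -o json` returns them) and lists the indicators each one exhibits. The image and pool names come from the text above; the three manifests, including the `kube-logger` DaemonSet and its cron command, are constructed for the example.

```python
"""Scan workload manifests for the tradecraft the campaigns above share.

Added example, not code from Aqua's report. Inspects Pod, Deployment or
DaemonSet objects and reports: a known miner image, a mining pool on the
command line, the host root filesystem mounted via hostPath, cron activity
alongside that mount, and privileged or root containers. MINER_IMAGES and
POOL_DOMAINS come from the campaign descriptions; the manifests below are
constructed for this example.
"""

# Indicators taken from the campaigns described above.
MINER_IMAGES = {"lchaia/xmrig"}
POOL_DOMAINS = {"moneroocean.stream"}

SAMPLE_WORKLOADS = [
    {"kind": "Pod", "metadata": {"name": "miner", "namespace": "default"},
     "spec": {"containers": [{"name": "x", "image": "lchaia/xmrig:latest",
                              "args": ["-o", "moneroocean.stream"]}]}},
    # Constructed look-alike of the ssww pattern: root hostPath + cron.
    {"kind": "DaemonSet", "metadata": {"name": "kube-logger", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
         "containers": [{"name": "c", "image": "alpine",
                         "command": ["sh", "-c",
                                     "echo '* * * * * /tmp/run.sh' >> /host/etc/crontabs/root; sleep infinity"],
                         "securityContext": {"privileged": True, "runAsUser": 0},
                         "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}}},
    # Benign log agent: hostPath, but not the root filesystem, and read-only.
    {"kind": "DaemonSet", "metadata": {"name": "log-agent", "namespace": "logging"},
     "spec": {"template": {"spec": {
         "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
         "containers": [{"name": "agent", "image": "fluent/fluent-bit:2.1",
                         "volumeMounts": [{"name": "logs", "mountPath": "/var/log",
                                           "readOnly": True}]}]}}}},
]


def pod_spec(obj: dict) -> dict:
    """Return the PodSpec of a Pod or of a Pod-template workload."""
    if obj.get("kind") == "Pod":
        return obj["spec"]
    return obj["spec"]["template"]["spec"]


def image_repo(image: str) -> str:
    """'docker.io/lchaia/xmrig:latest' -> 'lchaia/xmrig' (drops registry, tag, digest)."""
    name = image.split("@", 1)[0]                      # drop digest
    head, _, last = name.rpartition("/")
    last = last.split(":", 1)[0]                       # drop tag
    parts = (head.split("/") if head else []) + [last]
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]                              # drop registry host
    return "/".join(parts)


def scan_workload(obj: dict) -> list:
    """Return indicator strings for one workload object (empty if clean)."""
    spec = pod_spec(obj)
    meta = obj["metadata"]
    where = f"{obj['kind']} {meta.get('namespace', 'default')}/{meta['name']}"
    hits = []
    # Volumes that hand the container the node's entire root filesystem.
    root_volumes = {v["name"] for v in spec.get("volumes", [])
                    if (v.get("hostPath") or {}).get("path") == "/"}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if image_repo(c.get("image", "")) in MINER_IMAGES:
            hits.append(f"{where}: known miner image {c['image']}")
        argv = " ".join(c.get("command", []) + c.get("args", []))
        for pool in POOL_DOMAINS:
            if pool in argv:
                hits.append(f"{where}: mining pool {pool} on command line")
        mounts = [m for m in c.get("volumeMounts", []) if m["name"] in root_volumes]
        if mounts:
            hits.append(f"{where}: host root filesystem mounted at {mounts[0]['mountPath']}")
            if "cron" in argv:
                hits.append(f"{where}: cron referenced alongside the host root mount")
        sc = c.get("securityContext") or {}
        if sc.get("privileged") or sc.get("runAsUser") == 0:
            hits.append(f"{where}: privileged or root container")
    return hits


def scan_all(workloads: list) -> dict:
    """Map each workload name to its indicator list."""
    return {w["metadata"]["name"]: scan_workload(w) for w in workloads}


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLE_WORKLOADS).items():
        print(name, "->", hits or "clean")
```

The `log-agent` case is there on purpose: a hostPath mount by itself is normal for node agents, so the rule keys on the root path and on cron activity through the mount rather than on hostPath alone. Image and pool lists are a starting point; they catch the exact campaigns described and nothing that renames its image.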

In light of these findings, Aqua Security proposed several measures to bolster Kubernetes security:

  1. Focused Training: Equip your team with knowledge about these misconfigurations and the practices that counteract them.
  2. Tightening kubectl proxy: Keep it bound to the loopback address and never start it on a host others can reach; anything that can connect to it inherits the operator's credentials.
  3. Implementing RBAC & Routine Audits: Grant the anonymous identity nothing beyond the stock read-only endpoints, give service accounts least privilege, and review bindings and API audit logs regularly so that anomalies such as a new cluster-wide binding or an unexpected DaemonSet in kube-system are spotted and reverted quickly.
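The audit half of the last recommendation is easiest when it runs over the API server's own audit log. The script below is an added example written for this post, not code from Aqua's report. It reads audit.k8s.io/v1 events as the log backend writes them (one JSON object per line) and flags three behaviours tied to the findings above: the anonymous identity doing anything beyond the stock read-only endpoints, creation of cluster-wide RBAC objects (the RBAC Buster pattern), and DaemonSets appearing in kube-system (the ssww pattern). The six events, their audit IDs, the `kube-controller` name and the 203.0.113.0/24 source addresses are constructed; only the field names follow the real audit schema.

```python
"""Triage kube-apiserver audit events for the behaviours discussed above.

Added example, not code from Aqua's report. Input is a JSON-lines log of
audit.k8s.io/v1 Event objects. Sample events below are constructed; the
field names are the real audit schema.
"""
import json

# Endpoints the stock system:public-info-viewer role lets anonymous callers read.
PUBLIC_INFO_PATHS = {"/healthz", "/livez", "/readyz", "/version", "/version/"}

# Constructed sample log: one request may appear in several stages.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a1",
     "stage": "ResponseComplete", "verb": "get", "requestURI": "/version",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["203.0.113.7"], "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a3",
     "stage": "RequestReceived", "verb": "list", "requestURI": "/api/v1/pods?limit=500",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "objectRef": {"resource": "pods", "apiVersion": "v1"}, "sourceIPs": ["203.0.113.7"]},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a3",
     "stage": "ResponseComplete", "verb": "list", "requestURI": "/api/v1/pods?limit=500",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "objectRef": {"resource": "pods", "apiVersion": "v1"}, "sourceIPs": ["203.0.113.7"],
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a4",
     "stage": "ResponseComplete", "verb": "create",
     "requestURI": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings",
     "user": {"username": "system:serviceaccount:default:default"},
     "objectRef": {"resource": "clusterrolebindings", "name": "kube-controller",
                   "apiGroup": "rbac.authorization.k8s.io", "apiVersion": "v1"},
     "sourceIPs": ["10.0.1.15"], "responseStatus": {"code": 201}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a5",
     "stage": "ResponseComplete", "verb": "get", "requestURI": "/api/v1/nodes/worker-1",
     "user": {"username": "system:node:worker-1", "groups": ["system:nodes"]},
     "objectRef": {"resource": "nodes", "name": "worker-1", "apiVersion": "v1"},
     "sourceIPs": ["10.0.1.21"], "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a6",
     "stage": "ResponseComplete", "verb": "create",
     "requestURI": "/apis/apps/v1/namespaces/kube-system/daemonsets",
     "user": {"username": "system:serviceaccount:kube-system:kube-controller"},
     "objectRef": {"resource": "daemonsets", "namespace": "kube-system",
                   "name": "kube-logger", "apiGroup": "apps", "apiVersion": "v1"},
     "sourceIPs": ["203.0.113.9"], "responseStatus": {"code": 201}},
])


def triage_event(ev: dict):
    """Return a reason string if the event deserves a look, else None."""
    user = (ev.get("user") or {}).get("username", "")
    verb = ev.get("verb", "")
    ref = ev.get("objectRef") or {}
    uri = ev.get("requestURI", "")
    path = uri.split("?", 1)[0]
    if user == "system:anonymous" and not (verb == "get" and path in PUBLIC_INFO_PATHS):
        return f"anonymous {verb} on {path}"
    if verb == "create" and ref.get("resource") in ("clusterrolebindings", "clusterroles"):
        return f"{user} created {ref['resource']}/{ref.get('name')}"
    if verb == "create" and ref.get("resource") == "daemonsets" and ref.get("namespace") == "kube-system":
        return f"{user} created daemonset kube-system/{ref.get('name')}"
    return None


def triage_log(lines: str) -> list:
    """Run triage_event over a JSON-lines audit log, returning
    (auditID, first source IP, reason). Only ResponseComplete events are
    considered so each request is counted once."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue
        reason = triage_event(ev)
        if reason:
            findings.append((ev.get("auditID"), (ev.get("sourceIPs") or [None])[0], reason))
    return findings


if __name__ == "__main__":
    for audit_id, src, reason in triage_log(SAMPLE_LOG):
        print(f"{audit_id} from {src}: {reason}")
```

Events only reach the log when the cluster's audit policy records them, so the policy has to cover RBAC and apps resources at Metadata level at least; and the anonymous rule relies on the stock bindings being intact, which is exactly what the earlier binding audit verifies.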