We break down the primary attack vectors in containerized environments: exposed secrets, privilege misconfigurations, API compromise, and supply chain attacks.
Analysis Summary
# Tool/Technique: Container Infrastructure Exploitation
## Overview
This technique involves targeting containerized environments (Docker, Kubernetes) by exploiting misconfigurations, exposed secrets, and vulnerabilities in the container lifecycle. The primary goal is typically initial access to a cluster, followed by privilege escalation to the host and lateral movement across the infrastructure.
## Technical Details
- **Type**: Technique / Attack Framework
- **Platform**: Cloud/Linux (Docker, Kubernetes, Containerd)
- **Capabilities**: Credential theft, container escape, supply chain poisoning, and unauthorized API interaction.
- **First Seen**: Ongoing; significantly intensified with the 2014-2015 rise of Docker and subsequent Kubernetes adoption.
## MITRE ATT&CK Mapping
- **RECONNAISSANCE**
  - T1592 - Gather Victim Host Information
- **INITIAL ACCESS**
  - T1610 - Deploy Container
  - T1190 - Exploit Public-Facing Application
  - T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- **EXECUTION**
  - T1611 - Escape to Host
  - T1059.004 - Command and Scripting Interpreter: Unix Shell
- **CREDENTIAL ACCESS**
  - T1552.007 - Unsecured Credentials: Container Secrets
- **LATERAL MOVEMENT**
  - T1535 - Internal Spearphishing (within container networks)
## Functionality
### Core Capabilities
- **Credential Harvesting**: Extracting hardcoded API keys, environment variables, and SSH keys from container images or `.env` files.
- **API Misconfiguration Exploitation**: Leveraging unauthenticated access to the Docker Socket (`/var/run/docker.sock`) or Kubernetes API server to spin up rogue containers.
- **Privileged Container Escapes**: Utilizing the `--privileged` flag to gain access to the host machine’s devices and kernel.
### Advanced Features
- **Supply Chain Poisoning**: Injecting malicious layers into legitimate container images on public registries (e.g., Docker Hub) to facilitate widespread backdoors or cryptojacking.
- **Orchestration Manipulation**: Using compromised Service Account tokens to modify cluster deployments and persistent volume claims.
## Indicators of Compromise
- **File Names**: `docker.sock`, `.docker/config.json`, `k8s-service-account-token`
- **Network Indicators**:
  - Access to `http://169.254.169.254` (Cloud Metadata Service)
  - Unidentified traffic to `https://[api-server-ip]:6443` (Kubernetes API)
- **Behavioral Indicators**:
  - Sudden spawning of `nsenter` or `chroot` commands from within a container.
  - Large-scale pulls of unauthorized images from public registries.
  - Deployment of high-CPU usage containers (Cryptominers).
## Associated Threat Actors
- **TeamTNT**: Heavily focused on Docker/K8s exploitation and credential theft.
- **Kinsing**: Known for exploiting misconfigured container APIs for cryptomining.
- **WatchDog**: Targets exposed cloud and container infrastructure.
## Detection Methods
- **Signature-based**: Scanning container images for known MD5/SHA256 hashes of cryptominers and common webshells.
- **Behavioral detection**: Monitoring for "impossible travel" in service account token use and detecting sensitive file mounting (e.g., mounting `/` from the host).
- **YARA Rules**: Scanning container filesystems for patterns matching cloud provider secret formats (AWS keys, GCP service accounts).
## Mitigation Strategies
- **Secrets Management**: Use dedicated tools (HashiCorp Vault, AWS Secrets Manager) instead of environment variables or image-embedded secrets.
- **Hardening**: Implement **Pod Security Standards (PSS)** and **Admission Controllers** to block privileged containers.
- **Least Privilege**: Run containers as non-root users and set filesystems to read-only where possible.
- **Network Segmentation**: Use Network Policies to restrict container-to-container and container-to-API communication.
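
The check below is an added example, not code from the original report or from any tool it names. It audits a Kubernetes Pod manifest for the conditions listed under Detection Methods and Mitigation Strategies: privileged containers, host mounts of `/` or `docker.sock`, containers not forced to run as non-root, and writable root filesystems. The sample manifest, the `audit_pod` function name and the finding labels are constructed for illustration.

```python
import json

# Constructed sample Pod manifest (illustrative; not taken from the report).
SAMPLE_POD = json.loads("""
{"spec": {
  "volumes": [
   {"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}},
   {"name": "cache", "emptyDir": {}}],
  "containers": [
   {"name": "agent", "image": "example.invalid/agent:1",
    "securityContext": {"privileged": true},
    "volumeMounts": [{"name": "sock", "mountPath": "/var/run/docker.sock"}]},
   {"name": "web", "image": "example.invalid/web:1",
    "securityContext": {"runAsNonRoot": true,
                        "readOnlyRootFilesystem": true}}]}}
""")

# Host paths the report calls out as sensitive when mounted into a container.
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock")


def audit_pod(pod):
    """Return sorted (container, finding) tuples for a Pod manifest dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    risky = {}  # volume name -> sensitive hostPath it exposes
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path")
        if path is not None and (path.rstrip("/") or "/") in SENSITIVE_HOST_PATHS:
            risky[vol["name"]] = path.rstrip("/") or "/"
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append((c["name"], "privileged"))
        # A container-level runAsNonRoot overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((c["name"], "runAsNonRoot-not-set"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((c["name"], "writable-rootfs"))
        for m in c.get("volumeMounts", []):
            if m.get("name") in risky:
                findings.append((c["name"], "hostPath:" + risky[m["name"]]))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_pod(SAMPLE_POD):
        print(f"{name}: {finding}")
```

The same function can run in CI against manifests rendered to JSON before they reach the cluster; in-cluster enforcement is still the job of Pod Security Standards and admission controllers.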
## Related Tools/Techniques
- **Peirates**: Kubernetes penetration testing tool.
- **CDK (Container Detection Kit)**: An exploitation toolkit for container escape and reconnaissance.
- **AmIInAShell**: A tool to check for container environments and escape vectors.