Full Report
Unit 42 uncovers escalating Kubernetes attacks, detailing how threat actors exploit identities and critical vulnerabilities to compromise cloud environments. The post Understanding Current Threats to Kubernetes Environments appeared first on Unit 42.
Analysis Summary
Based on the Unit 42 research on escalating threats to Kubernetes (K8s) environments, here is a summary of the predominant malware families, tools, and techniques currently used by threat actors against clusters.
---
# Tool/Technique: Deployment of Malicious K8s Containers (Kinsing/Deksiam)
## Overview
Threat actors are increasingly exploiting exposed or misconfigured Kubernetes APIs (kube-apiserver, kubelet), vulnerable public-facing workloads, and vulnerable container images to deploy workloads of their own. The primary objective is typically resource hijacking (cryptojacking) or establishing a foothold for lateral movement from the cluster into the surrounding cloud service provider (CSP) account.
## Technical Details
- **Type:** Malware Family & Tactical Technique
- **Platform:** Linux, Kubernetes, Docker
- **Capabilities:** Cryptomining, credential harvesting (cloud instance metadata credentials), lateral movement, and persistence with process hiding via a userland (`LD_PRELOAD`) rootkit.
- **First Seen:** Approximately 2020 (actively evolving in 2024 with K8s-specific modules).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1190 - Exploit Public-Facing Application]
- **[TA0002 - Execution]**
  - [T1610 - Deploy Container]
  - [T1609 - Container Administration Command] (`kubectl exec` into running pods)
- **[TA0003 - Persistence]**
  - [T1053.003 - Scheduled Task/Job: Cron]
- **[TA0005 - Defense Evasion]**
  - [T1014 - Rootkit]
  - [T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking] (`LD_PRELOAD`)
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (disabling SELinux / flushing iptables)
- **[TA0006 - Credential Access]**
  - [T1552.005 - Unsecured Credentials: Cloud Instance Metadata API]
- **[TA0007 - Discovery]**
  - [T1613 - Container and Resource Discovery]
- **[TA0040 - Impact]**
  - [T1496 - Resource Hijacking]
## Functionality
### Core Capabilities
- **Automated Scanning:** Scans for exposed kubelet ports (TCP 10250) and unauthenticated Docker daemon APIs (TCP 2375), then uses whichever API it finds to start a container of its choosing. The kubelet API is also reachable from inside the cluster, so a single compromised pod can scan the node network for it.
- **Cryptomining ("resource exhaustion"):** Deploys Monero miners (XMRig) disguised as legitimate system processes; the `kdevtmpfsi` name in the IOC list mimics the `kdevtmpfs` kernel thread.
- **Persistence:** Installs cron jobs inside the container (and on the host where it has host access) and, given sufficient Kubernetes API rights, creates a DaemonSet so the workload is scheduled on every node in the cluster and recreated whenever a pod is deleted.
### Advanced Features
- **Cloud Metadata Interrogation:** Queries the Instance Metadata Service (IMDS, `169.254.169.254`) from inside the pod to obtain the node's cloud credentials (on AWS the temporary credentials of the instance-profile role, on GCP an access token for the node service account, on Azure a managed-identity token) and pivots from the K8s cluster into the broader AWS/Azure/GCP account.
- **Rootkits:** Uses an `LD_PRELOAD` library registered in `/etc/ld.so.preload` (the `libsystem.so` in the IOC list is such a library) or eBPF-based kits to hide the miner's processes, files, and connections from `ps`, `top`, and similar tools. The `LD_PRELOAD` variant is userland, not kernel, and only affects dynamically linked binaries; a statically linked tool, or host-side eBPF/kernel telemetry, still sees the process.
## Indicators of Compromise
- **File Hashes:**
  - (Kinsing) `7905d4f3b118b76c8c15664a781b0f55c2cd173b` (SHA-1)
- **File Names:** `kinsing`, `kdevtmpfsi`, `libsystem.so`
- **Network Indicators:**
  - `93.189.42[.]8` (C2 server)
  - `http://45.10.88[.]102/kin.sh` (installer script)
- **Behavioral Indicators:** Unexpected `kubectl exec` sessions (recorded in the kube-apiserver audit log as `create` requests on the `pods/exec` subresource), sustained high CPU usage on worker nodes, new DaemonSets in `kube-system`, `/etc/ld.so.preload` being created or modified, and outbound traffic to known mining pools (e.g., `monerohash[.]com`).
## Associated Threat Actors
- **Kinsing (H2Miner)**
- **TeamTNT**
- **Deksiam** (Targeting K8s via vulnerable images)
## Detection Methods
- **Signature-based:** Match known installer-script patterns, e.g. scripts that run `setenforce 0` to disable SELinux, flush `iptables` rules, write `/etc/ld.so.preload`, or kill competing miners before downloading a payload.
- **Behavioral detection:** Baseline normal container behavior and alert on unexpected `exec` calls into running pods, especially when the caller is a service account rather than a human, and on new DaemonSets created outside the cluster's deployment pipeline.
- **YARA rules:** Scan container images and running filesystems for embedded private keys, cloud credentials, and miner configuration files (XMRig `config.json` with pool and wallet entries).
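The behavioral detection described above can be run directly over kube-apiserver audit events. The following is an added example, not code from the Unit 42 post: it parses a constructed NDJSON audit log and flags `kubectl exec` (which the API server records as a `create` on the `pods/exec` subresource) and DaemonSet creation, raising severity when the principal is a service account or the target namespace is `kube-system`. The field names (`verb`, `user.username`, `objectRef.*`) are the real `audit.k8s.io/v1` Event schema; the sample events, usernames and pod names are constructed for this example.

```python
"""Behavioural detection over kube-apiserver audit events.

Added example, not code from the Unit 42 post. The field names used
(verb, user.username, objectRef.resource/subresource/namespace/name) are
the real audit.k8s.io/v1 Event schema; the sample events, usernames and
pod names below are constructed for this example.
"""
import json

# Constructed sample audit log (NDJSON, one Event per line).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # `kubectl exec` is recorded as verb=create on the pods/exec subresource.
    # Here the caller is a pod's service account, not a human: a workload
    # exec'ing into another pod is a strong lateral-movement signal.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "user": {"username": "system:serviceaccount:default:default"},
     "objectRef": {"resource": "pods", "subresource": "exec",
                   "namespace": "prod", "name": "web-7d9c"}},
    # A DaemonSet created in kube-system schedules a pod on every node:
    # the persistence pattern described above.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "user": {"username": "system:serviceaccount:default:default"},
     "objectRef": {"resource": "daemonsets", "namespace": "kube-system",
                   "name": "kube-logger"}},
    # Lower severity: a human operator exec'ing into a pod in a dev namespace.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "pods", "subresource": "exec",
                   "namespace": "dev", "name": "debug-1"}},
    # Benign: a read-only list request.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "list",
     "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "pods", "namespace": "prod"}},
])

SA_PREFIX = "system:serviceaccount:"


def analyze_event(event):
    """Return (rule, severity, detail) findings for one audit Event dict."""
    findings = []
    ref = event.get("objectRef") or {}
    user = (event.get("user") or {}).get("username", "")
    verb = event.get("verb")
    # Service accounts are workload identities; a service account driving
    # exec or DaemonSet creation usually means a stolen or abused token.
    from_sa = user.startswith(SA_PREFIX)
    target = f"{ref.get('namespace')}/{ref.get('name')}"

    if verb == "create" and ref.get("resource") == "pods" \
            and ref.get("subresource") == "exec":
        findings.append(("EXEC_INTO_POD", "high" if from_sa else "medium",
                         f"{user} exec'd into {target}"))
    if verb == "create" and ref.get("resource") == "daemonsets":
        sev = "high" if (from_sa or ref.get("namespace") == "kube-system") else "medium"
        findings.append(("DAEMONSET_CREATED", sev,
                         f"{user} created DaemonSet {target}"))
    return findings


def analyze_log(ndjson):
    """Run analyze_event over every non-empty line of an NDJSON audit log."""
    findings = []
    for line in ndjson.splitlines():
        if line.strip():
            findings.extend(analyze_event(json.loads(line)))
    return findings


if __name__ == "__main__":
    for rule, sev, detail in analyze_log(SAMPLE_AUDIT_LOG):
        print(f"[{sev}] {rule}: {detail}")
```

This only works if the cluster's audit policy records requests to the `pods/exec` subresource (at least at the `Metadata` level) and ships the log somewhere the detection can read it; a cluster with no audit policy produces nothing to analyze.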
## Mitigation Strategies
- **API Hardening:** Run the kubelet with `--anonymous-auth=false`, `--authorization-mode=Webhook` (so every request is authorized by the API server), and `--read-only-port=0`; never expose the kube-apiserver or kubelet ports to the internet.
- **Admission Controllers:** Use Pod Security Admission (PSA), the built-in replacement for PodSecurityPolicy (removed in Kubernetes 1.25), and label namespaces with `pod-security.kubernetes.io/enforce: baseline` (or `restricted`) so privileged containers, host namespaces, and `hostPath` mounts are rejected at admission time.
- **IMDS Protection:** On AWS, require IMDSv2 and set the instance's `HttpPutResponseHopLimit` to 1 so token responses do not reach pods behind the node's network stack; `hostNetwork` pods still reach IMDS, so also block `169.254.169.254` with network policy and give workloads their own identity (IAM Roles for Service Accounts on EKS, Workload Identity on GKE) instead of relying on the node role.
- **Network Policy:** Apply a default-deny egress NetworkPolicy per namespace and allow only DNS and the destinations a workload genuinely needs; this cuts off both the installer download and the mining-pool connection.
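To make the admission-controller mitigation concrete, here is an added example (not code from the Unit 42 post) that evaluates a pod spec the way Pod Security Admission does and reports the violations for the `baseline` and `restricted` profiles. It implements a subset of the Pod Security Standards (privileged, host namespaces, `hostPath`, `hostPort`, privilege escalation, capabilities, run-as-non-root, seccomp; volume-type and sysctl rules are omitted) and places a constructed cryptojacking-style pod spec beside a hardened rewrite of the same workload. The namespace label keys are the real PSA ones; the pod names and images are assumptions.

```python
"""Pod Security Admission-style check of a pod spec, weak vs hardened.

Added example, not code from the Unit 42 post. Implements a subset of the
Pod Security Standards "baseline" and "restricted" checks; the two pod
specs are constructed for this example.
"""

# Namespace labels that turn on enforcement in the built-in PSA controller
# (these label keys are the real ones; apply them to every namespace).
RESTRICTED_NAMESPACE_LABELS = {
    "pod-security.kubernetes.io/enforce": "restricted",
    "pod-security.kubernetes.io/warn": "restricted",
    "pod-security.kubernetes.io/audit": "restricted",
}

# What a cryptojacking DaemonSet's pod template typically looks like:
# privileged, host PID/network namespaces, host root filesystem mounted.
WEAK_POD = {"spec": {
    "hostPID": True,
    "hostNetwork": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{
        "name": "miner", "image": "alpine",
        "securityContext": {"privileged": True},
        "volumeMounts": [{"name": "root", "mountPath": "/host"}],
    }],
}}

# The same workload shape rewritten to pass the "restricted" profile.
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "scratch", "emptyDir": {}}],
    "containers": [{
        "name": "app", "image": "alpine",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
        "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}],
    }],
}}


def _containers(spec):
    """All containers PSA evaluates: regular plus init containers."""
    return spec.get("containers", []) + spec.get("initContainers", [])


def pss_violations(pod, level="restricted"):
    """Return violation strings for the given Pod Security Standards level."""
    spec = pod["spec"]
    v = []
    # ---- baseline: block the obvious host takeover vectors ----
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            v.append(f"baseline: {ns} is true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"baseline: hostPath volume {vol['name']}")
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            v.append(f"baseline: container {c['name']} is privileged")
        for p in c.get("ports", []):
            if p.get("hostPort"):
                v.append(f"baseline: container {c['name']} uses hostPort {p['hostPort']}")
    if level == "baseline":
        return v
    # ---- restricted: baseline plus hardening every container must opt into ----
    pod_sc = spec.get("securityContext") or {}
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"restricted: container {c['name']} must set allowPrivilegeEscalation=false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            v.append(f"restricted: container {c['name']} must drop ALL capabilities")
        # Container-level settings override pod-level ones, as in PSA.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            v.append(f"restricted: container {c['name']} must run as non-root")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f"restricted: container {c['name']} needs a RuntimeDefault/Localhost seccomp profile")
    return v


if __name__ == "__main__":
    for name, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(name, pss_violations(pod, "restricted") or "OK")
```

Running it against the weak spec returns four `baseline` violations (both host namespaces, the `hostPath` mount, the privileged container) and four more under `restricted`; the hardened spec returns none at either level. Note that a DaemonSet is admitted through the same pod template checks, so enforcing `baseline` on `kube-system` alone already blocks the privileged-DaemonSet persistence pattern.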
## Related Tools/Techniques
- **Peirates:** An open-source Kubernetes penetration testing tool (service-account token theft, API enumeration, pivoting between pods and nodes) that actors also use for discovery once inside a pod.
- **RBAC Over-privileging:** Abuse of the `cluster-admin` ClusterRole (or wildcard rules) bound to service accounts whose tokens are automatically mounted into pods, which turns any single compromised pod into full cluster control.
- **Argo CD/Helm Exploitation:** Abuse of CI/CD and GitOps tooling to inject malicious manifests that the cluster then applies with the tool's own, typically broad, privileges.
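The RBAC over-privileging item above is something a practitioner can audit offline from the cluster's RBAC objects. The following added example (not code from the Unit 42 post) walks ClusterRole and ClusterRoleBinding objects in the shape returned by `kubectl get clusterroles,clusterrolebindings -o json` and reports every service account bound to `cluster-admin` or to any role that can create `pods/exec`, create DaemonSets, list secrets, or create ClusterRoleBindings. The sample roles, bindings and the Argo CD controller service-account name are constructed assumptions; API groups are ignored for brevity.

```python
"""Find service accounts with cluster-admin-equivalent rights.

Added example, not code from the Unit 42 post. Walks ClusterRole and
ClusterRoleBinding objects (the real RBAC object shapes); the sample
roles, bindings and service-account names are constructed assumptions.
API groups are ignored for brevity, which slightly over-reports.
"""

# Constructed sample: the built-in cluster-admin rule set, a custom role
# that is over-broad in a less obvious way, and a genuinely narrow role.
CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["daemonsets", "deployments"],
                "verbs": ["create", "update"]},
               {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]

CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "argocd-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-application-controller",
                   "namespace": "argocd"}]},
    {"metadata": {"name": "ci-deployer-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    {"metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "monitor", "namespace": "observability"},
                  {"kind": "User", "name": "alice@example.com"}]},
]

# (resource, verb) pairs that let a workload take over pods, nodes or the
# whole cluster; "*" on both is cluster-admin itself.
DANGEROUS = [("*", "*"), ("pods/exec", "create"), ("daemonsets", "create"),
             ("secrets", "list"), ("clusterrolebindings", "create")]


def _rule_grants(rule, resource, verb):
    """True if a single RBAC rule grants verb on resource (wildcards honoured)."""
    resources, verbs = rule.get("resources", []), rule.get("verbs", [])
    return ("*" in resources or resource in resources) and ("*" in verbs or verb in verbs)


def dangerous_grants(role):
    """Return the DANGEROUS (resource, verb) pairs that a role grants."""
    return [(r, v) for (r, v) in DANGEROUS
            if any(_rule_grants(rule, r, v) for rule in role.get("rules", []))]


def overprivileged_service_accounts(roles, bindings):
    """Map 'namespace/serviceaccount' -> [(role, resource, verb), ...]."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    findings = {}
    for b in bindings:
        ref = b["roleRef"]
        if ref.get("kind") != "ClusterRole" or ref["name"] not in by_name:
            continue
        grants = dangerous_grants(by_name[ref["name"]])
        if not grants:
            continue
        for s in b.get("subjects", []):
            if s.get("kind") != "ServiceAccount":   # humans/groups are out of scope here
                continue
            key = f"{s.get('namespace')}/{s['name']}"
            findings.setdefault(key, []).extend((ref["name"], r, v) for r, v in grants)
    return findings


if __name__ == "__main__":
    for sa, grants in overprivileged_service_accounts(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS).items():
        print(sa, "->", ", ".join(f"{role}:{r}/{v}" for role, r, v in grants))
```

Every service account this reports is one whose mounted token, if read from any pod that uses it, gives an attacker the exec, DaemonSet or secret access described in this report; the remediation is to bind a narrower role or set `automountServiceAccountToken: false` on pods that never talk to the API. The same walk over namespaced RoleBindings catches the per-namespace variant.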