
CheckRed Editorial

KSPM
15 October 2024

Three Kubernetes Security Incidents in 2024

Kubernetes, or K8s, has become a key technology for managing containerized applications, providing organizations with significant scalability and flexibility. However, this powerful platform also brings a range of security challenges that need to be addressed to protect sensitive data and maintain system integrity. Misconfigurations are one of the most common vulnerabilities in Kubernetes environments, often leading to unauthorized access and data breaches. As cyber threats grow more sophisticated, ensuring security in Kubernetes is crucial. By adopting effective security practices and addressing potential misconfigurations, organizations can reduce risks, protect their assets, and create a more secure cloud-native infrastructure.

In this blog, we take a look at three Kubernetes security incidents that occurred in 2024, and learn how organizations can prevent them.

1. TLS Bootstrap Attack

The Hacker News has reported that researchers have uncovered a security vulnerability affecting Microsoft Azure Kubernetes Services (AKS) that could enable attackers to escalate privileges and access sensitive credentials within the cluster. If exploited, an attacker with command execution capabilities in a pod could download configuration data, extract TLS bootstrap tokens, and perform a TLS bootstrap attack to access all secrets stored in the cluster. The flaw primarily impacts clusters using “Azure CNI” for network configuration and “Azure” for network policy.

The attack leverages a component called Azure WireServer to retrieve a key used for encrypting protected settings, allowing the attacker to decode provisioning scripts that contain critical information, such as TLS keys and certificates. Although the compromised account has minimal permissions, it can still list cluster nodes, and the TLS bootstrap token could grant access to all secrets used by workloads.

It is critical for organizations to implement restrictive NetworkPolicies to mitigate such attacks. This disclosure follows the identification of other significant vulnerabilities in Kubernetes, highlighting ongoing security concerns in cloud-native environments and the necessity for robust input sanitization and auditing practices.

2. Exploitation of OpenMetadata Flaws

In another K8s security incident, The Hacker News has learned that threat actors are exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads for cryptocurrency mining. According to Microsoft Threat Intelligence, these flaws have been actively used since early April 2024. The vulnerabilities, discovered by researcher Alvaro Muñoz, include several Spring Expression Language (SpEL) injection issues and an authentication bypass, all with CVSS scores between 8.8 and 9.8.

By targeting unpatched, internet-facing OpenMetadata workloads, attackers can bypass authentication and execute code within the containers. After gaining access, they evaluate how much control they can gain over the environment, often sending ping requests to verify connectivity to their own infrastructure.

Their primary objective is to install crypto-mining malware from a remote server, establishing command-and-control channels using tools like Netcat. Interestingly, some attackers have left personal notes expressing financial need, adding a human element to their actions.

To defend against these threats, OpenMetadata users are encouraged to adopt strong authentication practices, avoid default credentials, and keep their systems up to date. Following the disclosure, OpenMetadata has implemented patches to address these vulnerabilities, highlighting the critical need for secure configurations in open-source environments.

3. Misconfigured K8s Clusters Lead to Cryptojacking

Cybersecurity researchers have identified an active cryptojacking campaign targeting misconfigured Kubernetes clusters to mine Dero cryptocurrency. This operation is an updated variant of a financially motivated scheme first reported by CrowdStrike in March 2023. The attackers exploit anonymous access to internet-facing Kubernetes API servers to deploy malicious container images from Docker Hub, some of which have garnered over 10,000 pulls.

In this latest approach, the threat actors use innocuous-sounding DaemonSets named “k8s-device-plugin” and “pytorch-container” to run the miner across all nodes. The malicious container, cleverly named “pause,” mimics the legitimate infrastructure container of the same name that Kubernetes uses to hold each pod's network namespace.

The miner itself is an obfuscated binary designed to evade detection by hard-coding wallet addresses and mining pool URLs, allowing it to operate without the usual command-line arguments that security systems monitor. The attackers have also registered innocuous-sounding domains to disguise their activities and blend in with legitimate traffic. These tactics illustrate the attackers’ adaptability and their ongoing efforts to evade detection and countermeasures.

Misconfigured Kubernetes Access – The Common Thread

A common thread in these recent cybersecurity incidents is the exploitation of misconfigured access in Kubernetes environments. Attackers are increasingly targeting vulnerabilities related to improperly secured API servers and anonymous authentication, allowing them to gain unauthorized entry into clusters. In the case of the TLS-Bootstrap vulnerability, threat actors could leverage weak configurations to escalate privileges and access sensitive data. Similarly, the cryptojacking campaign highlights how attackers exploit open access to deploy malicious containers and mine cryptocurrency. These incidents underscore the critical importance of implementing strong security practices, such as enforcing strict access controls, regularly auditing configurations, and applying timely updates. Organizations must prioritize the security of their Kubernetes environments to prevent exploitation and protect their resources from these evolving threats.
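Detection logic for the common thread above (anonymous API-server access and the lure DaemonSets from the Dero campaign), as an added example that is not part of the original post or of CheckRed's product. It scans constructed Kubernetes audit-log events; the trusted-registry list for the real "pause" image and the set of legitimately unauthenticated endpoints are assumptions to adjust per cluster.

```python
import json

# Constructed sample audit events (not from any real cluster), trimmed to the
# audit.k8s.io/v1 Event fields these checks read.
SAMPLE_AUDIT_LOG = """
{"user":{"username":"system:anonymous"},"verb":"list","requestURI":"/api/v1/pods","responseStatus":{"code":200}}
{"user":{"username":"system:anonymous"},"verb":"get","requestURI":"/healthz","responseStatus":{"code":200}}
{"user":{"username":"system:anonymous"},"verb":"create","requestURI":"/apis/apps/v1/namespaces/default/daemonsets","responseStatus":{"code":201},"requestObject":{"kind":"DaemonSet","metadata":{"name":"k8s-device-plugin"},"spec":{"template":{"spec":{"containers":[{"name":"pause","image":"docker.io/example/pause:latest"}]}}}}}
{"user":{"username":"admin"},"verb":"create","requestURI":"/apis/apps/v1/namespaces/kube-system/daemonsets","responseStatus":{"code":201},"requestObject":{"kind":"DaemonSet","metadata":{"name":"kube-proxy"},"spec":{"template":{"spec":{"containers":[{"name":"kube-proxy","image":"registry.k8s.io/kube-proxy:v1.30.0"}]}}}}}
"""

# Assumption: the genuine "pause" image is only ever pulled from these registries.
TRUSTED_PAUSE_REGISTRIES = ("registry.k8s.io/", "k8s.gcr.io/")
# DaemonSet names the Dero campaign used as lures.
LURE_DAEMONSET_NAMES = {"k8s-device-plugin", "pytorch-container"}
# Endpoints the API server legitimately answers for unauthenticated callers (assumption).
UNAUTH_OK_PATHS = {"/healthz", "/livez", "/readyz", "/version"}


def check_event(event: dict) -> list:
    """Return finding strings for one audit event (empty list if clean)."""
    findings = []
    user = event.get("user", {}).get("username", "")
    code = event.get("responseStatus", {}).get("code", 0)
    uri = event.get("requestURI", "").split("?", 1)[0]
    # Anonymous request that succeeded outside the health endpoints: the
    # entry point of the cryptojacking campaign.
    if user == "system:anonymous" and code < 400 and uri not in UNAUTH_OK_PATHS:
        findings.append(f"anonymous {event.get('verb')} succeeded on {uri}")
    # DaemonSet creation using a lure name or a fake "pause" container.
    obj = event.get("requestObject") or {}
    if event.get("verb") == "create" and obj.get("kind") == "DaemonSet":
        name = obj.get("metadata", {}).get("name", "")
        if name in LURE_DAEMONSET_NAMES:
            findings.append(f"DaemonSet {name!r} matches a known lure name")
        pod = obj.get("spec", {}).get("template", {}).get("spec", {})
        for c in pod.get("containers", []):
            image = c.get("image", "")
            if c.get("name") == "pause" and not image.startswith(TRUSTED_PAUSE_REGISTRIES):
                findings.append(f"'pause' in DaemonSet {name!r} pulls untrusted image {image}")
    return findings


def scan_audit_log(text: str) -> list:
    """Scan newline-delimited JSON audit events and collect all findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(check_event(json.loads(line)))
    return findings
```

Running `scan_audit_log(SAMPLE_AUDIT_LOG)` on the constructed log yields four findings: the anonymous pod listing, the anonymous DaemonSet creation, the lure name, and the untrusted "pause" image; the health-check probe and the legitimate kube-proxy DaemonSet are not flagged.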

CheckRed for Kubernetes Security Posture Management

CheckRed offers a unified approach to securing cloud environments through Kubernetes Security Posture Management (KSPM), Cloud-Native Application Protection Platform (CNAPP), and SaaS Security Posture Management (SSPM). This all-in-one platform allows organizations to protect their entire cloud, from K8s clusters to containerized applications to SaaS applications. By providing visibility and proactive risk mitigation across all layers, CheckRed enhances overall security posture and ensures compliance. Get in touch to learn more!
