Thought leadership. Threat analysis. Cybersecurity news and alerts.
What Is Kubernetes and How to Protect This Attack Surface
Kubernetes is fast becoming the target of attackers to steal data, steal computing power, or cause a denial of service.
What Is Kubernetes?
Kubernetes is an open-source system that’s often hosted in the cloud. It’s used to automate the deployment, scaling, and management of applications. Companies that use Kubernetes include Google and Tesla.
Google originally developed and released Kubernetes as open-source in 2014. Google Cloud is the known birthplace of Kubernetes. Kubernetes development drew inspiration from Google’s Borg.
“Google's Borg system is a cluster manager that runs hundreds of thousands of jobs, from many thousands of different applications, across a number of clusters each with up to tens of thousands of machines,” Google said. “It achieves high utilization by combining admission control, efficient task-packing, over-commitment, and machine sharing with process-level performance isolation. It supports high-availability applications with runtime features that minimize fault-recovery time, and scheduling policies that reduce the probability of correlated failures. Borg simplifies life for its users by offering a declarative job specification language, name service integration, real-time job monitoring, and tools to analyze and simulate system behavior.”
While Kubernetes offers users a way to automate the deployment, scaling, and management of applications, it presents complexities. "Kubernetes clusters can be complex to secure and are often abused in compromises that exploit their misconfigurations,” the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency said in the advisory “Kubernetes Hardening Guidance.”
In February 2018, researchers at RedLock discovered that attackers had infiltrated Tesla’s Kubernetes console which wasn’t password protected. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry,” RedLock researchers said.
According to RedLock researchers, attackers in the Tesla case stole the computing power for crypto mining from within one of Tesla’s Kubernetes pods. The researchers added that the attackers used the following evasion techniques to hide the illicit crypto mining:
. The attackers didn’t use a well-known public “mining pool” in this attack, making it difficult for standard IP/domain-based threat intelligence feeds to detect the malicious activity.
. The attackers hid the true IP address of the mining pool server behind a free content delivery network (CDN) service, making IP address-based detection of crypto mining activity difficult.
. The mining software was configured to listen on a non-standard port, making it difficult to detect malicious activity based on port traffic.
. The attackers configured the mining software to keep the usage low to evade detection.
Common Sources of Compromise in Kubernetes
According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, the three common sources of compromise in Kubernetes are malicious threat actors, supply chain risks, and insider threats.
Malicious Threat Actors
According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, malicious threat actors often target the following Kubernetes architecture for remote exploitation: control plane, worker nodes, and containerized applications.
The Kubernetes control plane is used to track and manage the cluster. The agencies said the Kubernetes control plane lacking appropriate access controls is often taken advantage by attackers.
The Kubernetes worker nodes host the kubelet and kube-proxy service. According to the said agencies, worker nodes are potentially exploitable by attackers.
The agencies added that the containerized applications running inside the Kubernetes cluster are common targets. "An actor can then pivot from an already compromised Pod or escalate privileges within the cluster using an exposed application’s internally accessible resources,” the agencies said.
Supply Chain Risks
In supply chain risks, attackers may compromise a third-party software and vendors used to create and manage the Kubernetes cluster.
A malicious third-party application running in Kubernetes could provide attackers with a foothold. The compromise of the underlying systems (software and hardware) hosting Kubernetes could provide attackers with a foothold as well.
Insiders threats refer to individuals from within the organization who use their special knowledge and privileges against Kubernetes clusters. These individuals can be administrators, users, and cloud service or infrastructure provider.
According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, Kubernetes administrators have control over the Kubernetes environment, giving them the ability to compromise the Kubernetes environment.
Users who have knowledge and credentials to access containerized services in the Kubernetes cluster could compromise the Kubernetes environment as well. Cloud service or infrastructure provider, meanwhile, has access to physical systems or hypervisors managing Kubernetes nodes. This access could be used to compromise a Kubernetes environment.
Cybersecurity Best Practices
The U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency recommend the following best practices in order to protect your organization’s Kubernetes environment:
Steve E. Driz, I.S.P., ITCP