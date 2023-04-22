A large-scale attack campaign has been discovered in which Kubernetes (K8s) Role-Based Access Control (RBAC) was exploited to create backdoors and run cryptocurrency miners.

What are Kubernetes and RBAC exactly?

Before continuing, let’s explain what RBAC and Kubernetes are.

Kubernetes is an open-source container management automation system that makes it easy to deploy, scale, and manage containerized applications across multiple hosts. Kubernetes is based on the concept of container orchestration, where a Kubernetes instance coordinates the deployment and management of containers across multiple nodes within a cluster.

Basic access control in Kubernetes can be handled through Attribute-Based Access Control (ABAC), but other, more advanced authorization modes exist, including Role-Based Access Control (RBAC). Role-based access control is an advanced security feature that lets you define specific roles within the system and assign specific permissions to those roles. This allows IT teams to manage access to Kubernetes components in a granular way, tailored to the role of each user or group of users.

In essence, role-based access control in Kubernetes helps ensure that only authorized people have access to system resources, such as cluster nodes and running containers. This helps protect the system against both external and internal attacks, including those that aim to create backdoors or perform malicious activities such as cryptocurrency mining.

Here are the Kubernetes RBAC issues

“The attackers also deployed DaemonSets to take over and hijack the resources of the K8s clusters they attacked,” cloud security firm Aqua said in a report. The Israeli firm, which dubbed the campaign the RBAC Buster attack, uncovered 60 exposed K8s clusters that were exploited by the threat actor behind it.

The series of hacks began with the attacker gaining initial access through a misconfigured API server, followed by checking for any evidence of competing malware miners on the compromised server, and then using RBAC to configure persistence.

“The attacker created a new ClusterRole with quasi-admin privileges,” the company said. “Next, the attacker created a ‘ServiceAccount’, ‘kube-controller’, in the ‘kube-system’ namespace. Finally, the attacker created a ‘ClusterRoleBinding’, binding the ClusterRole with the ServiceAccount to create a strong and unsuspecting persistence.”

In the observed intrusion against its K8s honeypots, the attacker attempted to use exposed AWS access keys to gain a firm grip on the environment, steal data, and break out of cluster boundaries.

The last step of the attack involved the threat actor creating a DaemonSet to deploy a Docker-hosted container image (“kubernetesio/kube-controller:1.0.1”) to all nodes. The container, which has been downloaded 14,399 times since it was uploaded five months ago, contains a cryptocurrency miner.
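As an added defender-side example (not code from this article or from Aqua), the check below scans ClusterRoles and ClusterRoleBindings in the JSON shape that `kubectl get clusterroles,clusterrolebindings -o json` returns and flags any ServiceAccount bound cluster-wide to a quasi-admin ClusterRole, which is the persistence pattern described above. The role and binding names and the sample objects are constructed, since the report does not give them.

```python
WILDCARD = "*"

def is_quasi_admin(role):
    """True if any rule grants every verb on every resource (or on secrets)."""
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if WILDCARD in verbs and (WILDCARD in resources or "secrets" in resources):
            return True
    return False

def suspicious_bindings(roles, bindings):
    """Return (binding, namespace/serviceaccount, clusterrole) for each SA bound to a quasi-admin role."""
    admin_roles = {r["metadata"]["name"] for r in roles if is_quasi_admin(r)}
    hits = []
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in admin_roles:
            continue
        for s in b.get("subjects", []):
            if s.get("kind") == "ServiceAccount":  # Group/User subjects are reviewed elsewhere
                hits.append((b["metadata"]["name"], f"{s.get('namespace')}/{s['name']}", ref["name"]))
    return hits

# Constructed sample, shaped like the items of `kubectl get clusterroles -o json`.
SAMPLE_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    # Hypothetical role mirroring the quasi-admin ClusterRole the report describes.
    {"metadata": {"name": "kube-controller"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard", "namespace": "monitoring"}]},
    {"metadata": {"name": "kube-controller-binding"},  # hypothetical binding name
     "roleRef": {"kind": "ClusterRole", "name": "kube-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller", "namespace": "kube-system"}]},
]

if __name__ == "__main__":
    for hit in suspicious_bindings(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print("REVIEW: binding %s binds %s to ClusterRole %s" % hit)
```

A legitimate `system:masters` group binding is not flagged, and a ServiceAccount in `kube-system` bound to a wildcard role is exactly the thing to compare against your known control-plane accounts.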

“The container image named ‘kubernetesio/kube-controller’ is a case of typosquatting, impersonating the legitimate account ‘kubernetesio’,” Aqua said. “The image also mimics the popular ‘kube-controller-manager’ container image, which is a critical control plane component, running inside a Pod on each master node, responsible for detecting and responding to node failures.”

Interestingly, some of the tactics featured in the campaign bear similarities to another illicit cryptocurrency mining operation that also exploited DaemonSets to mine Dero and Monero. It is currently unclear whether the two sets of attacks are related.