Unit 42 Researchers Detected a New Malware Campaign Targeting Kubernetes Clusters
Report summary from Palo Alto Networks:
"In January 2021, Unit 42 researchers detected a new malware campaign targeting Kubernetes clusters. The attackers gained initial access via a misconfigured kubelet that allowed anonymous access. Once getting a foothold into a Kubernetes cluster, the malware attempted to spread over as many containers as possible and eventually launched cryptojacking operations. Based on the tactics, techniques and procedures (TTP) that the attackers used, we believe this is a new campaign from TeamTNT. We refer to this new malware as Hildegard, the username of the tmate account that the malware used."
Cyber experts from Vulcan Cyber and nVisium weighed-in on this new research:
Tal Morgenstern, Co-Founder and CPO at Vulcan Cyber, a remediation intelligence provider:
“In this complex attack, threat actors are leveraging a combination of Kubernetes misconfigurations and known vulnerabilities. DevOps and IT teams must closely coordinate with their counterparts in security to prioritize remediation especially for external-facing assets and high-risk vulnerabilities. It is very possible to quickly secure Kubernetes. The remedies are available, but it takes work, focus and cross-team collaboration to get fix done and prevent these kinds of attacks.”
Jack Mannino, CEO at nVisium, a Falls Church, Virginia-based application security provider:
“This attack leveraged a common Kubernetes misconfiguration to gain persistence within the cluster. Combined with weakness in access control and isolation, this is a good way to gain a foothold into a cluster and establish command and control. As more production workloads move to cloud native, the complexity of securing clusters, software development pipelines, and cloud architectures becomes incredibly difficult, as the attack surface significantly expands.”