Attackers don't need to be geniuses to attack Kubernetes instances. But good practices can block them.

September 22, 2021

Last week I read an article about an attack, and I was shocked by the "academic" aspect of the attack.

Attackers take open-source tools, use them as is, and it works! In a nutshell, how do they proceed?

  1. Scan the Internet to discover misconfigured/unconfigured services. With an open-source tool like masscan, they can scan the whole Internet in 2 hours.
  2. Retrieve passwords on a local machine. Once again, with an open-source tool like LaZagne they retrieve a lot of passwords from plaintext, APIs, databases…
  3. Install a coin miner to make $$$.

They have already infected more than 5000 victims. Don’t be the next one on the list.

So how do you protect your infrastructure? It is just like real life: you need visibility (a surveillance camera) and some rules (a security policy).

What is Kubernetes visibility?

You need to know what is running across your whole Kubernetes infrastructure, which can be very complex and multi-cloud. With the VMware Carbon Black centralized dashboard, you have visibility into all your K8s clusters and their network settings. For example, in a configuration where there is only one load balancer in the network topology, if a new Internet access is created by mistake, you will see it immediately.

Secondly, you need to set policies based on rules. Of course, you don’t know everything about Kubernetes, which is why we provide policy templates to help you detect and block dangerous behaviors. In a crypto-mining attack, the main risk is that the miner uses all your CPUs, so you can enforce the practice of setting a CPU quota on all your containers.
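
An added example, not part of the original post and not VMware Carbon Black code: a short Python audit that applies the two checks described above (a CPU limit on every container, and no unexpected Internet-facing Service) to cluster state exported as JSON. The sample objects are constructed, and the function names and the allowlist are assumptions made for the illustration.

```python
import json

# Constructed sample, shaped like `kubectl get pods,services -A -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Pod", "metadata": {"namespace": "shop", "name": "web-1"},
  "spec": {"containers": [
   {"name": "nginx", "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
   {"name": "sidecar", "resources": {"requests": {"cpu": "100m"}}}]}},
 {"kind": "Pod", "metadata": {"namespace": "batch", "name": "job-7"},
  "spec": {"initContainers": [{"name": "fetch"}],
           "containers": [{"name": "worker", "resources": {"limits": {"cpu": "2"}}}]}},
 {"kind": "Service", "metadata": {"namespace": "shop", "name": "web"},
  "spec": {"type": "LoadBalancer"}},
 {"kind": "Service", "metadata": {"namespace": "batch", "name": "debug"},
  "spec": {"type": "NodePort"}},
 {"kind": "Service", "metadata": {"namespace": "shop", "name": "db"},
  "spec": {"type": "ClusterIP"}}
]}
""")["items"]

EXTERNAL_TYPES = {"LoadBalancer", "NodePort"}  # Service types reachable from outside

def containers_without_cpu_limit(items):
    """List namespace/pod/container for every container lacking limits.cpu."""
    findings = []
    for pod in (o for o in items if o.get("kind") == "Pod"):
        meta, spec = pod["metadata"], pod.get("spec", {})
        # Init containers can burn CPU too; a request alone is not a cap.
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if "cpu" not in ((c.get("resources") or {}).get("limits") or {}):
                findings.append(f'{meta["namespace"]}/{meta["name"]}/{c["name"]}')
    return findings

def unexpected_exposure(items, allowed):
    """List externally reachable Services that are not on the allowlist."""
    exposed = []
    for svc in (o for o in items if o.get("kind") == "Service"):
        key = f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'
        stype = svc.get("spec", {}).get("type", "ClusterIP")
        if stype in EXTERNAL_TYPES and key not in allowed:
            exposed.append((key, stype))
    return exposed

if __name__ == "__main__":
    print(containers_without_cpu_limit(SAMPLE))
    print(unexpected_exposure(SAMPLE, allowed={"shop/web"}))
```

Run on a schedule against a live export, the second check gives the same signal as the single-load-balancer topology described earlier: any Service outside the allowlist that becomes reachable from outside the cluster shows up in the result.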


And because new vulnerabilities are discovered every day, our vulnerability scanner can help reduce your attack surface by highlighting vulnerabilities and identifying available fixes. An analogy in the physical world would be doing maintenance on a leaking pipe.

Conclusion

With Kubernetes, it is easy to set up new services for your organizations and your customers, but a misconfiguration can open the door to attacks in a very short time, so don’t forget to close the door of your house!

Stéphane List

Staff Technical Marketing Architect, VMware Security. Stéphane has over twenty years’ experience in open source. He has worked in both development and sales roles in France for large companies and startups. He has participated in the development of many different Linux projects, from mobile phones to firewalls. Now with 10 years’ experience in security, he is an architect at VMware Carbon Black for Linux and container security.