Poisoned image to K8s to cloud

Type

Incident

Actors

❓Unknown

Pub. date

May 25, 2023

Initial access

End-user compromise

Impact

None

Targeted technologies

K8s Worker Node Docker

References

https://www.virusbulletin.com/conference/vb2023/abstracts/tales-cloud-csirt-lets-deep-dive-kubernetes-k8s-infection/

Status

Stub

Last edited

Jun 2, 2024 8:02 AM

[…] a real example of an AWS Kubernetes cluster infection through a software development supply chain compromise. The attackers were able to get AWS credentials from a DevOps workstation and use them to introduce a poisoned docker image into a Kubernetes cluster. It allowed them to move laterally within the cluster and to the cloud provider, retrieving secrets, passwords, tokens, and a bunch of other data. […] able to detect them just in time, as the attackers had retrieved secrets that would have allowed them to move laterally to other companies or execute a new docker image with nastier results.