Threat Feed
Advisory severity: medium

Suspicious Pod Creation in Kubernetes System Namespace

An attacker may deploy a pod within the kube-system namespace in Kubernetes to mimic legitimate system pods and evade detection.

Attackers can exploit the trust associated with the kube-system namespace in Kubernetes to deploy malicious pods. By naming these pods similarly to legitimate system pods (e.g., kube-proxy-bv61v), they attempt to blend in and avoid detection. This technique leverages the fact that system pods created by controllers like Deployments or DaemonSets have random suffixes in their names, making it difficult to distinguish malicious pods from legitimate ones based on naming conventions alone. The deployment of a backdoor container in the kube-system namespace alongside other administrative containers poses a significant risk.

Attack Chain

  1. Compromise a Kubernetes cluster with sufficient privileges to deploy pods.
  2. Identify existing pods in the kube-system namespace, noting naming conventions and suffixes.
  3. Craft a pod manifest for a malicious container, naming it to resemble a legitimate system pod (e.g., kube-proxy-xxxx).
  4. Deploy the malicious pod to the kube-system namespace using kubectl apply -f <pod_manifest.yaml>.
  5. The malicious pod executes its intended function, such as establishing a reverse shell or providing unauthorized access.
  6. The attacker maintains persistence by ensuring the malicious pod is recreated if deleted, possibly via a custom controller.
  7. The attacker performs lateral movement to other resources within the cluster from the compromised pod.
  8. The attacker achieves their objective, such as data exfiltration or denial of service, using the compromised pod as a base of operations.

Impact

Successful deployment of malicious pods in the kube-system namespace can lead to a range of impacts, including unauthorized access to sensitive resources, data exfiltration, and denial of service. This can compromise the entire Kubernetes cluster and any applications it hosts. The number of affected systems depends on the scope of the compromised cluster, but it could potentially impact all applications and data within the environment.

Recommendation

  • Deploy the Sigma rule Creation Of Pod In System Namespace to your SIEM to detect suspicious pod creations in the kube-system namespace.
  • Investigate any alerts generated by the Creation Of Pod In System Namespace Sigma rule to determine if the pod creation is legitimate or malicious.
  • Implement strong RBAC policies to limit the ability of users and service accounts to create pods in the kube-system namespace.
  • Regularly audit pod deployments in the kube-system namespace to identify any unauthorized or suspicious activity.

Detection coverage (2 rules)

Creation Of Pod In System Namespace

medium

Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.

Rule type: sigma | Tactics: stealth | Techniques: T1036.005 | Log sources: application, kubernetes, audit

Suspicious Pod Creation with Common System Pod Name

high

Detects pod creation events in the kube-system namespace whose pod names mimic common system pod names.

Rule type: sigma | Tactics: stealth | Techniques: T1036.005 | Log sources: application, kubernetes, audit
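The two rules above are described only in prose here. As an added example, not the feed's own Sigma queries, the script below implements the same logic over Kubernetes audit events in the standard audit.k8s.io/v1 JSON-lines format: any successful pod creation in kube-system is reported at medium severity, and a creation whose name mimics a common system pod prefix is raised to high. It also adds one tuning assumption that the advisory does not state: pods created by the controller-manager's own service accounts (DaemonSet, ReplicaSet, Job, StatefulSet controllers) or by a kubelet as a static pod are downgraded to informational, since those are how legitimate kube-proxy, CoreDNS and control-plane pods normally appear. The system pod prefix list and the sample audit lines are constructed for illustration.

```python
"""Classify Kubernetes audit events for pod creation in kube-system.

Added example, not the threat feed's own detection code. Assumes events are
audit.k8s.io/v1 JSON objects, one per line, logged at the ResponseComplete stage.
"""
import json
import re

# Name prefixes of common system pods. Assumed for illustration; tune to the
# add-ons actually running in the cluster.
SYSTEM_POD_PATTERNS = [
    re.compile(r"^" + re.escape(prefix) + r"[a-z0-9-]+$")
    for prefix in ("kube-proxy-", "coredns-", "kube-apiserver-", "kube-scheduler-",
                   "kube-controller-manager-", "etcd-", "metrics-server-")
]

# Principals that legitimately create pods in kube-system: controller-manager
# controller service accounts (DaemonSet/ReplicaSet/Job/StatefulSet) and kubelets
# registering static (mirror) pods as system:node:<name>. Assumed tuning.
EXPECTED_CREATORS = re.compile(
    r"^system:(serviceaccount:kube-system:(daemon-set|replicaset|job|statefulset)-controller"
    r"|node:[a-z0-9.-]+)$"
)


def looks_like_system_pod(name):
    """True if the pod name matches a common system pod naming pattern."""
    return any(p.match(name) for p in SYSTEM_POD_PATTERNS)


def classify(event):
    """Return (severity, summary) for one audit event, or None if it is out of scope."""
    if event.get("stage") != "ResponseComplete":
        return None  # only the completed request carries the final name and status
    ref = event.get("objectRef") or {}
    if event.get("verb") != "create" or ref.get("resource") != "pods":
        return None
    if ref.get("namespace") != "kube-system":
        return None
    if (event.get("responseStatus") or {}).get("code") not in (200, 201):
        return None  # denied or failed creations deserve their own rule, not this one
    user = (event.get("user") or {}).get("username", "<unknown>")
    name = ref.get("name", "<unnamed>")
    if EXPECTED_CREATORS.match(user):
        return ("info", f"controller-created pod {name} by {user}")
    if looks_like_system_pod(name):
        return ("high", f"pod {name} mimics a system pod name, created directly by {user}")
    return ("medium", f"pod {name} created directly in kube-system by {user}")


def scan(lines):
    """Return the medium/high findings for an iterable of JSON audit lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        result = classify(json.loads(line))
        if result and result[0] != "info":
            alerts.append(result)
    return alerts


# Constructed sample audit log: one controller-created kube-proxy pod, one user
# creating a look-alike kube-proxy pod, one user creating an unrelated pod in
# kube-system, one look-alike outside kube-system, and one denied attempt.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:daemon-set-controller"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"kube-proxy-bv61v"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"kube-proxy-x9k2q"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"debug-shell"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"pods","namespace":"default","name":"kube-proxy-abcde"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"coredns-5d78c9869d-q7x2m"},"responseStatus":{"code":403}}
"""

if __name__ == "__main__":
    for severity, summary in scan(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"[{severity}] {summary}")
```

When triaging a medium finding, the creator identity is the first pivot: a human user or an application service account creating pods directly in kube-system is exactly the case the RBAC recommendation above is meant to prevent, so the same audit field also tells you which Role or ClusterRoleBinding granted the permission.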
