{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/admission-controller/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["kubernetes","admission-controller","privilege-escalation","persistence","credential-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Kubernetes admission controller is a crucial component that governs API requests to a Kubernetes cluster. Attackers can modify mutating or validating webhook configurations to intercept and manipulate these requests. By creating, updating, or replacing these configurations, adversaries can inject malicious code, alter resource definitions, or even exfiltrate sensitive information like access credentials. This activity can lead to privilege escalation, persistence within the cluster, and ultimately, a compromise of the entire Kubernetes environment. The attacks are typically stealthy as they operate within the legitimate Kubernetes API framework, making detection challenging. This behavior is particularly concerning for organizations relying on Kubernetes for critical applications and sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the Kubernetes cluster, potentially through compromised credentials or a vulnerability in a deployed application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates existing admission controller configurations (mutatingwebhookconfigurations and validatingwebhookconfigurations) to identify potential targets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration Modification:\u003c/strong\u003e The attacker uses \u003ccode\u003ekubectl\u003c/code\u003e or the Kubernetes API to create, update, or replace a webhook configuration. This involves crafting a malicious webhook that will intercept API requests.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWebhook Deployment:\u003c/strong\u003e The malicious webhook is deployed as a service within the Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAPI Interception:\u003c/strong\u003e When a user or application makes an API request that matches the webhook\u0026rsquo;s defined rules, the webhook intercepts the request.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Code Injection:\u003c/strong\u003e The webhook injects malicious code or alters the API request to achieve the attacker\u0026rsquo;s objectives (e.g., granting unauthorized permissions, modifying resource configurations).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence/Privilege Escalation/Credential Access:\u003c/strong\u003e Depending on the injected code, the attacker achieves persistence by ensuring malicious code is always present, escalates privileges by modifying role bindings, or accesses credentials by intercepting secret creation requests.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Exfiltration:\u003c/strong\u003e The attacker leverages their gained access to move laterally within the cluster or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Kubernetes admission controllers can have severe consequences. This can result in unauthorized access to sensitive data, complete cluster compromise, and denial of service. The impact ranges from data breaches and service disruptions to long-term persistence within the environment, allowing attackers to maintain control over the cluster. The stealthy nature of this attack makes it difficult to detect, potentially allowing attackers to operate undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Kubernetes Admission Controller Modification\u0026rdquo; to your SIEM and tune it for your environment to detect suspicious modifications to webhook configurations (logsource: kubernetes, service: audit).\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes audit logs for \u003ccode\u003ecreate\u003c/code\u003e, \u003ccode\u003edelete\u003c/code\u003e, \u003ccode\u003epatch\u003c/code\u003e, \u003ccode\u003ereplace\u003c/code\u003e, and \u003ccode\u003eupdate\u003c/code\u003e verbs on \u003ccode\u003emutatingwebhookconfigurations\u003c/code\u003e and \u003ccode\u003evalidatingwebhookconfigurations\u003c/code\u003e resources (logsource: kubernetes, service: audit).\u003c/li\u003e\n\u003cli\u003eImplement strong RBAC policies to limit access to Kubernetes API resources and prevent unauthorized modification of admission controller configurations.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit existing admission controller configurations to identify any unexpected or malicious webhooks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-01T12:00:00Z","date_published":"2024-11-01T12:00:00Z","id":"/briefs/2024-11-kubernetes-admission-controller-modification/","summary":"An adversary modifies Kubernetes admission controller configurations to achieve persistence, escalate privileges, or gain unauthorized access to credentials within the cluster.","title":"Kubernetes Admission Controller Modification","url":"https://feed.craftedsignal.io/briefs/2024-11-kubernetes-admission-controller-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["azure","kubernetes","admission-controller","persistence","privilege-escalation","credential-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eKubernetes Admission Controllers are critical components that intercept and potentially modify requests to the Kubernetes API server. These controllers rely on admission webhooks (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) deployed within the cluster. A malicious actor can abuse these webhooks to establish persistence by modifying pod creation operations and injecting malicious containers into new pods via MutatingAdmissionWebhook. Alternatively, ValidatingAdmissionWebhook can be used to intercept API server requests, potentially exposing secrets and sensitive information. This activity allows for credential access and privilege escalation, impacting the overall security posture of the Kubernetes cluster.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Azure Kubernetes cluster, possibly through compromised credentials or a vulnerability in a deployed application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the existing Admission Controller configuration within the Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious MutatingAdmissionWebhook configuration to intercept pod creation requests.\u003c/li\u003e\n\u003cli\u003eThe malicious webhook is deployed to the cluster, configured to modify pod specifications.\u003c/li\u003e\n\u003cli\u003eWhen new pods are created, the webhook injects a malicious container into the pod specification before deployment.\u003c/li\u003e\n\u003cli\u003eThe malicious container executes within the newly created pod, providing the attacker with persistent access to the cluster.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a malicious ValidatingAdmissionWebhook to intercept API requests.\u003c/li\u003e\n\u003cli\u003eThe webhook captures sensitive data, such as secrets, and sends it to an attacker-controlled server, resulting in credential access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising the Kubernetes Admission Controller can lead to persistent access within the cluster. The attacker can inject malicious containers into numerous pods, potentially affecting all applications deployed in the cluster. Sensitive information, like secrets, can be stolen, enabling lateral movement and privilege escalation within the Azure environment. The impact ranges from data breaches to complete cluster compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Azure Kubernetes Admission Controller Configuration Change\u0026rdquo; to detect unauthorized modifications to Admission Controller configurations in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit existing Admission Controller configurations for any unexpected or malicious webhooks.\u003c/li\u003e\n\u003cli\u003eImplement strong RBAC policies to restrict access to Admission Controller configuration and prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for \u003ccode\u003eMICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO\u003c/code\u003e and \u003ccode\u003eMICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO\u003c/code\u003e operations to identify potential abuse.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-azure-kubernetes-admission-controller/","summary":"An adversary can exploit Kubernetes Admission Controllers in Azure to achieve persistence, privilege escalation, or credential access by manipulating webhook configurations.","title":"Malicious Azure Kubernetes Admission Controller Configuration","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-kubernetes-admission-controller/"}],"language":"en","title":"CraftedSignal Threat Feed — Admission-Controller","version":"https://jsonfeed.org/version/1.1"}