{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kube-system/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Kubernetes"],"_cs_severities":["medium"],"_cs_tags":["kubernetes","pod","kube-system","container"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers can exploit the trust associated with the kube-system namespace in Kubernetes to deploy malicious pods. By naming these pods similarly to legitimate system pods (e.g., kube-proxy-bv61v), they attempt to blend in and avoid detection. This technique leverages the fact that system pods created by controllers like Deployments or DaemonSets have random suffixes in their names, making it difficult to distinguish malicious pods from legitimate ones based on naming conventions alone. The deployment of a backdoor container in the kube-system namespace alongside other administrative containers poses a significant risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eCompromise a Kubernetes cluster with sufficient privileges to deploy pods.\u003c/li\u003e\n\u003cli\u003eIdentify existing pods in the kube-system namespace, noting naming conventions and suffixes.\u003c/li\u003e\n\u003cli\u003eCraft a pod manifest for a malicious container, naming it to resemble a legitimate system pod (e.g., kube-proxy-xxxx).\u003c/li\u003e\n\u003cli\u003eDeploy the malicious pod to the kube-system namespace using kubectl apply -f \u0026lt;pod_manifest.yaml\u0026gt;.\u003c/li\u003e\n\u003cli\u003eThe malicious pod executes its intended function, such as establishing a reverse shell or providing unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the malicious pod is recreated if deleted, possibly via a custom controller.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement to other resources within the cluster from the compromised pod.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or denial of service, using the compromised pod as a base of operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deployment of malicious pods in the kube-system namespace can lead to a range of impacts, including unauthorized access to sensitive resources, data exfiltration, and denial of service. This can compromise the entire Kubernetes cluster and any applications it hosts. The number of affected systems depends on the scope of the compromised cluster, but it could potentially impact all applications and data within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCreation Of Pod In System Namespace\u003c/code\u003e to your SIEM to detect suspicious pod creations in the kube-system namespace.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eCreation Of Pod In System Namespace\u003c/code\u003e Sigma rule to determine if the pod creation is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eImplement strong RBAC policies to limit the ability of users and service accounts to create pods in the kube-system namespace.\u003c/li\u003e\n\u003cli\u003eRegularly audit pod deployments in the kube-system namespace to identify any unauthorized or suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-07T14:23:50Z","date_published":"2024-11-07T14:23:50Z","id":"/briefs/2024-11-kubernetes-pod-creation/","summary":"An attacker may deploy a pod within the kube-system namespace in Kubernetes to mimic legitimate system pods and evade detection.","title":"Suspicious Pod Creation in Kubernetes System Namespace","url":"https://feed.craftedsignal.io/briefs/2024-11-kubernetes-pod-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Kube-System","version":"https://jsonfeed.org/version/1.1"}