<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Vulnerability-Scan - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/vulnerability-scan/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/vulnerability-scan/feed.xml" rel="self" type="application/rss+xml"/><item><title>Kubernetes Security Scanner Image Pulling Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-kubernetes-scanner-pull/</link><pubDate>Wed, 03 Jan 2024 15:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-kubernetes-scanner-pull/</guid><description>Detection of Kubernetes security scanner images such as kube-hunter, kube-bench, and kube-recon being pulled, indicating potential vulnerability assessment and reconnaissance activity within the Kubernetes environment.</description><content:encoded><![CDATA[<p>This analytic detects the pulling of known Kubernetes security scanner images, specifically kube-hunter, kube-bench, and kube-recon. These tools are often used to identify vulnerabilities within a Kubernetes cluster. The detection leverages Kubernetes logs, specifically monitoring for messages indicating the pulling of these images. While security teams may use these tools for legitimate security assessments, their presence can also signify malicious reconnaissance by an attacker seeking to exploit weaknesses in the Kubernetes environment. The activity was initially observed on 2026-04-15, and the detection logic was published shortly after on 2026-04-17. Defenders should investigate any unauthorized pulling of these images.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains initial access to the Kubernetes environment through various means, such as exploiting a misconfigured service or compromised credentials.</li>
<li><strong>Privilege Escalation:</strong> The attacker attempts to escalate privileges within the cluster to gain broader access to resources and information.</li>
<li><strong>Image Pulling:</strong> The attacker initiates the pulling of security scanner images like kube-hunter, kube-bench, or kube-recon into the Kubernetes environment using <code>kubectl</code> or other Kubernetes management tools.</li>
<li><strong>Reconnaissance:</strong> The attacker executes the security scanner tools within the Kubernetes cluster to identify potential vulnerabilities and misconfigurations. These tools perform automated scans and report findings.</li>
<li><strong>Lateral Movement:</strong> Based on the identified vulnerabilities, the attacker attempts to move laterally within the cluster, accessing sensitive data or compromising other containers and pods.</li>
<li><strong>Data Exfiltration/System Compromise:</strong> The attacker exploits discovered vulnerabilities to exfiltrate sensitive data or compromise critical systems within the Kubernetes cluster.</li>
<li><strong>Persistence:</strong> The attacker establishes persistent access within the cluster to maintain control and potentially re-exploit vulnerabilities in the future.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful execution of this attack chain can lead to the complete compromise of the Kubernetes cluster. This includes the exfiltration of sensitive data, the disruption of services, and the potential for further attacks on connected systems. The impact can range from data breaches and financial losses to reputational damage and legal liabilities. Even if the attacker fails to fully compromise the environment, the reconnaissance phase can expose vulnerabilities that could be exploited in future attacks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Kubernetes Scanner Image Pulling</code> to your SIEM to detect the pulling of known Kubernetes security scanner images.</li>
<li>Investigate any instances of security scanner image pulling to determine if the activity is authorized and legitimate.</li>
<li>Implement strong access control policies and regularly review Kubernetes configurations to minimize the attack surface and prevent unauthorized access to sensitive resources.</li>
<li>Monitor Kubernetes audit logs for suspicious activity and enforce multi-factor authentication to protect against credential compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>kubernetes</category><category>container</category><category>vulnerability-scan</category></item></channel></rss>