Attack Chain

1. Initial Access: An attacker identifies a publicly exposed AI application endpoint (e.g., Mage AI, MCP server, kagent) on a Kubernetes cluster.
2. Unauthenticated Access: The attacker accesses the application without authentication due to missing or weak authentication mechanisms.
3. Command Execution (Mage AI): If targeting Mage AI, the attacker uses the exposed web UI to execute shell commands within the application’s environment, leveraging the mounted service account.
4. Privilege Escalation (Mage AI): The attacker leverages the highly privileged service account (bound to cluster-admin roles by default) to gain cluster-wide administrative access.
5. Lateral Movement (kagent): If targeting kagent, the attacker interacts with the AI agent (e.g., k8s-agent) to perform operations on the Kubernetes cluster.
6. Credential Access (kagent): The attacker uses the AI agent to exfiltrate credentials (e.g., Azure OpenAI API keys) from other workloads running on the cluster.
7. Malicious Configuration (kagent): The attacker configures malicious models and AI agents within the kagent application for persistence or further malicious activities.
8. Impact: The attacker achieves remote code execution, steals sensitive data, and gains unauthorized access to internal tools and operational capabilities, potentially leading to full compromise of the Kubernetes cluster and connected cloud resources.

Impact

Exploitable misconfigurations in AI applications can lead to significant damage, including remote code execution, credential theft, and unauthorized access to sensitive data. Defender for Cloud signals indicate that more than half of cloud-native workload exploitations stem from misconfigurations. Exposed MCP servers have allowed unauthenticated access to sensitive internal tools like ticketing systems, HR systems, and private code repositories. In the case of Mage AI, default configurations led to internet-accessible shell access with high privileges. Successful exploitation can lead to full compromise of Kubernetes clusters and connected cloud resources.

Recommendation

• Enable authentication on all AI application endpoints, including MCP servers, Mage AI, and kagent, to prevent unauthenticated access.
• Review and restrict service account permissions in Kubernetes to follow the principle of least privilege, mitigating the impact of compromised applications (reference: Mage AI cluster-admin role).
• Deploy the Sigma rule “Detect Publicly Exposed Kubernetes Services” to identify potentially vulnerable AI application deployments.
• Enable Microsoft Defender for Cloud to detect exposed Kubernetes services and unsafe deployment patterns.
• For kagent deployments, ensure proper authentication is configured and restrict the AI agent’s access to sensitive resources to prevent credential exfiltration (reference: Azure OpenAI API keys).
• Patch Mage AI deployments to versions where authentication is enabled by default (if not already done).