NSA, CISA Release Guidance on Kubernetes SecurityAgencies Spell Out Steps to Mitigate Risks
The National Security Agency and the Cybersecurity and Infrastructure Security Agency have released new guidance on Kubernetes security, providing advice on securing container environments from supply chain threats, insider threats and data exfiltration risks.
The guidance, released on Tuesday, reviews the security challenges in Kubernetes environments and describes hardening strategies for these infrastructures. These include such measures such as adopting network separation, deploying authentication and implementing misconfiguration management.
"The report details recommendations to harden Kubernetes systems," the agencies note. "Primary actions include the scanning of containers and pods for vulnerabilities or misconfigurations, and using network separation, strong authentication and log auditing. Although this guidance is tailored to national security systems and critical infrastructure organizations, administrators of federal and state, local, tribal and territorial government networks are also encouraged to implement the recommendations provided."
Kubernetes is an open-source container-orchestration system used to automate deploying, scaling and managing containerized applications. The agencies note that hackers target Kubernetes for data theft and denial-of-service attacks. They describe risks, including:
- Supply chain risks: A vulnerable container or application from a third-party service provider can provide threat actors a foothold in the cluster. Hackers can compromise software and hardware that host Kubernetes, including worker nodes or systems that are part of the control plane, to gain access to the cluster.
- Remote access risks: Hackers can exploit vulnerabilities in Kubernetes clusters to gain remote access through exposed APIs in control panels and take over the system. The threat actors can also exploit flaws in worker nodes that host the kubelet and kube-proxy service that exists outside of the control panel to gain access. Attackers can exploit vulnerabilities in containerized applications that are outside of the cluster to make them remotely accessible. The attackers can then use these compromised devices for privilege escalation within the cluster.
- Insider threats: Attackers can exploit access given to Kubernetes administrators, users and cloud service or infrastructure providers to physically access the systems and compromise the Kubernetes environment.
The guidance recommends several steps that can be taken to strengthen Kubernetes containers. These include:
- Scanning containers and pods for vulnerabilities or misconfigurations and running them with the least privileges possible;
- Using network separation to control the extent of damage in case of a compromise;
- Deploying firewalls to limit unauthorized network connectivity and encryption to protect confidentiality;
- Using strong authentication and authorization to limit user and administrator access as well as to minimize the attack surface;
- Periodically reviewing all Kubernetes settings and scanning for vulnerabilities to appropriately account for risks and then apply patches accordingly;
- Performing log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
The NSA and CISA also warn that threat actors have been leveraging the computational power of Kubernetes for cryptomining attacks.
In July, security firm Intezer uncovered a hacking campaign that targeted Kubernetes environments using misconfigured Argo Workflows to deploy cryptominers (see: Hackers Target Kubernetes Using Misconfigured Argo Workflows).
In June, researchers at Palo Alto Networks' Unit 42 reported on a TeamTNT campaign that targeted Kubernetes clusters and created new malware called Black-T that integrated with open-source cloud-native tools to assist in their cryptojacking operations (see: TeamTNT Reportedly Eyes Credentials of AWS, Google Cloud).
Another report by Unit 42 described a malware variant that targeted poorly protected or misconfigured Windows containers to access Kubernetes clusters (see: Siloscape Malware Reportedly Targeting Windows Containers).