{"id":816,"date":"2023-04-30T13:32:03","date_gmt":"2023-04-30T08:02:03","guid":{"rendered":"https:\/\/www.kubetools.io\/?p=816"},"modified":"2023-05-03T11:10:48","modified_gmt":"2023-05-03T05:40:48","slug":"kubestalk-uncovering-hidden-security-risks-in-your-kubernetes-clusters","status":"publish","type":"post","link":"https:\/\/www.kubetools.io\/kubestalk-uncovering-hidden-security-risks-in-your-kubernetes-clusters\/","title":{"rendered":"Kubestalk: Uncovering Hidden Security Risks in Your Kubernetes Clusters"},"content":{"rendered":"
Kubernetes<\/a> is a popular container orchestration platform used to deploy, scale and manage containerized applications. Kubestalk is a tool that integrates with Kubernetes to help you manage Kubernetes resources using GitOps principles. In this blog, we will provide an introduction to Kubestalk, discuss how to install it, and explore real-world use cases with code snippets in YAML.<\/p>\n Kubestalk<\/a> is an open-source GitOps tool for Kubernetes, developed by the Kubestalk team. It allows you to manage Kubernetes resources using GitOps principles, which means that all configuration changes are made through code stored in Git. This approach provides a number of benefits, including version control, collaboration, and automated deployments.<\/p>\n Kubestalk works by watching a Git repository for changes to configuration files, and then applying those changes to a Kubernetes cluster. This allows you to use Git as the single source of truth for your Kubernetes resources, and makes it easy to roll back changes if necessary.<\/p>\n First things first, let us get a quick understanding of the working architecture of Kubernetes.<\/p>\n A Kubernetes cluster consists of a set of worker machines, called nodes, that run containerized applications. A pod is the smallest unit in Kubernetes, hosting one or more containers. A control plane\/master node manages the worker nodes and the pods in the cluster.<\/p>\n The control plane includes components such as:<\/p>\n A few components on each node maintain the running pods and provide a runtime environment to them:<\/p>\n The initial idea was to cover the basic components of Kubernetes instances. However, the attack surface gradually widened during the course of the research.<\/p>\n The scanning spanned a period of 59 hours, distributed across many nodes spread across the internet. The United States alone accounted for almost 57% of the total exposures, followed by Germany, Belgium, Ireland, Singapore and Japan. 
Findings showed around 61% of the exposures were hosted in public clouds, with Google Cloud Platform (GCP) leading with the highest exposure count.<\/p>\n Most affected versions \u2013 v1.21 and v1.22.<\/p>\n An architectural overview of the tool is depicted in the flowchart below:<\/p>\n <\/a><\/p>\n Additional Attack Surface \u2013 Kubernetes Management Components<\/p>\n Apart from the regular default components, we discovered developers using additional software to manage their Kubernetes infrastructure, which also poses a significant security risk if misconfigured. cAdvisor is a container metric engine that provides developers with an overview of their resource usage and the performance of their containers.<\/p>\n The software exposes a Web UI for viewing the resource metrics. It includes system processes, CPU, memory, network and filesystem usage statistics.<\/p>\n We found a total of 23,101 unauthenticated cAdvisor dashboards exposed.<\/p>\n The deep analysis of compromised clusters revealed the presence of adversaries deploying malicious cryptominers inside the compromised clusters.<\/p>\n It was discovered that many instances had traces and IoCs of the Hildegard malware. Furthermore, a script attributed to TeamTNT was found on one of the instances, which had a detection rate of zero on VirusTotal.<\/p>\n From an attacker's point of view, gaining code execution (RCE) in a running container through unsecured API servers or Kubelets is possible.<\/p>\n KubeStalk is written in Python and requires the requests library. To install the tool, you can clone the repository to any directory:<\/p>\n Once cloned, you need to install the requests library using python3 -m pip install requests or:<\/p>\n Everything is set up and you can use the tool directly.<\/p>\n A list of command-line arguments supported by the tool can be displayed using the -h flag.<\/p>\n To use the tool, you can pass one or more hosts to the script. 
Kubestalk is a powerful tool for identifying security vulnerabilities in Kubernetes clusters and the external tools used to manage them.<\/p>\n Its various modules enable security teams to assess different areas of a Kubernetes environment, including the nodes, containers, and network.<\/p>\n Additionally, Kubestalk can detect various types of threats, such as misconfigurations, privilege escalations, and malware. It is important to note that Kubestalk should not be the only security tool used and that regular security assessments should be conducted to ensure the ongoing protection of Kubernetes environments.<\/p>\n","protected":false},"author":4,"featured_media":820,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,9,15],"tags":[11],"_links":{"self":[{"href":"https:\/\/www.kubetools.io\/wp-json\/wp\/v2\/posts\/816"}],"collection":[{"href":"https:\/\/www.kubetools.io\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kubetools.io\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kubetools.io\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kubetools.io\/wp-json\/wp\/v2\/comments?post=816"}],"version-history":[{"count":5,"href":"https:\/\/www.kubetools.io\/wp-json\/wp\/v2\/posts\/816\/revisions"}],"predecessor-version":[{"id":824,"href":"https:\/\/www.kubetools.io\/wp-json\/wp\/v2\/posts\/816\/revisions\/824"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kubetools.io\/wp-json\/wp\/v2\/media\/820"}],"wp:attachment":[{"href":"https:\/\/www.kubetools.io\/wp-json\/wp\/v2\/media?parent=816"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kubetools.io\/wp-json\/wp\/v2\/categories?post=816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kubetools.io\/wp-json\/wp\/v2\/tags?post=816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<\/a>Introduction to Kubestalk<\/h2>\n
<\/a>Mapping the Attack Surface<\/h2>\n
<\/a>Working Architecture<\/h2>\n
<\/a>Kubernetes Core Architecture<\/h3>\n
<\/a>Kubestalk Methodology<\/h2>\n
\nWe broke down our findings into two major parts.<\/p>\n\n
\nLet’s take a look at one component.<\/p>\n<\/a>cAdvisor<\/h2>\n
<\/a>Deep Analysis of Compromised Clusters<\/h2>\n
<\/a>How script works<\/h2>\n
<\/a>A Hacker’s Point of View<\/h2>\n
curl -sk 'https:\/\/<ip>:10250\/pods' | jq -r '.items[] | \"Pod: \\(.metadata.name)\\tNamespace: \\(.metadata.namespace)\\tContainer: \\(.spec.containers[].name)\"'\r\n<\/code><\/pre>\n
<\/a>Installation of Kubestalk<\/h2>\n
git clone https:\/\/github.com\/redhuntlabs\/kubestalk\r\n<\/code><\/pre>\n
python3 -m pip install -r requirements.txt\r\n<\/code><\/pre>\n
<\/a>Command-line Arguments<\/h2>\n
$ python3 kubestalk.py -h\r\n\r\n +---------------------+\r\n | K U B E S T A L K |\r\n +---------------------+ v0.1\r\n\r\n[!] KubeStalk by RedHunt Labs - A Modern Attack Surface (ASM) Management Company\r\n[!] Author: 0xInfection (RHL Research Team)\r\n[!] Continuously Track Your Attack Surface using https:\/\/redhuntlabs.com\/nvadr.\r\n\r\nusage: .\/kubestalk.py <url(s)>\/<cidr>\r\n\r\nRequired Arguments:\r\n urls List of hosts to scan\r\n\r\nOptional Arguments:\r\n -o OUTPUT, --output OUTPUT\r\n Output path to write the CSV file to\r\n -f SIG_FILE, --sig-dir SIG_FILE\r\n Signature directory path to load\r\n -t TIMEOUT, --timeout TIMEOUT\r\n HTTP timeout value in seconds\r\n -ua USER_AGENT, --user-agent USER_AGENT\r\n User agent header to set in HTTP requests\r\n --concurrency CONCURRENCY\r\n No. of hosts to process simultaneously\r\n --verify-ssl Verify SSL certificates\r\n --version Display the version of KubeStalk and exit.\r\n<\/code><\/pre>\n
<\/a>Basic Usage<\/h2>\n
\nA basic usage is as below:<\/p>\n$ python3 kubestalk.py https:\/\/\u2588\u2588\u2588.\u2588\u2588.\u2588\u2588.\u2588\u2588\u2588:10250\r\n\r\n +---------------------+\r\n | K U B E S T A L K |\r\n +---------------------+ v0.1\r\n\r\n[!] KubeStalk by RedHunt Labs - A Modern Attack Surface (ASM) Management Company\r\n[!] Author: 0xInfection (RHL Research Team)\r\n[!] Continuously Track Your Attack Surface using https:\/\/redhuntlabs.com\/nvadr.\r\n\r\n[+] Loaded 10 signatures to scan.\r\n[*] Processing host: https:\/\/\u2588\u2588\u2588.\u2588\u2588.\u2588\u2588.\u2588\u2588:10250\r\n[!] Found potential issue on https:\/\/\u2588\u2588\u2588.\u2588\u2588.\u2588\u2588.\u2588\u2588:10250: Kubernetes Pod List Exposure\r\n[*] Writing results to output file.\r\n[+] Done.\r\n<\/code><\/pre>\n
<\/a>Conclusion<\/h2>\n
\nBy using Kubestalk, organizations can proactively identify and remediate security risks in their Kubernetes clusters, ultimately improving the overall security posture of their infrastructure.<\/p>\nLearn More:<\/h2>\n