Kubernetes RBAC abused to create persistent cluster backdoors
Security News, April 2023
Attackers are using a novel technique that abuses Kubernetes Role-Based Access Control (RBAC) to create persistent backdoor accounts on clusters and hijack their compute resources for Monero crypto-mining.
RBAC is a Kubernetes API access control system allowing admins to define which users or service accounts can access API resources and operations.
Initial access to the target cluster is gained through unauthenticated requests from anonymous users that have been granted privileges, which requires a misconfigured API server.
Finally, the attacker creates a ClusterRoleBinding named 'system:controller:kube-controller', binding a ClusterRole to a ServiceAccount so that the access persists in the cluster even if anonymous user access is later disabled.
The repercussions of the RBAC Buster attacks on Kubernetes clusters can be significant and include unauthorized access to data, exposure of secrets, resource hijacking, and potentially even reputation damage.
To mitigate the threat, secure the API server by disallowing unauthenticated requests from anonymous users and create and enforce strict API access policies by using RBAC effectively.
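As an added example (not code from the original report), the following Python script audits the output of `kubectl get clusterrolebindings -o json` for the indicators described above: a binding that borrows the reserved `system:` name prefix but lacks the `kubernetes.io/bootstrapping: rbac-defaults` label that every API-server-installed default binding carries, any grant to the `system:anonymous` user or `system:unauthenticated` group, and `cluster-admin` bound to anything other than the built-in `system:masters` group. The sample input is constructed; the role name `example-attacker-role` and ServiceAccount `example-sa` are placeholders, while the binding name `system:controller:kube-controller` is the one the report describes.

```python
"""Audit Kubernetes ClusterRoleBindings for RBAC-persistence indicators.

Input is the JSON produced by `kubectl get clusterrolebindings -o json`
(a List whose items are ClusterRoleBinding objects). The sample below is
constructed for this example and does not come from a real cluster.
"""
import json

# Every default RBAC object installed by the API server carries this label;
# a binding that imitates the reserved "system:" prefix but lacks it was
# created by someone else.
BOOTSTRAP_LABEL = "kubernetes.io/bootstrapping"
BOOTSTRAP_VALUE = "rbac-defaults"

# Subjects that represent requests carrying no credentials at all.
ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}


def audit_bindings(doc):
    """Return a list of (binding_name, reason) findings for a kubectl List."""
    findings = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        labels = meta.get("labels") or {}
        role = item.get("roleRef", {}).get("name", "")
        subjects = item.get("subjects") or []

        # 1. Reserved "system:" name without the bootstrap label: an impostor
        #    binding hiding among the genuine controller bindings.
        if name.startswith("system:") and labels.get(BOOTSTRAP_LABEL) != BOOTSTRAP_VALUE:
            findings.append((name, "system: prefix without rbac-defaults label"))

        for subj in subjects:
            sname = subj.get("name", "")
            kind = subj.get("kind", "")
            # 2. Any grant to unauthenticated callers.
            if sname in ANONYMOUS_SUBJECTS:
                findings.append((name, f"grants {role} to {sname}"))
            # 3. cluster-admin to anything other than the built-in system:masters group.
            if role == "cluster-admin" and not (kind == "Group" and sname == "system:masters"):
                findings.append((name, f"cluster-admin granted to {kind}/{sname}"))
    return findings


# Constructed sample: one legitimate default binding, one impostor binding
# named like a controller binding, and one binding that hands cluster-admin
# to unauthenticated users. Role/ServiceAccount names marked "example-" are placeholders.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "system:controller:deployment-controller",
                "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"}},
   "roleRef": {"kind": "ClusterRole", "name": "system:controller:deployment-controller"},
   "subjects": [{"kind": "ServiceAccount", "name": "deployment-controller", "namespace": "kube-system"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "system:controller:kube-controller"},
   "roleRef": {"kind": "ClusterRole", "name": "example-attacker-role"},
   "subjects": [{"kind": "ServiceAccount", "name": "example-sa", "namespace": "kube-system"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "open-door"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]}
]}
""")

if __name__ == "__main__":
    for binding, reason in audit_bindings(SAMPLE):
        print(f"{binding}: {reason}")
```

Run it against a live cluster by piping `kubectl get clusterrolebindings -o json` into `json.load` in place of `SAMPLE`. The anonymous-subject check corresponds to the first mitigation above: on the server side the same exposure is closed by running kube-apiserver with `--anonymous-auth=false`, and the audit then confirms no RBAC grant still names anonymous subjects.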