A few weeks ago the US and UK authorities issued a joint alert warning that the Russian GRU group known as APT28 has been running a global brute-force campaign against private organizations and government institutions, using a Kubernetes cluster of its own as the infrastructure from which the attacks were launched. The group used password spraying to obtain valid credentials and, once it had them, used those accounts to get into the organizations' cloud services and on-premises servers, exploiting known vulnerabilities to escalate privileges and move further into the network.
Diagram of the tactics employed by the attackers in the campaign launched from their Kubernetes cluster. Source: NSA/CISA/FBI/NCSC joint advisory.
Container Risks for Applications
Kubernetes is an open-source platform for managing containerized workloads and services, in the cloud or on-premises. Containers are a form of operating-system-level virtualization used to run everything from microservices to large-scale applications: everything the application needs is packaged inside the container image (binaries, libraries and configuration files), while all containers on a host share that host's kernel, unlike virtual machines.
It is a very useful tool for developers and IT professionals, because applications can be tested in containers without major changes to the environment, and the containers can be organized into clusters, ported across platforms and scaled up or down.
But like any platform, it can be abused by attackers. A study published last June found that 89% of CISOs are concerned that microservices, containers and Kubernetes have cybersecurity "blind spots", because containers can evade traditional monitoring by being isolated from the general environment where the OS and non-containerized applications run. In the recent campaign the attackers turned that to their own advantage: a cluster of their own let them spread password-spraying attempts across many source addresses, so that no single address trips the account-lockout or rate-limiting thresholds that would catch a conventional brute-force attack.
MFA and complete network security
Password spraying is a brute-force variant in which a single, commonly used password is tried against many accounts before moving on to the next password. Spreading the attempts across accounts (and, in this campaign, across source addresses) keeps every account below its lockout threshold, so the attack is much quieter than hammering one account. Attackers often use it as the first step in gaining access to a system. It only succeeds where some targeted account has a weak, common or unchanged default password, but as this incident shows, and as the Citrix breach of 2019 showed before it, that is still common enough to make the technique worthwhile.
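The difference between the two patterns is what a detection rule has to key on: brute force is one account with many failures, spraying is many accounts with one or two failures each, and a distributed spray like the one in the advisory keeps each source address under the per-IP threshold as well. The following detector is an added example (not WatchGuard's code and not from the advisory): the log format, the sample lines and the thresholds are constructed for illustration, and it buckets failures into fixed windows rather than using a sliding window to keep the logic short.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed log format for this example: timestamp, result, user, source IP.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")

# Constructed sample: one source hammering 'admin' (brute force), four sources each
# trying two different accounts once (distributed spray), and one user who mistypes
# a password and then logs in normally an hour and a half later.
SAMPLE_LOG = """
2021-07-01T10:00:01Z FAIL user=admin src=203.0.113.10
2021-07-01T10:00:03Z FAIL user=admin src=203.0.113.10
2021-07-01T10:00:05Z FAIL user=admin src=203.0.113.10
2021-07-01T10:00:07Z FAIL user=admin src=203.0.113.10
2021-07-01T10:00:09Z FAIL user=admin src=203.0.113.10
2021-07-01T10:00:11Z FAIL user=admin src=203.0.113.10
2021-07-01T10:02:00Z FAIL user=u01 src=198.51.100.1
2021-07-01T10:02:01Z FAIL user=u02 src=198.51.100.2
2021-07-01T10:02:02Z FAIL user=u03 src=198.51.100.3
2021-07-01T10:02:03Z FAIL user=u04 src=198.51.100.4
2021-07-01T10:02:04Z FAIL user=u05 src=198.51.100.1
2021-07-01T10:02:05Z FAIL user=u06 src=198.51.100.2
2021-07-01T10:02:06Z FAIL user=u07 src=198.51.100.3
2021-07-01T10:02:07Z FAIL user=u08 src=198.51.100.4
2021-07-01T11:30:00Z FAIL user=bob src=192.0.2.7
2021-07-01T11:30:20Z OK user=bob src=192.0.2.7
"""


def parse_events(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ok": m["result"] == "OK", "user": m["user"], "src": m["src"]})
    return events


def detect(events, window_s=600, spray_min_users=5, spray_max_per_user=2,
           brute_min_attempts=5, distributed_min_sources=3):
    """Classify failed logins per fixed time window. Thresholds are illustrative."""
    findings = {"brute_force": [], "spray_sources": [], "distributed_spray": []}
    buckets = defaultdict(list)
    for e in events:
        if not e["ok"]:
            buckets[int(e["ts"].timestamp()) // window_s].append(e)

    for bucket, fails in sorted(buckets.items()):
        per_pair = Counter((e["src"], e["user"]) for e in fails)   # failures per (source, account)
        per_user = Counter(e["user"] for e in fails)               # failures per account, all sources
        users_by_src = defaultdict(set)
        for src, user in per_pair:
            users_by_src[src].add(user)

        # Brute force: one source, one account, many attempts.
        for (src, user), n in per_pair.items():
            if n >= brute_min_attempts:
                findings["brute_force"].append((src, user, n))

        # Spray from a single source: many accounts, at most a couple of attempts each.
        for src, users in users_by_src.items():
            if len(users) >= spray_min_users and all(per_pair[(src, u)] <= spray_max_per_user for u in users):
                findings["spray_sources"].append((src, len(users)))

        # Distributed spray: the same low-and-slow pattern, but spread over several sources
        # so that no single source reaches the per-source threshold above.
        low_users = {u for u, n in per_user.items() if n <= spray_max_per_user}
        low_srcs = {e["src"] for e in fails if e["user"] in low_users}
        if len(low_users) >= spray_min_users and len(low_srcs) >= distributed_min_sources:
            findings["distributed_spray"].append(
                {"window_start": bucket * window_s, "users": len(low_users), "sources": len(low_srcs)})
    return findings


if __name__ == "__main__":
    for kind, hits in detect(parse_events(SAMPLE_LOG)).items():
        print(kind, hits)
```

On the sample, the per-source spray rule finds nothing (every source touched only two accounts), which is exactly why the global rule is needed: across sources there are eight accounts with one failure each, and that is the distributed spray. Bob's single failure in a later window produces no finding.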
Therefore, to prevent attacks like this one, MSPs must implement a proper password policy in the organizations they manage: passwords that are long, unique to each service, not guessable from the user's or organization's name, and screened against lists of common and previously breached passwords. Forced periodic changes are no longer recommended (NIST SP 800-63B advises against arbitrary rotation); passwords should be changed when there is evidence they have been compromised. At WatchGuard we address this and, in fact, we highlight that in 81% of incidents hackers took advantage of weak or stolen passwords.
However, these best practices are not enough. A strong password policy defeats spraying only if every account follows it, and a group with APT28's resources can keep a campaign running for months from many source addresses, waiting for the one account that does not. And no matter how strong a password is, if it has been reused on another service that was breached and the credentials were posted on the dark web, it can be used against the organization in a credential-stuffing attack.
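The policy described two paragraphs up and the leaked-credential risk just described are both addressed by the same control: screen every new password against a breach corpus without sending the password anywhere. The usual way to do that is a k-anonymity range query, where the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally. The following is an added example, not WatchGuard's or AuthPoint's code: the breach corpus is a constructed stand-in with made-up counts, the range lookup is served from a local dictionary instead of a network service, and the 12-character minimum is an assumption for this example.

```python
import hashlib

# Constructed stand-in for a compromised-credential corpus (hypothetical passwords and counts).
BREACHED_PASSWORDS = {
    "Password123": 500000,
    "Summer2021!": 12000,
    "Welcome1": 90000,
    "correcthorsebatterystaple": 3,
}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus by 5-character hash prefix, mirroring a range-query service's layout."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_upper(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def lookup_range(prefix: str):
    """Local stand-in for the k-anonymity range query: only the prefix ever leaves the client."""
    return RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password: str, query=lookup_range) -> int:
    """Return how many times the password appears in the corpus, 0 if never seen."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:          # full-hash match done locally
            return int(count)
    return 0


def check_password(password: str, username: str = "", min_length: int = 12):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    n = breach_count(password)
    if n:
        problems.append(f"appears in breach corpus ({n} times)")
    return problems


if __name__ == "__main__":
    for pw, user in [("Password123", "alice"), ("correcthorsebatterystaple", "alice"),
                     ("alice-likes-long-passphrases", "alice"), ("MarbleKettleOrchid27", "alice")]:
        print(pw, "->", check_password(pw, user) or "ok")
```

The length rule is deliberately last in importance: "correcthorsebatterystaple" passes it comfortably and is still rejected, because a password that has already appeared in a breach is exactly what a credential-stuffing list contains, however long it is.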
To remove these password risks, WatchGuard AuthPoint provides several multi-factor authentication (MFA) methods for users, from its mobile app, which binds the authentication to the device through its mobile-device DNA, to hardware tokens that generate time-based one-time passwords (OTP) valid for 30 seconds. All of these make it extremely difficult for an attacker to break into the network with nothing more than a password. Moreover, AuthPoint sends a push-notification alert if a user's password has been found in a leak.
In addition, WatchGuard Firebox advanced firewall appliances help block intrusions such as APT28's, thanks to high-performance security that provides full visibility across the network. This enables MSPs to detect and block unauthorized access attempts against the organizations they manage, including attempts launched from external infrastructure such as an attacker-controlled Kubernetes cluster.