Kubernetes Misconfigurations Let Attackers Access Cloud Accounts
Key Takeaways
- Attackers are increasingly exploiting misconfigured Kubernetes clusters to breach cloud environments.
- Telemetry data shows a 282% increase in Kubernetes-related threat operations, including service account token theft, over the past year.
- North Korean state-sponsored group Slow Pisces (Lazarus/TraderTraitor) leveraged a stolen Kubernetes service account token to steal millions from a cryptocurrency exchange.
- The attack chain typically involves gaining container code execution, stealing service account tokens, and using them to pivot into the broader cloud infrastructure.
- Defenders must implement strict RBAC, use short-lived tokens, and deploy robust runtime monitoring and audit log analysis to mitigate these threats.
Attackers Leverage Kubernetes Misconfigurations for Cloud Account Breaches
Kubernetes, a foundational platform for managing containerized applications across enterprises, is increasingly becoming a target for sophisticated threat actors. These adversaries are actively exploiting misconfigurations within Kubernetes clusters to break out of individual containers and gain unauthorized access to the underlying cloud accounts.
Recent telemetry data highlights a significant surge in malicious activity targeting Kubernetes. Over the past year, Kubernetes-related threat operations, particularly those involving service account token theft, have escalated by 282%. The information technology sector bore the brunt of these attacks, accounting for over 78% of all observed incidents, according to a recent report.
From Container to Cloud: A Calculated Escalation
These attacks are not opportunistic but rather highly calculated. Adversaries are moving beyond simple container escapes, instead focusing on abusing weak identity configurations and overly permissive access controls. This allows them to establish an initial foothold and then systematically pivot into core cloud infrastructure.
Analysis of cloud environments in 2025 revealed that approximately 22% exhibited suspicious activity directly linked to service account token theft. The attack methodology typically follows a consistent pattern: achieve code execution within a container, extract mounted credentials, enumerate API permissions, and then pivot towards more valuable cloud resources. Researchers at Unit 42 identified this escalating threat through real-world intrusion cases, demonstrating how the combination of Kubernetes misconfigurations and cloud credential abuse leads to significant financial and operational damage. Their findings illustrate a clear path from a single compromised container to an organization’s critical financial systems, as detailed in their report.
Case Study: Slow Pisces Targets Cryptocurrency Exchange
A notable real-world incident involved the North Korean state-sponsored threat group known as Slow Pisces, also tracked as Lazarus and TraderTraitor. In mid-2025, this group successfully targeted a cryptocurrency exchange. Their initial access was gained by establishing persistence on a developer’s workstation through a spearphishing campaign.
Leveraging the developer’s active and privileged cloud session, the attackers deployed a malicious pod directly into the production Kubernetes cluster. This pod was specifically designed to expose the mounted service account token – a JSON Web Token (JWT) that Kubernetes automatically provides to pods for authentication with its API server.

The stolen token belonged to a highly privileged management service account, granting broad Role-Based Access Control (RBAC) permissions. With this compromised identity, the threat actor authenticated to the Kubernetes API server, enumerated secrets, interacted with workloads across multiple namespaces, and ultimately injected a backdoor into a production pod to maintain persistent access. This incident vividly illustrates how a single misconfigured token can provide an attacker with extensive control over an entire cluster, as outlined in the report.
From Cluster to Cloud: Token Theft in Action
The attack did not conclude at the Kubernetes cluster boundary. Utilizing the elevated privileges associated with the stolen token, the threat actor successfully moved laterally from Kubernetes into the broader cloud platform. They accessed backend systems, exfiltrated sensitive credentials, and ultimately reached the exchange’s financial infrastructure, resulting in the theft of millions in cryptocurrency.
This attack vector aligns with the post-exploitation workflow demonstrated by Peirates, an open-source penetration testing framework. Peirates illustrates how stolen tokens can be used to enumerate secrets, pivot across namespaces, and query cloud metadata services to achieve deeper compromise.

Another significant incident involved the critical vulnerability CVE-2025-55182, dubbed React2Shell, found in React Server Components. The flaw was publicly disclosed on December 3, 2025, and active exploitation targeting cloud services began within two days. Attackers leveraged insecure deserialization within the React Server Components flight protocol to execute code inside application containers. From this foothold, they harvested service account tokens, queried the Kubernetes API, and collected cloud credentials from environment variables. This allowed them to pivot into the cloud account, where they installed backdoors and deployed cryptominers.
What You Should Do
- Enforce Least Privilege with RBAC: Implement strict Role-Based Access Control (RBAC) policies, avoiding the use of wildcard permissions across service account roles to minimize the potential impact of a compromised account.
- Utilize Short-Lived Tokens: Replace long-lived static tokens with short-lived, projected service account tokens that automatically expire. This significantly reduces the window of opportunity and value of any stolen credentials.
- Implement Runtime Monitoring: Deploy runtime monitoring tools that can detect and flag unusual process execution, unexpected outbound connections, and unauthorized access to sensitive system paths within containers. This can halt malicious activity before it escalates to the cloud layer.
- Enable and Review Kubernetes Audit Logs: Ensure Kubernetes audit logs are always enabled and regularly reviewed. These logs capture crucial early indicators of API misuse, token access, and lateral movement across namespaces, providing vital forensic data for incident response.
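The following script is an added example, not code from the report or from HackersRadar, showing how a defender can check three of the recommendations above in practice: flag wildcard rules in a Role/ClusterRole, confirm that a mounted service account token carries an expiry (a legacy non-expiring token has no `exp` claim), and scan Kubernetes audit-log events for a service account reading secrets across several namespaces, the pattern described in the Slow Pisces case. The role manifest, the tokens, and the audit events are all constructed samples; the service account names, namespaces and timestamps in them are invented for illustration.

```python
"""Defensive checks for RBAC wildcards, token lifetime and audit-log review.

All sample inputs below are constructed for this example; none come from a
real cluster. Audit events follow the audit.k8s.io/v1 Event shape (verb,
user.username, objectRef.resource, objectRef.namespace).
"""
import base64
import json
from collections import defaultdict

# --- 1. RBAC: flag rules that grant wildcard verbs or resources --------------

def find_wildcard_rules(role: dict) -> list:
    """Return (verbs, resources) pairs in a Role/ClusterRole that use '*'."""
    findings = []
    for rule in role.get("rules", []):
        verbs = rule.get("verbs", [])
        resources = rule.get("resources", [])
        if "*" in verbs or "*" in resources:
            findings.append((tuple(verbs), tuple(resources)))
    return findings

# --- 2. Tokens: read the lifetime encoded in a service account JWT ----------

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_lifetime_seconds(token: str):
    """Lifetime (exp - iat) of a JWT, or None for a legacy token with no 'exp'.

    The signature is deliberately not verified: this inspects the claims of
    a token from our own cluster to see whether it is short-lived, it does
    not authenticate anything.
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    if "exp" not in payload:
        return None
    return payload["exp"] - payload["iat"]

# --- 3. Audit logs: a service account reading secrets in many namespaces ---

def find_cross_namespace_secret_enumeration(audit_lines, min_namespaces=2):
    """Group get/list requests on secrets by caller and report service
    accounts that touched secrets in at least `min_namespaces` namespaces."""
    namespaces_by_user = defaultdict(set)
    for line in audit_lines:
        event = json.loads(line)
        obj = event.get("objectRef", {})
        user = event.get("user", {}).get("username", "")
        if (obj.get("resource") == "secrets"
                and event.get("verb") in ("list", "get")
                and user.startswith("system:serviceaccount:")):
            namespaces_by_user[user].add(obj.get("namespace"))
    return {user: sorted(ns) for user, ns in namespaces_by_user.items()
            if len(ns) >= min_namespaces}

# --- Constructed sample inputs (hypothetical names, not real cluster data) --

SAMPLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "mgmt-admin"},          # constructed name
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},  # the bad one
    ],
}

def _unsigned_sample_jwt(payload: dict) -> str:
    """Build a structurally valid JWT with a placeholder signature (test data)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"

SAMPLE_LEGACY_TOKEN = _unsigned_sample_jwt({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:prod:legacy-sa",  # no 'exp': never expires
})
SAMPLE_PROJECTED_TOKEN = _unsigned_sample_jwt({
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:prod:app-sa",
    "iat": 1750000000, "exp": 1750003600,           # one-hour lifetime
})

def _event(verb, user, resource, namespace):
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "verb": verb, "user": {"username": user},
                       "objectRef": {"resource": resource, "namespace": namespace}})

SA_MGMT = "system:serviceaccount:kube-system:mgmt-admin"
SA_APP = "system:serviceaccount:prod:app-sa"
SAMPLE_AUDIT_LINES = [
    _event("list", SA_MGMT, "secrets", "prod"),
    _event("get", SA_MGMT, "secrets", "payments"),
    _event("list", SA_MGMT, "secrets", "kube-system"),
    _event("get", SA_APP, "secrets", "prod"),           # single namespace: normal
    _event("list", "alice@example.com", "secrets", "prod"),  # human user, skipped
    _event("list", SA_APP, "pods", "payments"),          # not a secret read
]

if __name__ == "__main__":
    print("wildcard rules:", find_wildcard_rules(SAMPLE_ROLE))
    print("legacy token lifetime:", token_lifetime_seconds(SAMPLE_LEGACY_TOKEN))
    print("projected token lifetime:", token_lifetime_seconds(SAMPLE_PROJECTED_TOKEN))
    print("cross-namespace secret reads:",
          find_cross_namespace_secret_enumeration(SAMPLE_AUDIT_LINES))
```

On a real cluster the role manifests would come from `kubectl get clusterroles -o json`, the token from a pod's mounted projected volume, and the audit lines from the API server's audit log file or webhook backend; the three functions take those inputs unchanged. The cross-namespace threshold is a starting point, not a rule: a controller that legitimately reads secrets everywhere should be put on an allow list rather than raising the threshold for everyone.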
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.