Kubernetes Misconfigurations Let Attackers Access Cloud Accounts

David Kimber
April 7, 2026

Key Takeaways

  • Attackers are increasingly exploiting misconfigured Kubernetes clusters to breach cloud environments.
  • Telemetry data shows a 282% increase in Kubernetes-related threat operations, including service account token theft, over the past year.
  • North Korean state-sponsored group Slow Pisces (Lazarus/TraderTraitor) leveraged a stolen Kubernetes service account token to steal millions from a cryptocurrency exchange.
  • The attack chain typically involves gaining container code execution, stealing service account tokens, and using them to pivot into the broader cloud infrastructure.
  • Defenders must implement strict RBAC, use short-lived tokens, and deploy robust runtime monitoring and audit log analysis to mitigate these threats.

Attackers Leverage Kubernetes Misconfigurations for Cloud Account Breaches

Kubernetes, a foundational platform for managing containerized applications across enterprises, is increasingly becoming a target for sophisticated threat actors. These adversaries are actively exploiting misconfigurations within Kubernetes clusters to break out of individual containers and gain unauthorized access to the underlying cloud accounts.

Recent telemetry data highlights a significant surge in malicious activity targeting Kubernetes. Over the past year, Kubernetes-related threat operations, particularly those involving service account token theft, have escalated by 282%. The information technology sector bore the brunt of these attacks, accounting for over 78% of all observed incidents, according to a recent report.

From Container to Cloud: A Calculated Escalation

These attacks are not opportunistic but rather highly calculated. Adversaries are moving beyond simple container escapes, instead focusing on abusing weak identity configurations and overly permissive access controls. This allows them to establish an initial foothold and then systematically pivot into core cloud infrastructure.

Analysis of cloud environments in 2025 revealed that approximately 22% exhibited suspicious activity directly linked to service account token theft. The attack methodology typically follows a consistent pattern: achieve code execution within a container, extract mounted credentials, enumerate API permissions, and then pivot towards more valuable cloud resources. Researchers at Unit 42 identified this escalating threat through real-world intrusion cases, demonstrating how the combination of Kubernetes misconfigurations and cloud credential abuse leads to significant financial and operational damage. Their findings illustrate a clear path from a single compromised container to an organization’s critical financial systems, as detailed in their report.

Case Study: Slow Pisces Targets Cryptocurrency Exchange

A notable real-world incident involved the North Korean state-sponsored threat group known as Slow Pisces, also tracked as Lazarus and TraderTraitor. In mid-2025, this group successfully targeted a cryptocurrency exchange. Their initial access was gained by establishing persistence on a developer’s workstation through a spearphishing campaign.

Leveraging the developer’s active and privileged cloud session, the attackers deployed a malicious pod directly into the production Kubernetes cluster. This pod was specifically designed to expose the mounted service account token – a JSON Web Token (JWT) that Kubernetes automatically provides to pods for authentication with its API server.

Cryptocurrency Incident Flow with Kubernetes Compromise (Source: Unit 42)

The stolen token belonged to a highly privileged management service account, granting broad Role-Based Access Control (RBAC) permissions. With this compromised identity, the threat actor authenticated to the Kubernetes API server, enumerated secrets, interacted with workloads across multiple namespaces, and ultimately injected a backdoor into a production pod to maintain persistent access. This incident vividly illustrates how a single misconfigured token can provide an attacker with extensive control over an entire cluster, as outlined in the report.

From Cluster to Cloud: Token Theft in Action

The attack did not conclude at the Kubernetes cluster boundary. Utilizing the elevated privileges associated with the stolen token, the threat actor successfully moved laterally from Kubernetes into the broader cloud platform. They accessed backend systems, exfiltrated sensitive credentials, and ultimately reached the exchange’s financial infrastructure, resulting in the theft of millions in cryptocurrency.

This attack vector aligns with the post-exploitation workflow demonstrated by Peirates, an open-source penetration testing framework. Peirates illustrates how stolen tokens can be used to enumerate secrets, pivot across namespaces, and query cloud metadata services to achieve deeper compromise.

Sample Peirates Menu Showing Available Post-Exploitation Techniques (Source: Unit 42)

Another significant incident involved CVE-2025-55182, dubbed React2Shell, a critical vulnerability in React Server Components. It was publicly disclosed on December 3, 2025, and active exploitation targeting cloud services began within two days. Attackers leveraged insecure deserialization in the React Server Components Flight protocol to execute code inside application containers. From that foothold they harvested service account tokens, queried the Kubernetes API, and collected cloud credentials from environment variables, which allowed them to pivot into the cloud account, install backdoors, and deploy cryptominers.

What You Should Do

  • Enforce Least Privilege with RBAC: Implement strict Role-Based Access Control (RBAC) policies, avoiding the use of wildcard permissions across service account roles to minimize the potential impact of a compromised account.
  • Utilize Short-Lived Tokens: Replace long-lived static tokens with short-lived, projected service account tokens that automatically expire. This significantly reduces the window of opportunity and value of any stolen credentials.
  • Implement Runtime Monitoring: Deploy runtime monitoring tools that can detect and flag unusual process execution, unexpected outbound connections, and unauthorized access to sensitive system paths within containers. This can halt malicious activity before it escalates to the cloud layer.
  • Enable and Review Kubernetes Audit Logs: Ensure Kubernetes audit logs are always enabled and regularly reviewed. These logs capture crucial early indicators of API misuse, token access, and lateral movement across namespaces, providing vital forensic data for incident response.
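The last two recommendations above come down to spotting the pattern the article describes (a single service account identity reading Secrets across namespaces, or probing permissions it does not have) in the Kubernetes audit log. The following is an added illustration, not code from the article or from Unit 42's report; it runs over a handful of constructed audit.k8s.io/v1 events and the namespace names, service account names and threshold are made up for the example.

```python
import json
from collections import defaultdict

# Constructed sample audit.k8s.io/v1 events (one JSON object per line); not real log data.
SAMPLE_AUDIT_LOG = """\
{"verb":"get","user":{"username":"system:serviceaccount:web:frontend"},"objectRef":{"resource":"configmaps","namespace":"web"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:ops:mgmt-sa"},"objectRef":{"resource":"secrets","namespace":"ops"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:ops:mgmt-sa"},"objectRef":{"resource":"secrets","namespace":"payments"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:ops:mgmt-sa"},"objectRef":{"resource":"secrets","namespace":"wallet"},"responseStatus":{"code":200}}
{"verb":"create","user":{"username":"system:serviceaccount:ops:mgmt-sa"},"objectRef":{"resource":"pods","namespace":"payments"},"responseStatus":{"code":201}}
{"verb":"list","user":{"username":"system:serviceaccount:web:frontend"},"objectRef":{"resource":"secrets","namespace":"web"},"responseStatus":{"code":403}}
{"verb":"list","user":{"username":"system:serviceaccount:web:frontend"},"objectRef":{"resource":"secrets","namespace":"payments"},"responseStatus":{"code":403}}
{"verb":"list","user":{"username":"system:serviceaccount:web:frontend"},"objectRef":{"resource":"nodes"},"responseStatus":{"code":403}}
"""

SA_PREFIX = "system:serviceaccount:"   # Kubernetes username prefix for service account identities
READ_VERBS = {"get", "list", "watch"}

def sa_home_namespace(username):
    """Return the namespace a service account identity belongs to, or None for non-SA users."""
    if not username.startswith(SA_PREFIX):
        return None
    return username[len(SA_PREFIX):].split(":", 1)[0]

def analyze_audit_log(text, forbidden_threshold=3):
    """Flag SAs that read Secrets outside their own namespace or rack up 403s; returns {user: [findings]}."""
    secret_namespaces = defaultdict(set)   # SA -> namespaces in which it successfully read Secrets
    forbidden = defaultdict(int)           # SA -> number of Forbidden (403) responses
    for line in filter(str.strip, text.splitlines()):
        ev = json.loads(line)
        user = ev.get("user", {}).get("username", "")
        home = sa_home_namespace(user)
        if home is None:
            continue   # only service account identities are in scope for this rule
        ref = ev.get("objectRef", {}) or {}
        code = ev.get("responseStatus", {}).get("code", 0)
        if code == 403:
            forbidden[user] += 1   # repeated 403s look like an attacker enumerating what a token can do
        elif ref.get("resource") == "secrets" and ev.get("verb") in READ_VERBS:
            secret_namespaces[user].add(ref.get("namespace", ""))
    findings = defaultdict(list)
    for user, namespaces in secret_namespaces.items():
        foreign = sorted(ns for ns in namespaces if ns != sa_home_namespace(user))
        if foreign:   # cross-namespace Secret reads are the pivot pattern described above
            findings[user].append("secrets read outside home namespace: " + ", ".join(foreign))
    for user, count in forbidden.items():
        if count >= forbidden_threshold:
            findings[user].append(f"{count} forbidden responses (possible permission enumeration)")
    return dict(findings)
```

Feed it real audit events by pointing `analyze_audit_log` at the audit log file contents; a backend that also records `sourceIPs` lets you extend the rule to flag a service account token being used from outside the pod network.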
