Hacking Kubernetes: Live Demo Marathon

It starts with one malicious NPM package and ends with cloud account takeover. This live demo shows the entire attack path.

#1about 8 minutes

Understanding the Kubernetes threat landscape and adversaries

Threat modeling helps build appropriate security controls by identifying potential adversaries, from script kiddies to organized crime.

#2about 3 minutes

Demonstrating a supply chain attack using NPM hooks

A malicious NPM package can use a preinstall hook to execute arbitrary code and exfiltrate sensitive files like SSH or cloud keys from a developer's machine.

#3about 12 minutes

Gaining a reverse shell through pod misconfigurations

An attacker can gain a reverse shell and break out of a container by exploiting pod misconfigurations like privileged mode and sharing the host PID namespace.

#4about 9 minutes

Executing a container breakout using the Dirty Pipe vulnerability

The Dirty Pipe vulnerability allows an unprivileged user to overwrite root-owned files, enabling a container breakout by patching the runc binary in memory.

#5about 7 minutes

Pivoting post-breakout to steal secrets from other pods

After gaining root on a node, an attacker can pivot by enumerating the host filesystem to find and steal secrets mounted into other pods running on the same node.

#6about 5 minutes

Using canary tokens as a last line of defense

Embedding canary tokens, which are credentials with no permissions, provides a tripwire that triggers an intrusion detection alert when an attacker attempts to use them.