Prepare to Be Boarded! A Tale of Kubernetes, Plunder, and Cryptobooty

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 7, 2019, 9:30 a.m. (30 minutes)

How are Kubernetes cluster’s being compromised in the wild? Come to this talk to find out! There aren’t a whole lot of public reports on successful attacks against Kubernetes clusters, so I plan to demystify how these occur. In this talk, I will walk through the compromise of a Kubernetes honeypot. (You will be surprised at how long it took!). Next, I expand this research to survey other Kubernetes clusters for signs of similar compromise. I will share research on how hundreds of other clusters have been compromised from multiple threat actors. Join me for a tale of Kubernetes, plunder, and cryptobooty.

Presenters:

• James Condon
  James Condon is Director of Research at Lacework. James is a security veteran with over 10 years of experience in incident response, intelligence analysis, and automated threat detection. James was previously Director of Threat Research at ProtectWise (acquired by Verizon), an Incident Analyst for Mandiant, and a Special Agent in USAF OSI.

Links:

• https://infocon.org/cons/DerbyCon/DerbyCon 9 2019/Prepare to Be Boarded A Tale of Kubernetes Plunder and Cryptobooty James Condon.mp4
• https://infocon.org/cons/DerbyCon/DerbyCon 9 2019/Prepare to Be Boarded A Tale of Kubernetes Plunder and Cryptobooty James Condon.eng.srt (subtitles)
• https://www.youtube.com/watch?v=BwxyU2DLKiE

Similar Presentations:

• Canterbury Hacker Camp (2022) / Attack on Kubernetes
• HushCon Seattle 2019 / Down the sinkhole with kubernetes
• ToorCon San Diego 20 (2018) / Hacking and Hardening Kubernetes