New Module and type: Kubernetes

Today is a special day for us at BinaryEdge. We are celebrating our graduation from the Cylon cybersecurity accelerator and with that we decided to release a new feature.

We're happy to announce a new module and data type on our platform. Kubernetes.

(The numbers shown on this blogpost are only of a sample of the data, please check the platform over the next few hours and days for more data while it is being imported)

SaaS and Enterprise clients can now go into the portal and in the hosts tab use the following queries:

type:kubernetes

k8s-auth

This query will show all kubernetes found, those with authentication and without.

But what if we want to take a look at just those that had no authentication at all ?

type:kubernetes AND kubernetes.auth_required:false

k8s-no-auth

With this query you can see the list of pods the cluster is hosting.

This module will now be used on 4 ports across the entire IPv4: 443, 6443, 8443,8080.

As an enterprise client you will see these on the realtime firehose with the events containing a lot of information about the cluster. For more on this you can see the documentation here

What if I want to find cryptominers?

Essentially what we see is that there are multiple "miner" images being loaded. One example of this as mentioned on this blogpost

To look for this on the BinaryEdge platform

type:kubernetes AND kubernetes.auth_required:false y1ee115

k8s-miners

Why kubernetes?

Out of all the technologies we have been looking into, that we don't have modules for, kubernetes is at the top in terms of growth of use. We've reported to multiple F100 companies about their exposed clusters, we have seen clusters being infected with cryptomining bots.

What about the secrets?

For those of you that don't know, kubernetes clusters have a part called "secrets" these are essentially where usernames, passwords, tokens get saved to be used by the pods. We've decided not to publish this data as it wouldn't help anyone improve their security. The data shown is enough for clients to identify their exposure and fix their systems.

Acknowledgement

We would like to thank Random Robbie for helping us in the creation of this module. He has been doing amazing work reporting Kubernetes clusters on bug bounty platforms to companies and was a huge asset when working alongside us on building this module.

Uncategorized