|
Resource Hijacking: Compute Hijacking - EKS
AWS Specific Sub-Technique
Other sub-techniques of Resource Hijacking (9)
AWS Specific Content
A prerequisite for this technique is that a threat actor has already gained access to a running container within an Amazon EKS cluster or has obtained Kubernetes API credentials with permissions to create or modify workloads.
Threat actors may deploy cryptomining containers within a compromised EKS cluster to hijack compute resources. After gaining initial access through an application-layer vulnerability, the threat actor escalates privileges within the cluster typically by accessing overly permissive service account tokens or creating new cluster role bindings and then deploys pods running cryptomining software.
Threat actors may also modify cluster configuration using mutating admission webhooks, which can inject additional containers or environment variables into pods at admission time, so that newly created pods are compromised at startup. This establishes persistence that survives individual container restarts. The cost of the compute resources is attributed to the compromised account.
This technique is related to the existing Compute Hijacking - ECS (T1496.A006) and Compute Hijacking - EC2 Use (T1496.A008) techniques. The distinction is that EKS compute hijacking involves Kubernetes-specific escalation paths RBAC abuse, cluster role bindings, webhook manipulation that are not present in EC2 or ECS hijacking scenarios.
Detection
AWS Specific Content
Amazon EKS control plane audit logs will show create operations on pods, deployments, or daemonsets by unexpected service accounts or principals. Monitor for pod creation with resource requests for high CPU or GPU allocations, particularly in namespaces not typically used for compute-intensive workloads.
If Amazon GuardDuty is configured with EKS Protection, findings such as CryptoCurrency:EC2/BitcoinTool.B!DNS (DNS queries to cryptocurrency mining pools from EKS nodes) and Impact:Kubernetes/MaliciousIPCaller.Custom may be generated. GuardDuty EKS Runtime Monitoring can detect cryptomining processes running within containers.
To confirm whether a threat actor is expanding compute capacity for mining, monitor for
eks:CreateNodegroup and eks:UpdateNodegroupConfig calls that scale up node groups with unusually large instance types. Correlating these API calls with runtime process data from GuardDuty EKS Runtime Monitoring provides a stronger signal than API calls alone.Mitigation
AWS Specific Content
Enforce Pod Security Standards with the restricted profile by applying the label
pod-security.kubernetes.io/enforce: restricted to namespace metadata. The Kubernetes API server will reject pods that do not meet the restricted profile at admission time, preventing privileged containers and host access.Restrict pod creation permissions using RBAC. Principals that do not need to create pods should not have that permission. A principal with unrestricted pod creation can deploy a privileged pod with a hostPath volume mount, effectively gaining root access to the underlying node.
Implement resource quotas and limit ranges on namespaces to cap CPU and memory consumption per pod and per namespace.
Apply least-privilege RBAC policies. Avoid granting cluster-admin to workload service accounts and restrict access to
mutatingwebhookconfigurations and validatingwebhookconfigurations to only cluster administrators.Enable Amazon GuardDuty with EKS Protection and EKS Runtime Monitoring to detect cryptomining activity. Enable EKS control plane logging (all four log types) to provide visibility into Kubernetes API activity for investigation.