TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Palo Alto Unit 42

Understanding Current Threats to Kubernetes Environments

Eyal Rafian and Bill Batchelor · 2026-04-06

ATT&CK techniques detected

65 predictions
T1190 Exploit Public-Facing Application · 99%
“…2Shell, CVE-2025-55182. Another high-profile exploitation of the Kubernetes-to-cloud attack surface was the recent React2Shell vulnerability. This incident reveals how a single application-layer exploit can result in cluster compromise, cloud account exposure and dir…”

T1190 Exploit Public-Facing Application · 97%
“…cycle. T1190 Exploit Public-Facing Application: exploiting vulnerabilities such as React2Shell allows threat actors to bypass authentication and execute code directly inside an application container, establishing initial access within the cluster without requiring credentials …”

T1552.007 Container API · 97%
“network context, and mounted identities. Such access effectively eliminates the boundary between an exposed web application and the cluster itself. Unit 42 coverage of React2Shell shows that various threat groups used this pod runtime access to rapidly extract value from compromi…”

T1528 Steal Application Access Token · 95%
“token use by issuing short-lived, projected service account tokens. By binding tokens to a pod’s lifetime and limiting their validity window, teams significantly reduce the value of token theft. Threat actors who steal projected tokens gain only brief, narrowly-scoped acces…”

T1552.007 Container API · 95%
“…2Shell exploitation attempt that we observed. In this example, the threat actor attempted to retrieve and execute a generic dropper script to deliver second-stage payloads. This pattern of exploit and follow-on activity is used as the initial access vector that enables subs…”

T1190 Exploit Public-Facing Application · 95%
“environment variable exfiltration that is consistent with the cloud and Kubernetes intrusions that we observed during this event, as noted in Figure 2. Figure 3 shows an example of an attempt observed by Unit 42 to download, execute and subsequently delete a backdoor masquerading…”

T1552.007 Container API · 94%
“operations. In both operations, Slow Pisces leveraged stolen cloud identity tokens to assume administrative roles, enabling direct control over smart contract logic and hot-wallet scripts. From one exchange to another in mid-2025, we observed a sophisticated intrusion at anot…”

T1613 Container and Resource Discovery · 93%
“enables threat actors to read sensitive files directly from the node filesystem, including credentials and configuration data. - Off-menu general-purpose post-exploitation utilities. Allows threat actors to run arbitrary kubectl commands across multiple authorization contex…”

T1552.007 Container API · 93%
“2025 and early 2026 shows that this technique is increasingly used for automated threat actor credential harvesting. The alert data reflecting this activity is detailed in Appendix A. Modern malware frameworks now perform environment harvesting at execution time to specifically h…”

T1190 Exploit Public-Facing Application · 93%
“- React2Shell (CVE-2025-55182): attacks targeting cloud services were observed within two days of the public disclosure of this critical vulnerability. We provide a breakdown of how threat actors exploited this public-facing application vulnerability to execute commands …”

T1528 Steal Application Access Token · 92%
“access token. The command reads the token from the pod’s filesystem and exfiltrates it to a remote command and control (C2) server. The token is embedded inside an HTTP header to make the traffic look like a normal authenticated request, as shown below in Figure 7. By exfiltr…”

T1552.007 Container API · 92%
“token use by issuing short-lived, projected service account tokens. By binding tokens to a pod’s lifetime and limiting their validity window, teams significantly reduce the value of token theft. Threat actors who steal projected tokens gain only brief, narrowly-scoped acces…”

T1552.007 Container API · 92%
“access token. The command reads the token from the pod’s filesystem and exfiltrates it to a remote command and control (C2) server. The token is embedded inside an HTTP header to make the traffic look like a normal authenticated request, as shown below in Figure 7. By exfiltr…”

T1613 Container and Resource Discovery · 90%
“Peirates. These frameworks depend on overly permissive configurations and limited runtime visibility to rapidly enumerate privileges, steal credentials, and escalate access after initial compromise. Detection hinges on visibility – especially into Kubernetes audit logs – for iden…”

T1552.007 Container API · 89%
“Understanding Current Threats to Kubernetes Environments. Executive Summary. The rapid adoption of container orchestration has positioned Kubernetes as a high-value target for adversaries seeking to compromise enterprise-scale environments. Our telemetry reveals that Kubernetes…”

T1610 Deploy Container · 89%
“IC3) - Pod Security Standards – Kubernetes - Understanding the threat landscape for Kubernetes and containerized assets | Microsoft Security Blog – Microsoft Security - Exploit Public-Facing Application, Technique T1190 - Enterprise – MITRE ATT&CK® - Steal Application Access…”

T1552.007 Container API · 87%
“to evade detection while it drains secrets. From here, the threat actor's escalation path becomes clear. They move from compromising a pod and stealing the token to using the stolen identity for broader control of the cluster's most critical assets. As the crypto and React2Sh…”

T1552.007 Container API · 86%
“…bernetes post-exploitation research. The retrieved token belonged to a high-privileged management service account with broad RBAC permissions, used by a common CI/CD automation and cluster orchestration system. With this overly permissive identity, the threat actor authen…”

T1610 Deploy Container · 85%
“##0d32f67e10d161f831138e10958dcd88b9dc97038948f69 teampcp proxy. sh - 7d2c9b4a3942f6029d2de7f73723b505b64caa8e1763e4eb1f134360465185d0 teampcp kube. py - bb470a803b6d7b12fb596d2e4a18ea9ca91f40fd34ded7f01a487eed9a1d814d additional resources - bitopro statement & progress update : …”

T1003 OS Credential Dumping · 82%
“February 2025 Bybit heist. Attackers stole approximately $1.5 billion in Ethereum (ETH), making this the largest digital theft in history. The tactics employed in this breach closely mirror identity-scraping techniques that are used to penetrate and pivot within cloud-nat…”

T1613 Container and Resource Discovery · 77%
“containerized environments, allowing for the identification and alerting of vulnerabilities and misconfigurations. The Cortex Cloud agent can provide remediation tasks for identified base level container images. - Cortex Cloud uses the Known Exploited Vulnerabilities (KEV) modu…”

T1528 Steal Application Access Token · 76%
“Understanding Current Threats to Kubernetes Environments. Executive Summary. The rapid adoption of container orchestration has positioned Kubernetes as a high-value target for adversaries seeking to compromise enterprise-scale environments. Our telemetry reveals that Kubernetes…”

T1059.013 Container CLI/API · 75%
“##0d32f67e10d161f831138e10958dcd88b9dc97038948f69 teampcp proxy. sh - 7d2c9b4a3942f6029d2de7f73723b505b64caa8e1763e4eb1f134360465185d0 teampcp kube. py - bb470a803b6d7b12fb596d2e4a18ea9ca91f40fd34ded7f01a487eed9a1d814d additional resources - bitopro statement & progress update : …”

T1613 Container and Resource Discovery · 74%
“##0d32f67e10d161f831138e10958dcd88b9dc97038948f69 teampcp proxy. sh - 7d2c9b4a3942f6029d2de7f73723b505b64caa8e1763e4eb1f134360465185d0 teampcp kube. py - bb470a803b6d7b12fb596d2e4a18ea9ca91f40fd34ded7f01a487eed9a1d814d additional resources - bitopro statement & progress update : …”

T1610 Deploy Container · 73%
“scale. It provides automated deployment, service discovery and workload isolation across cloud environments. Like many open-source systems, Kubernetes is also a high-value attack surface that threat actors attempt to exploit in a variety of ways. - Public-facing workloads t…”

T1528 Steal Application Access Token · 73%
“operations. In both operations, Slow Pisces leveraged stolen cloud identity tokens to assume administrative roles, enabling direct control over smart contract logic and hot-wallet scripts. From one exchange to another in mid-2025, we observed a sophisticated intrusion at anot…”

T1613 Container and Resource Discovery · 71%
“validated settings, deep runtime visibility, and strictly limited permissions. These approaches help to transform Kubernetes from a potential exposure point into a highly resilient and defensible platform. Palo Alto Networks customers are better protected from the threats describ…”

T1528 Steal Application Access Token · 70%
“…bernetes post-exploitation research. The retrieved token belonged to a high-privileged management service account with broad RBAC permissions, used by a common CI/CD automation and cluster orchestration system. With this overly permissive identity, the threat actor authen…”

T1059.013 Container CLI/API · 63%
“these actions leaves a distinct trace in the audit logs, indicating changes to Kubernetes resources, unexpected API verbs, or identities performing operations outside their normal behavior. Monitoring identity-driven changes and the creation of suspicious resources allows defen…”

T1190 Exploit Public-Facing Application · 62%
“execution time, rather than what they were intended to do upon deployment. Commercial workload protection and XDR platforms enable this visibility. These tools detect when a workload spawns unexpected shells or utilities, exhibits sustained high CPU usage consistent with cryptomi…”

T1528 Steal Application Access Token · 61%
“environment variables and cloud metadata to pivot across AWS, GCP and Azure. With access to the pod, the threat actor – or their automated implant – reads the token and tests what it can do. The token could belong to a low-privileged workload, but in many real-world attacks, …”

T1610 Deploy Container · 60%
“these actions leaves a distinct trace in the audit logs, indicating changes to Kubernetes resources, unexpected API verbs, or identities performing operations outside their normal behavior. Monitoring identity-driven changes and the creation of suspicious resources allows defen…”

T1525 Implant Internal Image · 60%
“environment variables and cloud metadata to pivot across AWS, GCP and Azure. With access to the pod, the threat actor – or their automated implant – reads the token and tests what it can do. The token could belong to a low-privileged workload, but in many real-world attacks, …”

T1059.013 Container CLI/API · 58%
“IC3) - Pod Security Standards – Kubernetes - Understanding the threat landscape for Kubernetes and containerized assets | Microsoft Security Blog – Microsoft Security - Exploit Public-Facing Application, Technique T1190 - Enterprise – MITRE ATT&CK® - Steal Application Access…”

T1613 Container and Resource Discovery · 54%
“function: - Namespaces, service accounts and roles. Identity and context discovery techniques to enumerate namespaces, pods, and service accounts, switch execution contexts, and test alternative authentication methods, including assumed Identity and Access Management (IAM) role…”

T1613 Container and Resource Discovery · 52%
“to evade detection while it drains secrets. From here, the threat actor's escalation path becomes clear. They move from compromising a pod and stealing the token to using the stolen identity for broader control of the cluster's most critical assets. As the crypto and React2Sh…”

T1059.013 Container CLI/API · 50%
“…bernetes post-exploitation research. The retrieved token belonged to a high-privileged management service account with broad RBAC permissions, used by a common CI/CD automation and cluster orchestration system. With this overly permissive identity, the threat actor authen…”

T1552.007 Container API · 49%
“function: - Namespaces, service accounts and roles. Identity and context discovery techniques to enumerate namespaces, pods, and service accounts, switch execution contexts, and test alternative authentication methods, including assumed Identity and Access Management (IAM) role…”

T1528 Steal Application Access Token · 48%
“…2Shell exploitation attempt that we observed. In this example, the threat actor attempted to retrieve and execute a generic dropper script to deliver second-stage payloads. This pattern of exploit and follow-on activity is used as the initial access vector that enables subs…”

T1528 Steal Application Access Token · 47%
“February 2025 Bybit heist. Attackers stole approximately $1.5 billion in Ethereum (ETH), making this the largest digital theft in history. The tactics employed in this breach closely mirror identity-scraping techniques that are used to penetrate and pivot within cloud-nat…”

T1610 Deploy Container · 46%
“…bernetes post-exploitation research. The retrieved token belonged to a high-privileged management service account with broad RBAC permissions, used by a common CI/CD automation and cluster orchestration system. With this overly permissive identity, the threat actor authen…”

T1059.013 Container CLI/API · 45%
“function: - Namespaces, service accounts and roles. Identity and context discovery techniques to enumerate namespaces, pods, and service accounts, switch execution contexts, and test alternative authentication methods, including assumed Identity and Access Management (IAM) role…”

T1059.013 Container CLI/API · 45%
“enables threat actors to read sensitive files directly from the node filesystem, including credentials and configuration data. - Off-menu general-purpose post-exploitation utilities. Allows threat actors to run arbitrary kubectl commands across multiple authorization contex…”

T1528 Steal Application Access Token · 42%
“…-value workloads or cloud services. When these operations are combined, even small misconfigurations – overly permissive tokens, exposed APIs, or insufficient workload and namespace isolation – could enable threat actors to gain full cluster administrator privileges by leveraging…”

T1059.013 Container CLI/API · 42%
“scale. It provides automated deployment, service discovery and workload isolation across cloud environments. Like many open-source systems, Kubernetes is also a high-value attack surface that threat actors attempt to exploit in a variety of ways. - Public-facing workloads t…”

T1613 Container and Resource Discovery · 41%
“these actions leaves a distinct trace in the audit logs, indicating changes to Kubernetes resources, unexpected API verbs, or identities performing operations outside their normal behavior. Monitoring identity-driven changes and the creation of suspicious resources allows defen…”

T1613 Container and Resource Discovery · 41%
“…rrelate suspicious patterns, security teams can detect these techniques early and disrupt the threat actor’s progression before meaningful damage occurs. The goal isn’t just to spot a single command; it’s to understand the sequence, the intent and the identity behind it.…”

T1552.007 Container API · 40%
“these actions leaves a distinct trace in the audit logs, indicating changes to Kubernetes resources, unexpected API verbs, or identities performing operations outside their normal behavior. Monitoring identity-driven changes and the creation of suspicious resources allows defen…”

T1525 Implant Internal Image · 40%
“throughout their cloud environment and on Kubernetes hosts. Cortex Cloud’s runtime security operations include collection, analysis, detection, alerting and prevention of malicious operations on cloud platforms and SaaS application audit logs. Using behavioral and static alerti…”

T1613 Container and Resource Discovery · 39%
“…bernetes post-exploitation research. The retrieved token belonged to a high-privileged management service account with broad RBAC permissions, used by a common CI/CD automation and cluster orchestration system. With this overly permissive identity, the threat actor authen…”

T1552.007 Container API · 39%
“enables threat actors to read sensitive files directly from the node filesystem, including credentials and configuration data. - Off-menu general-purpose post-exploitation utilities. Allows threat actors to run arbitrary kubectl commands across multiple authorization contex…”

T1613 Container and Resource Discovery · 37%
“scale. It provides automated deployment, service discovery and workload isolation across cloud environments. Like many open-source systems, Kubernetes is also a high-value attack surface that threat actors attempt to exploit in a variety of ways. - Public-facing workloads t…”

T1059.013 Container CLI/API · 36%
“access token. The command reads the token from the pod’s filesystem and exfiltrates it to a remote command and control (C2) server. The token is embedded inside an HTTP header to make the traffic look like a normal authenticated request, as shown below in Figure 7. By exfiltr…”

T1610 Deploy Container · 36%
“function: - Namespaces, service accounts and roles. Identity and context discovery techniques to enumerate namespaces, pods, and service accounts, switch execution contexts, and test alternative authentication methods, including assumed Identity and Access Management (IAM) role…”

T1611 Escape to Host · 36%
“scale. It provides automated deployment, service discovery and workload isolation across cloud environments. Like many open-source systems, Kubernetes is also a high-value attack surface that threat actors attempt to exploit in a variety of ways. - Public-facing workloads t…”

T1528 Steal Application Access Token · 35%
“…gard: New TeamTNT Cryptojacking Malware Targeting Kubernetes – Unit 42, Palo Alto Networks - Managing Permissions with Kubernetes RBAC – Unit 42, Palo Alto Networks - Mitigating RBAC-Based Privilege Escalation in Popular Kubernetes Platforms – Unit 42, Palo Alto Networks - R…”

T1610 Deploy Container · 35%
“…try. The example shows an alert triggered by token-access behavior inside a compromised pod misused by Peirates. For more information on detection capabilities for Kubernetes-related techniques, please see Appendix B. Practical Kubernetes configurations for security teams e…”

T1613 Container and Resource Discovery · 34%
“IC3) - Pod Security Standards – Kubernetes - Understanding the threat landscape for Kubernetes and containerized assets | Microsoft Security Blog – Microsoft Security - Exploit Public-Facing Application, Technique T1190 - Enterprise – MITRE ATT&CK® - Steal Application Access…”

T1552.007 Container API · 33%
“…-value workloads or cloud services. When these operations are combined, even small misconfigurations – overly permissive tokens, exposed APIs, or insufficient workload and namespace isolation – could enable threat actors to gain full cluster administrator privileges by leveraging…”

T1078.001 Default Accounts · 33%
“of an intrusion. Kubernetes audit logs provide a record of API activity inside a cluster, capturing every request to the API server and its outcome. This makes them essential for understanding how a threat actor gained access, what they interacted with and how far they moved. Bec…”

T1195.001 Compromise Software Dependencies and Development Tools · 33%
“environment variable exfiltration that is consistent with the cloud and Kubernetes intrusions that we observed during this event, as noted in Figure 2. Figure 3 shows an example of an attempt observed by Unit 42 to download, execute and subsequently delete a backdoor masquerading…”

T1613 Container and Resource Discovery · 32%
“…try. The example shows an alert triggered by token-access behavior inside a compromised pod misused by Peirates. For more information on detection capabilities for Kubernetes-related techniques, please see Appendix B. Practical Kubernetes configurations for security teams e…”

T1525 Implant Internal Image · 32%
“compromised application from escalating into full cluster control. Defenders enforce this principle by tightly controlling application actions through RBAC and constraining runtime behavior with Pod Security Standards (PSS). Broad RBAC permissions and permissive pod settings ma…”

T1613 Container and Resource Discovery · 31%
“network context, and mounted identities. Such access effectively eliminates the boundary between an exposed web application and the cluster itself. Unit 42 coverage of React2Shell shows that various threat groups used this pod runtime access to rapidly extract value from compromi…”

T1613 Container and Resource Discovery · 30%
“compromised application from escalating into full cluster control. Defenders enforce this principle by tightly controlling application actions through RBAC and constraining runtime behavior with Pod Security Standards (PSS). Broad RBAC permissions and permissive pod settings ma…”

Summary

Unit 42 uncovers escalating Kubernetes attacks, detailing how threat actors exploit identities and critical vulnerabilities to compromise cloud environments.

The post Understanding Current Threats to Kubernetes Environments appeared first on Unit 42.