Severity: high

Kubernetes RBAC Misconfigurations Exploited in Coordinated Cry...

A coordinated campaign is exploiting Kubernetes RBAC misconfigurations to deploy cryptominers across cloud environments.

By Danny Mercer, CISSP — Lead Security Analyst | Mar 22, 2026

Executive Summary

Aqua Security tracked a campaign compromising 2,000+ Kubernetes clusters via RBAC misconfigurations. The campaign relies on no software vulnerability, only on overprivileged service accounts that grant cluster-admin access.

Technical Analysis

Attackers create backup service accounts with admin roles for persistence. The miners limit themselves to 30% CPU during business hours and ramp up at night. A custom mining pool proxy obscures the traffic. The campaign is generating ~$500K/month.

Remediation

Audit RBAC configurations. Never bind cluster-admin to default service accounts. Use namespace-scoped permissions. To list what the default service account in the default namespace is allowed to do, run: kubectl auth can-i --list --as=system:serviceaccount:default:default
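One way to run the audit across every binding at once, as an added example that is not from the original article or from Aqua Security: it flags service accounts bound to cluster-admin and treats default service accounts and the system:serviceaccounts groups as the highest priority. The function name, severity labels and all names in the sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample of `kubectl get clusterrolebindings,rolebindings -A -o json`
# output; every name and namespace here is made up for the example.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-helper"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "backup-agent"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "backup-sa", "namespace": "kube-system"}]},
 {"kind": "RoleBinding", "metadata": {"name": "all-sa-admin", "namespace": "dev"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts:dev"}]},
 {"kind": "RoleBinding", "metadata": {"name": "viewer", "namespace": "dev"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "dev"}]}
]}
""")

def audit_bindings(doc, role="cluster-admin"):
    """Return (severity, scope, binding, subject) for service accounts bound to `role`."""
    findings = []
    for item in doc.get("items", []):
        if item.get("roleRef", {}).get("name") != role:
            continue
        # A RoleBinding to cluster-admin is limited to its own namespace.
        ns = item["metadata"].get("namespace")
        scope = f"namespace:{ns}" if item["kind"] == "RoleBinding" else "cluster"
        for s in item.get("subjects") or []:   # subjects may be absent or null
            kind, name = s.get("kind"), s.get("name", "")
            if kind == "ServiceAccount":
                subject = f"system:serviceaccount:{s.get('namespace', ns)}:{name}"
                sev = "HIGH" if name == "default" else "REVIEW"
            elif kind == "Group" and name.startswith("system:serviceaccounts"):
                # Group form covers every service account, default ones included.
                subject, sev = name, "HIGH"
            else:
                continue  # users and other groups are out of scope here
            findings.append((sev, scope, item["metadata"]["name"], subject))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE):
        print(*finding, sep="\t")
```

To audit a live cluster, pass `json.load(sys.stdin)` instead of `SAMPLE` and pipe in the output of `kubectl get clusterrolebindings,rolebindings -A -o json`; REVIEW rows are where an unexpected admin-bound service account would show up.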
