Protecting Kubernetes from Ransomware Threats

A historic number of companies worldwide are flocking to the cloud as they adapt to the long-term shift to remote work. Many are also adopting Kubernetes as their default container orchestration tool. Its portability, flexibility and multi-cloud capabilities have caused the open source container orchestration platform to explode in popularity. Data released by the Cloud Native Computing Foundation last year shows that of the 84% of companies running containers in production, an overwhelming 78% were using Kubernetes.

IT executives have jumped at the chance to leverage Kubernetes’ benefits. But so have crafty cyberattackers who, like top business decision-makers, are responsible for monitoring the market for opportunities that make financial sense. The recent wave of attacks against organizations’ cloud environments is an excellent example of this, as cybercriminals seek to take advantage of the mass shift to the cloud to steal critical company data through security gaps. Research conducted by IDC found that a whopping 98% of all companies experienced a cloud data breach within the past 18 months, a 19% increase from just a year ago. Meanwhile, recent research from Wanclouds found that one in three AWS organizations lost data in the last year due to downtime incidents including those caused by cyberattacks. 

And now, as more companies deploy containers, similar risks are presenting themselves. Money-hungry cybercriminals increasingly target Kubernetes as a potential breach point to access a network, take it hostage and demand large ransomware payouts. As a result, the security of Kubernetes has never been more critical. As the costs of these attacks skyrocket, every organization must boost its Kubernetes security hygiene. Here’s how.

Move Beyond a Backup-Only Strategy 

Kubernetes is known to have strict security protocols that help block access to components outside of a cluster. But it certainly isn’t unbreachable. Just a few years ago, hackers could hijack Tesla’s Kubernetes console to perform cryptomining and even access the company’s AWS environment credentials. More recently, researchers detected a series of attacks against Kubernetes clusters via misconfigured Argo Workflows instances. Hackers were able to access an open Argo dashboard and submit their own workflow. 

Yet, many businesses are under the false impression that backup is the only security needed to protect Kubernetes. This belief could render organizations even more vulnerable in this worsening cybersecurity crisis, with Kubernetes very much in the crosshairs of cyberattackers looking for ways to infiltrate businesses and steal their data. 

The truth is, ransomware gangs are continuously upgrading their breach methods in ways that make detection harder than ever. And many of the same vulnerabilities that make organizations broadly vulnerable to ransomware attacks also make containers and clusters vulnerable. This includes misconfigurations, missing container replacements and backup gaps. As a result, enterprises must adopt more hardened security protocols to have a realistic chance of fighting off attack attempts before they have an opportunity to infiltrate. 

Shift to a Proactive Cybersecurity Approach 

The urgency around moving beyond a backup-only approach to a more proactive cybersecurity strategy is something even the Cybersecurity and Infrastructure Security Agency (CISA) has explored in great detail. Since the pandemic began, CISA has been under immense pressure to thwart rising ransomware and state-sponsored attack threats. CISA has made sure to emphasize how grave the risk is to Kubernetes, especially in light of an increasing number of damaging supply chain attacks.

Malicious threat actors capable of exploiting vulnerabilities and misconfigurations in components of the Kubernetes architecture also pose risks. In addition, there are threats from those with special access to their organization’s clusters that may abuse such privileges. To mitigate attacks from these risk vectors, CISA recommends several proactive and hardened security measures, including:

  • Regularly scanning containers and pods for vulnerabilities
  • Running containers and pods with the least amount of privileges possible
  • Using network separation to control the amount of damage a compromise can cause
  • Using firewalls to limit unneeded network connectivity
  • Using encryption to protect confidentiality
  • Periodically reviewing all Kubernetes settings
  • Using vulnerability scans to help ensure risks are appropriately accounted for
  • Making sure security patches are applied in a timely fashion
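The "least privilege" and "periodically review all Kubernetes settings" items above can be turned into a repeatable check. The following is an added example, not code from the article or from CISA: a small audit function that flags common privilege-escalation settings in a Pod spec, run over two constructed manifests (a typical unhardened one and the same workload hardened). A real run would feed it the output of `kubectl get pod -o json`.

```python
"""Audit a Pod spec for least-privilege settings (added example, not from the article).
The sample manifests below are constructed; feed real specs from `kubectl get pod -o json`."""
from typing import Any


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the Pod passes every check."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    # Sharing host namespaces lets a container see or reach host processes and interfaces.
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true unless set explicitly.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        # runAsNonRoot may be set at pod or container level; the container setting wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
    return findings


# Constructed sample: an "it works" manifest that shares the host PID namespace and runs privileged.
WEAK_POD = {"kind": "Pod", "spec": {"hostPID": True,
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"privileged": True}}]}}

# The same workload hardened along the lines of the recommendations above.
HARDENED_POD = {"kind": "Pod", "spec": {"securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "OK")
```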

These are just a few of the proactive measures organizations should be taking, however. CISA also advises organizations to use strong authentication and authorization to limit user and administrator access and reduce the attack surface, and to set up log auditing so that they can monitor activity and be alerted to potentially malicious behavior. These recommendations are very much in line with the Biden administration’s plans to push all federal agencies toward a zero-trust architecture. This framework requires organizations to assume that anyone is a potential intruder until they’re verified.

Whether or not zero-trust is an approach that organizations are willing to adopt, the fact remains that proactive cybersecurity has inherent security advantages and, quite frankly, is the only way to stop ransomware gangs from inflicting critical damage.

Educate Staff on Ransomware Risks

The reality is, taking a lax or reactive stance on Kubernetes security is something businesses cannot afford. The more cloud-reliant organizations become in this new hybrid work era, the more determined cybercriminals will be to find ways to compromise those cloud environments. Therefore, it’s vital that organizations take the time to educate employees outside of IT on the threats to their business data, how to mitigate these risks and what precautions they should take to fend off breach attempts. 

This is especially true in today’s landscape, where foreign adversaries elevate their game against U.S. agencies and businesses. The SolarWinds hack, part of a Russian cyberespionage campaign, is an excellent example of this. It was largely successful because the hackers were able to move laterally through their targets’ systems by compromising cloud and local network identity systems to access cloud accounts and pilfer emails and files.

The threat of ransomware is rapidly growing, as are the consequences of falling victim to an attack. It’s therefore imperative that organizations protect Kubernetes at all costs alongside improving their overall business resilience. Of course, cyberattackers have made sure that this is no easy feat. But with a proactive security approach and an educated workforce, alongside an effective disaster recovery and backup plan to ensure zero downtime, enterprises can successfully stop attack attempts in their tracks and ensure the security of their Kubernetes infrastructure.

Faiz Khan

Faiz Khan is founder and CEO at Wanclouds.
