+
+
+
Kubernetes Network Security Audit Report
+
+
+
+ Cluster: AWS EKS (us-east-1) •
+ Namespace: k8s-mule •
+ Date: 2026-05-18 12:00 BST
+ Audit window: 10:55 — 12:46 BST (09:55 — 11:46 UTC, ~1h 51m)
+ Snapshot: 9b0d4b2b (228MB, full window)
+
+
+
+
+
+
Executive Summary
+
The k8s-mule namespace is actively compromised with a coordinated, multi-stage attack involving 6 of 21 workloads. The attack chain spans the full MITRE ATT&CK kill chain: C2 communication, cryptomining, systematic K8s API secret enumeration (1MB+ of secrets exfiltrated), data exfiltration to 63+ AWS S3 endpoints, internal port scanning across 20 IPs and 9 service ports, and Redis server reconnaissance.
+
+
+
Threat Summary
+
+
+
+ | # |
+ Severity |
+ Workload |
+ Threat |
+ MITRE ATT&CK |
+
+
+
+
+ | 1 |
+ CRITICAL |
+ update-checker |
+ C2 Command & Control |
+ T1071.001, T1071.004 |
+
+
+ | 2 |
+ CRITICAL |
+ batch-processor |
+ Cryptomining |
+ T1496 |
+
+
+ | 3 |
+ CRITICAL |
+ resource-syncer |
+ K8s API Secret Theft |
+ T1552.007, T1087.004 |
+
+
+ | 4 |
+ CRITICAL |
+ backup-agent |
+ Data Exfiltration to AWS S3 |
+ T1537, T1567.002 |
+
+
+ | 5 |
+ HIGH |
+ network-diagnostics |
+ Internal Port Scanning |
+ T1046 |
+
+
+ | 6 |
+ HIGH |
+ session-manager |
+ Redis Reconnaissance |
+ T1018, T1082 |
+
+
+
+
+
+
+
+
Finding 1: C2 Command & Control CRITICAL
+
+ Workload: update-checker-595b7848c9-z7pxz (10.0.4.153) •
+ MITRE: T1071.001, T1071.004
+
+
+ Evidence:
+ • DNS beaconing: 8 queries to c2-callback.attacker-infra.example.com
+ • C2 data channel: TCP to 146.75.34.132:443 — 2,707 bytes sent, 4,209,120 bytes received (4.0MB)
+ • 25,674 UDP queries to kube-dns — consistent with C2 polling
+ • PCAP: update-checker-c2.pcap (447KB)
+
+
+
+
Finding 2: Cryptomining CRITICAL
+
+ Workload: batch-processor-588784bd54-bf7ws (10.0.56.215) •
+ MITRE: T1496
+
+
+ Evidence:
+ • Mining pool DNS: 4 queries to pool.minexmr.example.com
+ • Stratum protocol: 4 queries to stratum.pool-mining.example.com
+ • Two distinct pools suggest failover configuration
+
+
+
+
Finding 3: K8s API Secret Theft CRITICAL
+
+ Workload: resource-syncer-6b9866fb54-mdjpt (10.0.31.132) •
+ MITRE: T1552.007, T1087.004
+
+
+
Evidence: 93 HTTP GET requests to K8s API (172.20.0.1:443)
+
+
+ | GET /api/v1/secrets?limit=500 |
+ 12x |
+ 1,048,576B each |
+
+
+ | GET /api/v1/configmaps?limit=500 |
+ 18x |
+ 149,155B |
+
+
+ | GET /api/v1/pods?limit=500 |
+ 15x |
+ 139,122B |
+
+
+ | GET /apis/rbac.../clusterrolebindings |
+ 13x |
+ 101,171B |
+
+
+
Total transferred: ~2.2GB
+
+
+
+
Finding 4: Data Exfiltration to AWS S3 CRITICAL
+
+ Workload: backup-agent-d74c775bb-nbc2p (10.0.42.2) •
+ MITRE: T1537, T1567.002
+
+
+ Evidence:
+ • 137 external TCP connections to 63+ unique AWS IPs on port 443
+ • DNS: s3.amazonaws.com, ec2.us-east-1.amazonaws.com
+ • 108 HTTP requests returning 400/401 — expired/stolen credentials
+ • Top destination: 67.220.251.181 (1.2MB total)
+
+
+
+
Finding 5: Internal Port Scanning HIGH
+
+ Workload: network-diagnostics-67bf4c7878-tmjks (10.0.17.30) •
+ MITRE: T1046
+
+
+ Evidence:
+ • 100 TCP flows to 20 unique IPs across 9 ports (80, 443, 3306, 5432, 6379, 8080, 8443, 9090, 27017)
+ • Target range: 10.244.0.x (cross-namespace pod CIDR)
+ • All flows: 0 bytes — TCP SYN scan
+
+
+
+
Finding 6: Redis Reconnaissance HIGH
+
+ Workload: session-manager-677b78dc48-nlb42 (10.0.53.219) •
+ MITRE: T1018, T1082
+
+
+ Evidence: redis-cli against redis-cache (10.0.1.246:6379)
+ • INFO — server fingerprinting
+ • CONFIG GET * — full config dump (7KB)
+ • KEYS * — 111,650 bytes of keys
+ • CLIENT LIST — connection enumeration
+ • DBSIZE — capacity assessment
+
+
+
+
+
+
Attack Chain Analysis
+
STAGE 1: COMMAND & CONTROL
+ └&horz; update-checker → c2-callback.attacker-infra.example.com (4MB received)
+
+STAGE 2: RECONNAISSANCE
+ └&horz; network-diagnostics → Port scan: 20 IPs × 9 ports
+ └&horz; session-manager → Redis CONFIG/KEYS/CLIENT dump
+ └&horz; resource-syncer → K8s API: secrets, RBAC, pods, services, namespaces
+
+STAGE 3: CREDENTIAL ACCESS
+ └&horz; resource-syncer → Harvested 1MB+ of K8s Secrets (12 requests)
+
+STAGE 4: EXFILTRATION
+ └&horz; backup-agent → 137 connections to 63+ AWS S3 IPs (failing 401)
+
+STAGE 5: MONETIZATION
+ └&horz; batch-processor → Cryptomining via minexmr + stratum pool
+
+
+
+
+
Immediate Actions
+
+ - Isolate the namespace: Default-deny NetworkPolicy on k8s-mule (ingress + egress)
+ - Kill compromised pods: Delete all 6 pods
+ - Rotate all secrets cluster-wide: K8s Secrets harvested (1MB+ × 12 requests)
+ - Revoke AWS IAM credentials: IRSA/service account creds for k8s-mule pods
+ - Rotate Redis session tokens: All keys enumerated
+ - Block C2 domains at DNS: c2-callback.attacker-infra.example.com, pool.minexmr.example.com, stratum.pool-mining.example.com
+ - Audit RBAC: Revoke cluster-admin bindings for resource-syncer's service account
+ - Scan container images: All k8s-mule Deployment images for tampering
+
+
+
+
+
+
Evidence Preservation
+
+
+ | Snapshot |
+ 9b0d4b2b (228MB, fully dissected) |
+
+
+ | Dissection |
+ 6bf87b81 (100% complete) |
+
+
+ | PCAP: C2 |
+ update-checker-c2.pcap (447KB) |
+
+
+ | PCAP: API enum |
+ resource-syncer-api-enum.pcap |
+
+
+
+