-
-
-
Kubernetes Network Security Audit Report
-
-
-
- Cluster: AWS EKS (us-east-1) •
- Namespace: k8s-mule •
- Date: 2026-05-18 12:00 BST
- Audit window: 10:55 — 12:46 BST (09:55 — 11:46 UTC, ~1h 51m)
- Snapshot: 9b0d4b2b (228MB, full window)
-
-
-
-
-
-
Executive Summary
-
The k8s-mule namespace is actively compromised with a coordinated, multi-stage attack involving 6 of 21 workloads. The attack chain spans the full MITRE ATT&CK kill chain: C2 communication, cryptomining, systematic K8s API secret enumeration (1MB+ of secrets exfiltrated), data exfiltration to 63+ AWS S3 endpoints, internal port scanning across 20 IPs and 9 service ports, and Redis server reconnaissance.
-
-
-
Threat Summary
-
-
-
- | # |
- Severity |
- Workload |
- Threat |
- MITRE ATT&CK |
-
-
-
-
- | 1 |
- CRITICAL |
- update-checker |
- C2 Command & Control |
- T1071.001, T1071.004 |
-
-
- | 2 |
- CRITICAL |
- batch-processor |
- Cryptomining |
- T1496 |
-
-
- | 3 |
- CRITICAL |
- resource-syncer |
- K8s API Secret Theft |
- T1552.007, T1087.004 |
-
-
- | 4 |
- CRITICAL |
- backup-agent |
- Data Exfiltration to AWS S3 |
- T1537, T1567.002 |
-
-
- | 5 |
- HIGH |
- network-diagnostics |
- Internal Port Scanning |
- T1046 |
-
-
- | 6 |
- HIGH |
- session-manager |
- Redis Reconnaissance |
- T1018, T1082 |
-
-
-
-
-
-
-
-
Finding 1: C2 Command & Control CRITICAL
-
- Workload: update-checker-595b7848c9-z7pxz (10.0.4.153) •
- MITRE: T1071.001, T1071.004
-
-
- Evidence:
- • DNS beaconing: 8 queries to c2-callback.attacker-infra.example.com
- • C2 data channel: TCP to 146.75.34.132:443 — 2,707 bytes sent, 4,209,120 bytes received (4.0MB)
- • 25,674 UDP queries to kube-dns — consistent with C2 polling
- • PCAP: update-checker-c2.pcap (447KB)
-
-
-
-
Finding 2: Cryptomining CRITICAL
-
- Workload: batch-processor-588784bd54-bf7ws (10.0.56.215) •
- MITRE: T1496
-
-
- Evidence:
- • Mining pool DNS: 4 queries to pool.minexmr.example.com
- • Stratum protocol: 4 queries to stratum.pool-mining.example.com
- • Two distinct pools suggest failover configuration
-
-
-
-
Finding 3: K8s API Secret Theft CRITICAL
-
- Workload: resource-syncer-6b9866fb54-mdjpt (10.0.31.132) •
- MITRE: T1552.007, T1087.004
-
-
-
Evidence: 93 HTTP GET requests to K8s API (172.20.0.1:443)
-
-
- | GET /api/v1/secrets?limit=500 |
- 12x |
- 1,048,576B each |
-
-
- | GET /api/v1/configmaps?limit=500 |
- 18x |
- 149,155B |
-
-
- | GET /api/v1/pods?limit=500 |
- 15x |
- 139,122B |
-
-
- | GET /apis/rbac.../clusterrolebindings |
- 13x |
- 101,171B |
-
-
-
Total transferred: ~2.2GB
-
-
-
-
Finding 4: Data Exfiltration to AWS S3 CRITICAL
-
- Workload: backup-agent-d74c775bb-nbc2p (10.0.42.2) •
- MITRE: T1537, T1567.002
-
-
- Evidence:
- • 137 external TCP connections to 63+ unique AWS IPs on port 443
- • DNS: s3.amazonaws.com, ec2.us-east-1.amazonaws.com
- • 108 HTTP requests returning 400/401 — expired/stolen credentials
- • Top destination: 67.220.251.181 (1.2MB total)
-
-
-
-
Finding 5: Internal Port Scanning HIGH
-
- Workload: network-diagnostics-67bf4c7878-tmjks (10.0.17.30) •
- MITRE: T1046
-
-
- Evidence:
- • 100 TCP flows to 20 unique IPs across 9 ports (80, 443, 3306, 5432, 6379, 8080, 8443, 9090, 27017)
- • Target range: 10.244.0.x (cross-namespace pod CIDR)
- • All flows: 0 bytes — TCP SYN scan
-
-
-
-
Finding 6: Redis Reconnaissance HIGH
-
- Workload: session-manager-677b78dc48-nlb42 (10.0.53.219) •
- MITRE: T1018, T1082
-
-
- Evidence: redis-cli against redis-cache (10.0.1.246:6379)
- • INFO — server fingerprinting
- • CONFIG GET * — full config dump (7KB)
- • KEYS * — 111,650 bytes of keys
- • CLIENT LIST — connection enumeration
- • DBSIZE — capacity assessment
-
-
-
-
-
-
Attack Chain Analysis
-
STAGE 1: COMMAND & CONTROL
- └&horz; update-checker → c2-callback.attacker-infra.example.com (4MB received)
-
-STAGE 2: RECONNAISSANCE
- └&horz; network-diagnostics → Port scan: 20 IPs × 9 ports
- └&horz; session-manager → Redis CONFIG/KEYS/CLIENT dump
- └&horz; resource-syncer → K8s API: secrets, RBAC, pods, services, namespaces
-
-STAGE 3: CREDENTIAL ACCESS
- └&horz; resource-syncer → Harvested 1MB+ of K8s Secrets (12 requests)
-
-STAGE 4: EXFILTRATION
- └&horz; backup-agent → 137 connections to 63+ AWS S3 IPs (failing 401)
-
-STAGE 5: MONETIZATION
- └&horz; batch-processor → Cryptomining via minexmr + stratum pool
-
-
-
-
-
Immediate Actions
-
- - Isolate the namespace: Default-deny NetworkPolicy on k8s-mule (ingress + egress)
- - Kill compromised pods: Delete all 6 pods
- - Rotate all secrets cluster-wide: K8s Secrets harvested (1MB+ × 12 requests)
- - Revoke AWS IAM credentials: IRSA/service account creds for k8s-mule pods
- - Rotate Redis session tokens: All keys enumerated
- - Block C2 domains at DNS: c2-callback.attacker-infra.example.com, pool.minexmr.example.com, stratum.pool-mining.example.com
- - Audit RBAC: Revoke cluster-admin bindings for resource-syncer's service account
- - Scan container images: All k8s-mule Deployment images for tampering
-
-
-
-
-
-
Evidence Preservation
-
-
- | Snapshot |
- 9b0d4b2b (228MB, fully dissected) |
-
-
- | Dissection |
- 6bf87b81 (100% complete) |
-
-
- | PCAP: C2 |
- update-checker-c2.pcap (447KB) |
-
-
- | PCAP: API enum |
- resource-syncer-api-enum.pcap |
-
-
-
-