The rapid adoption of Kubernetes across enterprise environments has significantly transformed how organizations manage containerized applications. However, as its popularity grows, so does its appeal to cybercriminals. Increasingly, threat actors are exploiting Kubernetes misconfigurations to break out of containers and infiltrate the underlying cloud accounts.
According to recent telemetry data, Kubernetes-related attacks—especially those involving service account token theft—have surged by 282% over the past year. Notably, the IT sector accounts for more than 78% of this malicious activity. This sharp increase highlights how attackers are evolving their tactics to target cloud-native infrastructures more effectively.
Moreover, these attacks are highly strategic rather than random. Instead of merely escaping a single container, adversaries now focus on exploiting weak identity configurations and overly permissive access controls. As a result, they can move seamlessly from an initial entry point into critical cloud infrastructure.
In fact, researchers observed suspicious activity linked to service account token theft in nearly 22% of monitored cloud environments in 2025. Typically, attackers follow a structured process: they gain code execution within a container, extract mounted credentials, test API permissions, and then pivot toward high-value cloud resources.
Researchers from Unit 42 uncovered this growing threat through real-world investigations. Their findings demonstrate how attackers combine Kubernetes misconfigurations with cloud credential abuse to inflict severe financial and operational damage. In some cases, a single compromised container provided a direct pathway to core financial systems.
One of the most concerning examples involves Slow Pisces, also known as Lazarus Group. In mid-2025, this group targeted a cryptocurrency exchange by first gaining access to a developer’s workstation via spearphishing. Leveraging the developer’s active and privileged cloud session, they deployed a malicious pod into a production Kubernetes cluster.
This malicious pod exposed a mounted service account token—a JSON Web Token (JWT) used for API authentication. Because the token belonged to a highly privileged account with broad role-based access control (RBAC) permissions, the attackers gained extensive control. They authenticated with the Kubernetes API, accessed secrets, interacted across namespaces, and even implanted a backdoor to maintain persistence.
Furthermore, the attack extended beyond the cluster. Using the stolen token, the attackers moved laterally into the cloud platform, accessed backend systems, retrieved sensitive credentials, and ultimately breached financial systems—resulting in millions lost in cryptocurrency.
Similarly, another major incident exploited CVE-2025-55182, also known as React2Shell. Within just two days of its public disclosure, attackers began actively exploiting the flaw. By abusing insecure deserialization, they achieved code execution inside containers, harvested tokens, and pivoted into cloud accounts to deploy backdoors and cryptominers.
To mitigate such risks, organizations must enforce strict least-privilege policies using RBAC, eliminate wildcard permissions, and replace long-lived tokens with short-lived credentials. Additionally, implementing runtime monitoring and enabling Kubernetes audit logs can help detect and stop malicious activity before it escalates.
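As an added illustration of the audit-log detection the paragraph above recommends (example code written for this page, not from Unit 42 or the article), the script below scans Kubernetes API-server audit events for two steps of the token-theft chain described earlier: a service-account identity testing its own permissions, and a service account reading secrets outside the namespace it belongs to. Event fields follow the apiserver audit.k8s.io format; the sample events are constructed and do not come from the incidents described.

```python
import json

# Resources a token holder touches to enumerate its own RBAC permissions
# (what "kubectl auth can-i" does under the hood).
PROBE_RESOURCES = {"selfsubjectaccessreviews", "selfsubjectrulesreviews"}

# Constructed sample audit events, one JSON object per line as written by the
# apiserver audit log. Illustrative only, not records from any real incident.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "system:serviceaccount:prod:payments-api"},
     "objectRef": {"resource": "selfsubjectaccessreviews", "apiGroup": "authorization.k8s.io"}},
    {"verb": "list", "user": {"username": "system:serviceaccount:prod:payments-api"},
     "objectRef": {"resource": "secrets"}},
    {"verb": "get", "user": {"username": "system:serviceaccount:prod:payments-api"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"}},
    {"verb": "get", "user": {"username": "system:serviceaccount:monitoring:agent"},
     "objectRef": {"resource": "secrets", "namespace": "finance", "name": "ledger-key"}},
    {"verb": "list", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "pods", "namespace": "prod"}},
])

def sa_namespace(username):
    """Namespace of a service-account principal, or None for any other identity."""
    parts = username.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2]
    return None

def classify(event):
    """Findings for one audit event: permission probing or cross-namespace secret reads."""
    user = event.get("user", {}).get("username", "")
    home_ns = sa_namespace(user)
    if home_ns is None:
        return []  # human and node identities are out of scope for this check
    ref = event.get("objectRef", {})
    resource, verb = ref.get("resource"), event.get("verb")
    findings = []
    if resource in PROBE_RESOURCES:
        findings.append(f"{user} enumerated its own RBAC permissions via {resource}")
    if resource == "secrets" and verb in {"get", "list"}:
        target_ns = ref.get("namespace")  # absent on a cluster-wide list
        if target_ns != home_ns:
            findings.append(f"{user} read secrets in namespace {target_ns or '<all>'}")
    return findings

def scan(ndjson_text):
    """Run classify over every non-empty line of an NDJSON audit log."""
    return [f for line in ndjson_text.splitlines() if line.strip()
            for f in classify(json.loads(line))]
```

A same-namespace secret read by a workload's own service account (the third sample event) produces no finding, so the check stays quiet for normal application behaviour while flagging the permission probing and cross-namespace reads that precede a pivot.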