Kubernetes API calls by a likely malicious caller
Description
AlphaSOC has detected access to the Kubernetes API from external IP ranges or known malicious sources. This API is used for managing cluster operations and resources. Adversaries may use compromised credentials or misconfigured permissions to interact with cluster resources through it.
Impact
Threat actors with access to the Kubernetes API can create or modify resources, access sensitive data, deploy malicious containers, and exploit other resources in the cluster. This enables lateral movement and persistent access to the Kubernetes infrastructure.
Severity
| Severity | Condition |
|---|---|
| Informational | Kubernetes API calls from a known malicious source |
| Low | Unexpected Kubernetes API calls |
| High | Kubernetes API calls with unexpected action patterns or source IP ranges |
Investigation and Remediation
Review Kubernetes audit logs to identify the source IP address, user agent, and specific API calls made. Compare the activity against the cluster's established access patterns (expected source IP ranges, user agents, and identities). If unauthorized access is confirmed, rotate the compromised credentials, review and update RBAC policies, and audit all changes made during the incident.
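As an added example (not AlphaSOC's code), the review described above run in Python over constructed audit.k8s.io/v1 log lines: it keeps completed events whose first source IP falls outside the expected ranges and summarises user, user agent, verb, resource and response status for the analyst. The expected CIDRs, the mutating-verb list and the sample events are assumptions made for the example.

```python
import ipaddress
import json

# Hypothetical expected caller ranges for the cluster (assumption, not from the alert).
EXPECTED_CIDRS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Verbs that change cluster state: unexpected callers using these deserve escalation.
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

def is_expected_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_CIDRS)

def triage_audit_event(event):
    """Summarise a completed audit event from an unexpected source IP; return None otherwise."""
    if event.get("stage") != "ResponseComplete":
        return None  # skip RequestReceived duplicates; the completed event carries the status
    ips = event.get("sourceIPs") or []
    # sourceIPs[0] is the direct client address; later entries come from X-Forwarded-For.
    if not ips or is_expected_ip(ips[0]):
        return None
    obj = event.get("objectRef") or {}
    verb = event.get("verb")
    return {
        "source_ip": ips[0],
        "user": (event.get("user") or {}).get("username"),
        "user_agent": event.get("userAgent"),
        "verb": verb,
        "resource": "%s/%s" % (obj.get("namespace", "-"), obj.get("resource", "?")),
        "status": (event.get("responseStatus") or {}).get("code"),
        "mutating": verb in MUTATING_VERBS,
    }

def triage_audit_log(lines):
    """Run triage over JSON audit log lines; return only the events worth a closer look."""
    hits = []
    for line in lines:
        if line.strip():
            hit = triage_audit_event(json.loads(line))
            if hit:
                hits.append(hit)
    return hits

# Constructed sample audit events (audit.k8s.io/v1 JSON lines), not real log data.
SAMPLE_LOG = [
    '{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:kube-system:default"},"sourceIPs":["10.0.1.5"],"userAgent":"kube-controller-manager/v1.29","objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":200}}',
    '{"stage":"RequestReceived","verb":"create","user":{"username":"deploy-bot"},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29","objectRef":{"resource":"pods","namespace":"default"}}',
    '{"stage":"ResponseComplete","verb":"create","user":{"username":"deploy-bot"},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29","objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":201}}',
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"deploy-bot"},"sourceIPs":["203.0.113.7"],"userAgent":"curl/8.0","objectRef":{"resource":"secrets","namespace":"kube-system","name":"db-creds"},"responseStatus":{"code":403}}',
]
```

Running `triage_audit_log(SAMPLE_LOG)` returns two hits from 203.0.113.7: a successful pod creation via kubectl (mutating, escalate) and a denied secrets read via curl (the 403 still shows an unexpected caller probing credentials).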