Industry News & Leadership, Apr 08, 2026

Hackers Exploit Kubernetes Misconfigurations to Move From Containers to Cloud Accounts

Source: Cybersecurity News



Kubernetes has become one of the most widely used platforms for managing containerized applications in enterprise environments. But as its adoption has grown, so has the attention it draws from malicious actors. Threat actors are now exploiting misconfigurations within Kubernetes clusters to break out of containers and move directly into the cloud accounts that host them.

Recent telemetry shows that Kubernetes-related threat operations, including service account token theft, increased by 282% over the last year, with the information technology sector accounting for over 78% of all observed activity.

The attacks are calculated, not random. Adversaries are no longer simply trying to escape a single container. They are abusing weak identity configurations and overly permissive access controls to move from an initial foothold all the way into the core cloud infrastructure. In roughly 22% of cloud environments monitored in 2025, suspicious activity tied to service account token theft was detected. These incidents follow a clear pattern: gain code execution inside a container, extract the credentials mounted into it, test what the Kubernetes API lets those credentials do, and pivot toward higher-value cloud resources.

Unit 42 researchers identified this growing threat through real-world intrusion cases, revealing how threat groups are chaining Kubernetes misconfigurations with cloud credential abuse to cause serious financial and operational harm. Their findings trace a direct line from a single compromised container to the core financial systems of targeted organizations.

Among the most alarming real-world examples is an intrusion tied to Slow Pisces, a North Korean state-sponsored group also tracked as Lazarus and TraderTraitor. In mid-2025, this group targeted a cryptocurrency exchange after gaining persistence on a developer's workstation through spearphishing.
Using the developer's active, privileged cloud session, the attackers deployed a malicious pod directly into the production Kubernetes cluster. That pod was built to expose the mounted service account token, a JSON Web Token (JWT) that Kubernetes automatically mounts into pods so they can authenticate to the API server.

[Figure: Cryptocurrency incident flow with Kubernetes compromise (Source: Unit 42)]

The stolen token belonged to a high-privileged management service account with broad RBAC permissions. Using this stolen identity, the threat actor authenticated to the Kubernetes API server, listed secrets, interacted with workloads across namespaces, and dropped a backdoor into a production pod to maintain persistent access. A single token for an over-privileged service account, once stolen, hands an attacker sweeping control over an entire cluster.

From Cluster to Cloud: Token Theft in Action

The attack did not stop at the cluster boundary. Using the privileges tied to the stolen token, the threat actor moved laterally from Kubernetes into the broader cloud platform. They accessed backend systems, retrieved sensitive credentials, and reached the financial infrastructure of the exchange, resulting in the theft of millions in cryptocurrency. This mirrors the post-exploitation workflow modeled by Peirates, an open-source Kubernetes penetration testing tool that demonstrates how a stolen token can be used to enumerate secrets, pivot across namespaces, and query cloud metadata services.

[Figure: Sample Peirates menu showing available post-exploitation techniques (Source: Unit 42)]

A second major incident involved CVE-2025-55182, a critical flaw in React Server Components known as React2Shell. It was publicly disclosed on December 3, 2025, and active exploitation targeting cloud services began within two days. Attackers abused insecure deserialization in the React Server Components Flight protocol to achieve code execution inside application containers.
From there, they harvested service account tokens, queried the Kubernetes API, and collected cloud credentials from environment variables, pivoting into the cloud account to install backdoors and deploy cryptominers.

To reduce exposure, security teams should enforce least privilege through strict RBAC policies, avoiding wildcard permissions in the roles bound to service accounts, and should disable automatic token mounting (automountServiceAccountToken: false) for workloads that never need to talk to the API server. Long-lived static tokens, the legacy secret-based tokens that never expire, should be replaced with short-lived projected service account tokens that expire automatically and are bound to the pod they were issued to, cutting the value of any stolen credential. Runtime monitoring that flags unusual process execution, unexpected outbound connections, and unauthorized access to sensitive paths inside containers (such as the mounted token directory under /var/run/secrets/kubernetes.io/serviceaccount) is also essential, as it can stop malicious activity before it escalates to the cloud layer. Kubernetes audit logs must always be enabled and reviewed; they capture the earliest signs of API misuse, token access, and lateral movement across namespaces.
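The mitigation above hinges on the difference between a legacy long-lived token and a projected, pod-bound one. The following Python script is an added example, not code from the article or from Unit 42: it decodes the claims of a service account JWT (without verifying the signature, which is all a triage of tokens found in pods or Secrets needs) and reports what kind of token it is and how long a stolen copy stays useful. The two sample tokens are constructed here and signed with a made-up HMAC key; real tokens are signed by the API server with an asymmetric key, which does not change the claims being inspected. Service account names, namespaces and pod names are hypothetical.

```python
"""Classify Kubernetes service account tokens by lifetime and binding.

Added example (not code from the article or from Unit 42). Decodes the
claims of a service account JWT without checking the signature and reports
whether it is a legacy long-lived token or a short-lived projected token
bound to a pod. Sample tokens are constructed and HS256-signed with a
made-up key; real tokens are signed by the API server (RS256/ES256).
"""
import base64
import hashlib
import hmac
import json
import time

_DEMO_KEY = b"demo-key-not-a-real-apiserver-key"  # hypothetical, constructed tokens only
SA_PREFIX = "system:serviceaccount:"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a constructed HS256 JWT carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(_DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_claims(token: str) -> dict:
    """Return the JWT payload without checking the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, now=None) -> dict:
    """Describe how much a stolen copy of this token is worth.

    Legacy tokens (minted from a kubernetes.io/service-account-token Secret)
    carry no 'exp' claim and name the Secret they live in; projected tokens
    carry 'exp', an 'aud' list and a 'kubernetes.io' claim binding them to
    one pod, so they die with the pod and expire on their own.
    """
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    sub = claims.get("sub", "")
    # Subject format: system:serviceaccount:<namespace>:<name>
    if sub.startswith(SA_PREFIX):
        sub = sub[len(SA_PREFIX):]
    ns, _, name = sub.partition(":")
    exp = claims.get("exp")
    result = {
        "namespace": ns,
        "service_account": name,
        "kind": "projected" if exp is not None else "legacy",
        "audiences": claims.get("aud", []),
        "bound_pod": claims.get("kubernetes.io", {}).get("pod", {}).get("name"),
        "seconds_remaining": None if exp is None else exp - now,
        "findings": [],
    }
    if exp is None:
        result["findings"].append("no expiry: legacy token, replace with a projected token")
    elif exp - now > 24 * 3600:
        result["findings"].append("lifetime over 24h: lower expirationSeconds on the projection")
    if not result["audiences"]:
        result["findings"].append("no audience: replayable against any service that trusts the issuer")
    if result["bound_pod"] is None:
        result["findings"].append("not pod-bound: stays valid after the pod that held it is gone")
    return result


# Constructed sample tokens; the claim layouts match what kubelet mounts.
NOW = 1_760_000_000  # fixed clock so the example is deterministic

LEGACY_TOKEN = make_demo_token({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:kube-system:cluster-mgmt",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "cluster-mgmt-token-x7k2p",
    "kubernetes.io/serviceaccount/service-account.name": "cluster-mgmt",
})

PROJECTED_TOKEN = make_demo_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "sub": "system:serviceaccount:payments:api",
    "iat": NOW, "nbf": NOW, "exp": NOW + 3600,
    "kubernetes.io": {
        "namespace": "payments",
        "pod": {"name": "api-6d9f7c8b4-q2xkz", "uid": "6b7c0a1e-0000-4000-8000-000000000001"},
        "serviceaccount": {"name": "api", "uid": "f1e2d3c4-0000-4000-8000-000000000002"},
    },
})

if __name__ == "__main__":
    for tok in (LEGACY_TOKEN, PROJECTED_TOKEN):
        print(json.dumps(classify_token(tok, now=NOW), indent=2))
```

Run against a token read from a pod's /var/run/secrets/kubernetes.io/serviceaccount/token or decoded from a Secret of type kubernetes.io/service-account-token, the legacy case returns three findings and the projected case none; a projected token with no audience or a multi-day expirationSeconds is flagged as well, since those settings give a thief most of the benefit of a legacy token.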
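The RBAC recommendation is easier to act on with a concrete list of which service accounts hold the grants a token thief uses first. The Python linter below is an added example, not the article's or Unit 42's code: it walks Role and ClusterRole rules and their bindings and reports, per service account, wildcard grants, Secret reads, pod exec or attach, TokenRequest on other accounts, pod creation (which lets the caller mount any service account in that namespace) and the RBAC escalation verbs. The manifests are constructed for the example; on a real cluster you would load the "items" of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`. Role, binding and account names are hypothetical.

```python
"""Flag RBAC grants that turn a stolen service account token into a pivot.

Added example (not the article's or Unit 42's code). Reports, per service
account, the grants that matter most once its token is stolen. Manifests
below are constructed; feed real ones from `kubectl get ... -o json`.
"""

# resource -> (verbs that matter, why it matters once the token is stolen)
RISKY = {
    "secrets": ({"get", "list", "watch"}, "read Secrets: harvest cloud and database credentials"),
    "pods/exec": ({"create"}, "exec into pods: run code under other workloads' identities"),
    "pods/attach": ({"create"}, "attach to pods: same effect as exec"),
    "serviceaccounts/token": ({"create"}, "TokenRequest: mint tokens for any service account"),
    "pods": ({"create"}, "create pods: mount any service account in the namespace"),
}
ESCALATION_VERBS = {"impersonate", "escalate", "bind"}


def rule_findings(rule):
    """Return the risk descriptions one PolicyRule triggers (possibly none)."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    groups = set(rule.get("apiGroups", []))
    found = []
    if "*" in verbs or "*" in resources or "*" in groups:
        found.append("wildcard grant ('*' in verbs, resources or apiGroups)")
    for resource, (risky_verbs, why) in RISKY.items():
        if (resource in resources or "*" in resources) and (verbs & risky_verbs or "*" in verbs):
            found.append(why)
    if verbs & ESCALATION_VERBS:
        found.append("RBAC escalation verbs: " + ", ".join(sorted(verbs & ESCALATION_VERBS)))
    return found


def audit(items):
    """Map 'namespace/serviceaccount' -> list of 'scope: role -> finding'.

    items: Role, ClusterRole, RoleBinding and ClusterRoleBinding objects as
    dicts. A RoleBinding that references a ClusterRole grants it only inside
    the binding's namespace, which the scope label reflects. A ServiceAccount
    subject without a namespace defaults to the binding's namespace, as the
    RBAC authorizer does.
    """
    roles = {}
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            meta = obj["metadata"]
            roles[(obj["kind"], meta.get("namespace"), meta["name"])] = obj.get("rules", [])
    report = {}
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, ns = obj["roleRef"], obj["metadata"].get("namespace")
        key = (ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"])
        scope = "cluster-wide" if obj["kind"] == "ClusterRoleBinding" else f"namespace {ns}"
        subjects = [s for s in obj.get("subjects", []) if s.get("kind") == "ServiceAccount"]
        for rule in roles.get(key, []):
            for why in rule_findings(rule):
                for s in subjects:
                    sa = f"{s.get('namespace', ns)}/{s['name']}"
                    report.setdefault(sa, []).append(f"{scope}: {ref['kind']}/{ref['name']} -> {why}")
    return report


def _obj(kind, name, namespace=None, **body):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, **body}


# Constructed manifests: one over-privileged management account of the kind
# the incident describes, and a normal app account with a single risky grant.
SAMPLE_ITEMS = [
    _obj("ClusterRole", "cluster-mgmt",
         rules=[{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _obj("ClusterRoleBinding", "cluster-mgmt",
         roleRef={"kind": "ClusterRole", "name": "cluster-mgmt"},
         subjects=[{"kind": "ServiceAccount", "name": "cluster-mgmt", "namespace": "kube-system"}]),
    _obj("Role", "config-reader", "payments",
         rules=[{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]),
    _obj("ClusterRole", "secret-reader",
         rules=[{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]),
    _obj("RoleBinding", "api-config", "payments",
         roleRef={"kind": "Role", "name": "config-reader"},
         subjects=[{"kind": "ServiceAccount", "name": "api"}]),
    _obj("RoleBinding", "api-secrets", "payments",
         roleRef={"kind": "ClusterRole", "name": "secret-reader"},
         subjects=[{"kind": "ServiceAccount", "name": "api"}]),
]

if __name__ == "__main__":
    for sa, grants in audit(SAMPLE_ITEMS).items():
        print(sa)
        for g in grants:
            print("  ", g)
```

The point of keying the report by service account rather than by role is that the service account is what a pod, and therefore a token thief, actually holds: every line under kube-system/cluster-mgmt is something an attacker gets by stealing one token from one pod that mounts it.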
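Audit logs only help if something reads them for the moves the incident chain describes: a service account checking what its token can do (the "test API permissions" step), a service account listing Secrets cluster-wide or outside its own namespace, and a service account exec'ing into a pod. The Python detector below is an added example, not code from the article or Unit 42. It scans audit events in the JSON-lines form the log backend writes and emits one finding per matching request. The sample events are constructed, with hypothetical account names, pod names and IPs; the field names follow audit.k8s.io/v1.

```python
"""Detect service account token abuse in Kubernetes audit logs.

Added example (not code from the article or Unit 42). Scans JSON-lines
audit events for permission probing, cross-namespace or cluster-wide Secret
reads, and pod exec by service accounts. Sample events are constructed.
"""
import json

SA_PREFIX = "system:serviceaccount:"


def sa_namespace(username):
    """Namespace of a service account user, or None for any other principal."""
    if not username.startswith(SA_PREFIX):
        return None
    return username[len(SA_PREFIX):].split(":", 1)[0]


def detect(event):
    """Return (rule, detail) pairs for one audit event."""
    if event.get("stage") != "ResponseComplete":   # a request logs several stages; count it once
        return []
    user = event.get("user", {}).get("username", "")
    own_ns = sa_namespace(user)
    if own_ns is None:
        return []   # human principals are reviewed with different rules
    ref = event.get("objectRef", {})
    verb = event.get("verb")
    res, sub, target_ns = ref.get("resource"), ref.get("subresource"), ref.get("namespace")
    hits = []
    if res in ("selfsubjectrulesreviews", "selfsubjectaccessreviews"):
        hits.append(("permission-enumeration", f"{user} probed its own RBAC permissions"))
    if res == "secrets" and verb in ("get", "list", "watch"):
        if target_ns is None:   # no namespace in objectRef: the request spanned all namespaces
            hits.append(("cluster-wide-secret-read", f"{user} {verb} secrets in all namespaces"))
        elif target_ns != own_ns:
            hits.append(("cross-namespace-secret-read", f"{user} {verb} secrets in {target_ns}"))
    if res == "pods" and sub in ("exec", "attach") and verb == "create":
        hits.append(("pod-exec-by-service-account", f"{user} {sub} into {target_ns}/{ref.get('name')}"))
    return hits


def scan(lines):
    """Run detect() over JSON-lines audit events; return a list of findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule, detail in detect(ev):
            findings.append({
                "time": ev.get("requestReceivedTimestamp"),
                "auditID": ev.get("auditID"),
                "sourceIPs": ev.get("sourceIPs", []),
                "rule": rule,
                "detail": detail,
            })
    return findings


# Constructed audit trail: a stolen kube-system management token used from a
# pod IP, first to check what it can do, then to dump Secrets and exec.
SAMPLE_AUDIT_LOG = """
{"stage":"ResponseComplete","auditID":"a1","verb":"get","user":{"username":"system:serviceaccount:payments:api"},"objectRef":{"resource":"configmaps","namespace":"payments","name":"api-config"},"sourceIPs":["10.244.1.9"],"requestReceivedTimestamp":"2025-07-14T09:01:02Z","responseStatus":{"code":200}}
{"stage":"RequestReceived","auditID":"a2","verb":"create","user":{"username":"system:serviceaccount:kube-system:cluster-mgmt"},"objectRef":{"resource":"selfsubjectrulesreviews"},"sourceIPs":["10.244.3.17"],"requestReceivedTimestamp":"2025-07-14T09:05:10Z"}
{"stage":"ResponseComplete","auditID":"a2","verb":"create","user":{"username":"system:serviceaccount:kube-system:cluster-mgmt"},"objectRef":{"resource":"selfsubjectrulesreviews"},"sourceIPs":["10.244.3.17"],"requestReceivedTimestamp":"2025-07-14T09:05:10Z","responseStatus":{"code":201}}
{"stage":"ResponseComplete","auditID":"a3","verb":"list","user":{"username":"system:serviceaccount:kube-system:cluster-mgmt"},"requestURI":"/api/v1/secrets","objectRef":{"resource":"secrets"},"sourceIPs":["10.244.3.17"],"requestReceivedTimestamp":"2025-07-14T09:05:41Z","responseStatus":{"code":200}}
{"stage":"ResponseComplete","auditID":"a4","verb":"create","user":{"username":"system:serviceaccount:kube-system:cluster-mgmt"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"api-6d9f7c8b4-q2xkz"},"sourceIPs":["10.244.3.17"],"requestReceivedTimestamp":"2025-07-14T09:07:03Z","responseStatus":{"code":101}}
{"stage":"ResponseComplete","auditID":"a5","verb":"list","user":{"username":"alice@example.com"},"objectRef":{"resource":"secrets","namespace":"payments"},"sourceIPs":["203.0.113.8"],"requestReceivedTimestamp":"2025-07-14T09:09:00Z","responseStatus":{"code":200}}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LOG.splitlines()):
        print(f["time"], f["rule"], f["sourceIPs"], f["detail"])
```

The source IP is carried through on purpose: a kube-system management token being used from a pod network address in a namespace where no such workload runs is the strongest single signal in this chain, and it is the one that the Metadata audit level already records without any request-body logging.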