Safeguarding EKS Clusters Against Ransomware

Dr. Srinidhi Varadarajan, Chief Scientist

Amazon Elastic Kubernetes Service (EKS) clusters, central to managing containerized applications, are exposed to security risks, particularly when Amazon Elastic Block Store (EBS) volumes and/or Simple Storage Service (S3) buckets hold their state. That exposure includes ransomware and malware attacks, which underscores the critical need for a robust security infrastructure.

The mechanics of ransomware attacks on EKS clusters

Ransomware attacks on Amazon Elastic Kubernetes Service (EKS) clusters often employ sophisticated methods; a notable one is the use of LD_PRELOAD to intercept the POSIX call chain, loading a malicious shared library ahead of the C library so that its functions shadow the standard ones. This method is a favored tool among Ransomware-as-a-Service (RaaS) operators such as LockBit.
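Because LD_PRELOAD abuse leaves two visible traces on a node (the variable in a process environment, and entries in /etc/ld.so.preload), a defender can check for it without any vendor agent. The following script is an added example, not code from the original page or from Elastio; it parses constructed /proc-style environ blobs and a constructed ld.so.preload file, and the list of "suspicious" directories is a heuristic assumption to be tuned per image. The `collect_live()` helper reads the real /proc when run on a node.

```python
from __future__ import annotations
import os
from pathlib import Path

# Directories from which a legitimately preloaded library is not expected
# (constructed heuristic list; tune to the layout of your container images).
SUSPICIOUS_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/", "/home/")


def _suspicious_path(path: str) -> str | None:
    """Return a reason string if a library path looks abnormal, else None."""
    if path.startswith(SUSPICIOUS_PREFIXES):
        return "library loaded from a writable/temporary location"
    if any(part.startswith(".") for part in Path(path).parts):
        return "library lives in a hidden directory or has a hidden name"
    if not path.startswith("/"):
        return "relative path (resolved against the dynamic loader's search order)"
    return None


def parse_environ(raw: bytes) -> dict[str, str]:
    """Parse a /proc/<pid>/environ blob: NUL-separated KEY=VALUE entries."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def find_preload_indicators(environs: dict[int, bytes], ld_so_preload: str | None) -> list[dict]:
    """Flag LD_PRELOAD in process environments and any entry in /etc/ld.so.preload.
    environs: {pid: raw environ bytes}; ld_so_preload: file contents, or None if absent."""
    findings = []
    # 1. Any entry in /etc/ld.so.preload is unusual in a container image; report it.
    if ld_so_preload:
        for line in ld_so_preload.splitlines():
            lib = line.strip()
            if lib and not lib.startswith("#"):
                findings.append({"pid": None, "source": "/etc/ld.so.preload", "library": lib,
                                 "reason": _suspicious_path(lib) or "system-wide preload entry present"})
    # 2. LD_PRELOAD on a running process; the value is a colon- or space-separated list.
    for pid, raw in environs.items():
        value = parse_environ(raw).get("LD_PRELOAD")
        if not value:
            continue
        for lib in value.replace(":", " ").split():
            findings.append({"pid": pid, "source": "LD_PRELOAD", "library": lib,
                             "reason": _suspicious_path(lib) or "LD_PRELOAD set on a running process"})
    return findings


def collect_live() -> tuple[dict[int, bytes], str | None]:
    """Read the real /proc and /etc/ld.so.preload (other users' environs need privileges)."""
    environs = {}
    for entry in os.scandir("/proc"):
        if entry.name.isdigit():
            try:
                environs[int(entry.name)] = Path(entry.path, "environ").read_bytes()
            except OSError:
                continue
    try:
        preload = Path("/etc/ld.so.preload").read_text()
    except OSError:
        preload = None
    return environs, preload


# Constructed sample input standing in for /proc/<pid>/environ and /etc/ld.so.preload.
SAMPLE_ENVIRONS = {
    101: b"PATH=/usr/bin\0HOME=/root\0",                            # clean process
    202: b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.cache/libc.so.6\0",  # hidden library on tmpfs
    303: b"LD_PRELOAD=/usr/lib/libjemalloc.so.2\0USER=app\0",       # plausible, still reported
}
SAMPLE_LD_SO_PRELOAD = "/tmp/.x/hook.so\n"


def demo() -> list[dict]:
    return find_preload_indicators(SAMPLE_ENVIRONS, SAMPLE_LD_SO_PRELOAD)


if __name__ == "__main__":
    for finding in demo():          # swap in collect_live() to scan the node you are on
        print(finding)
```

Every LD_PRELOAD hit is reported, not only the ones in suspicious locations: a preloaded allocator such as jemalloc may be legitimate, but it should be an allow-listed decision in the image build rather than a surprise on a running node.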

The initial entry point for these attackers is often a compromised Identity and Access Management (IAM) credential, which can stem from poorly secured credentials or from internal threats such as disgruntled employees leaking sensitive information. The LockBit gang, known for its aggressive tactics, offers substantial rewards for high-value credentials.

Interestingly, zero-day vulnerabilities have become less common as primary entry points, because modern infrastructure can apply updates automatically. Defining IAM roles clearly and without overlap therefore remains key to limiting potential harm, but even this is no guaranteed safeguard: attackers frequently exploit users who hold multiple IAM roles to move across system boundaries.
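The "multiple roles crossing boundaries" problem can be measured rather than guessed at. The script below is an added example and not the page's or any vendor's code: it screens IAM policy documents for a constructed list of destructive actions (object deletion, snapshot deletion, key deletion, cluster deletion), unions them across every role a principal can assume, and flags principals whose combined permissions span more than one boundary. Role names, policies and principal mappings are constructed sample data; the screen ignores Resource and Condition scoping and NotAction, so it is a coarse first pass rather than a full policy evaluator.

```python
from __future__ import annotations
import fnmatch
from collections import defaultdict

# Actions that let an intruder destroy or lock up state, grouped by the boundary
# they cross (constructed grouping; extend it to match your own environment).
DESTRUCTIVE_ACTIONS = {
    "object-storage": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
    "block-storage": ["ec2:DeleteVolume", "ec2:DeleteSnapshot"],
    "keys": ["kms:ScheduleKeyDeletion", "kms:DisableKey"],
    "cluster": ["eks:DeleteCluster", "eks:DeleteNodegroup"],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def action_matches(pattern: str, action: str) -> bool:
    """IAM action patterns are case-insensitive and use '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_destructive(statements: list[dict]) -> dict[str, set[str]]:
    """Destructive actions a policy document grants: Allow minus explicit Deny.
    Resource/Condition scoping and NotAction are ignored (coarse screen)."""
    allowed, denied = defaultdict(set), set()
    for st in statements:
        patterns = _as_list(st.get("Action"))
        for boundary, actions in DESTRUCTIVE_ACTIONS.items():
            for action in actions:
                if any(action_matches(p, action) for p in patterns):
                    if st.get("Effect") == "Allow":
                        allowed[boundary].add(action)
                    elif st.get("Effect") == "Deny":
                        denied.add(action)
    return {b: acts - denied for b, acts in allowed.items() if acts - denied}


def blast_radius(roles: dict[str, list[dict]], principals: dict[str, list[str]]) -> dict[str, dict]:
    """Per principal: the union of destructive actions across every role it can assume."""
    per_role = {name: granted_destructive(stmts) for name, stmts in roles.items()}
    report = {}
    for principal, assumable in principals.items():
        combined = defaultdict(set)
        for role in assumable:
            for boundary, acts in per_role.get(role, {}).items():
                combined[boundary] |= acts
        report[principal] = {
            "roles": list(assumable),
            "boundaries": sorted(combined),
            "actions": sorted(a for acts in combined.values() for a in acts),
            "crosses_boundaries": len(combined) > 1,
        }
    return report


# Constructed sample roles and principal-to-role mappings (not from any real account).
SAMPLE_ROLES = {
    "eks-app-role": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-data/*"},
    ],
    "backup-operator": [
        {"Effect": "Allow", "Action": ["ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:Describe*"],
         "Resource": "*"},
    ],
    "s3-admin": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
SAMPLE_PRINCIPALS = {
    "alice": ["eks-app-role"],
    "bob": ["backup-operator", "s3-admin"],   # holds roles on both sides of a boundary
}


def demo() -> dict[str, dict]:
    return blast_radius(SAMPLE_ROLES, SAMPLE_PRINCIPALS)


if __name__ == "__main__":
    for who, info in demo().items():
        flag = "CROSSES BOUNDARIES" if info["crosses_boundaries"] else "ok"
        print(f"{who}: {flag} {info['boundaries']} {info['actions']}")
```

In the sample, neither role on its own is alarming (one can delete snapshots, the other can delete objects), but the principal who can assume both can destroy primary data and its backups in one session, which is exactly the overlap the paragraph above warns about.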

Why EDR/XDR is not enough to protect against these attacks

Deploying perimeter Extended Detection and Response (XDR) agents on EKS clusters improves security, but these agents are only the first layer of a comprehensive defense. Even with leading XDR solutions in place, breaches still occur.

Notable incidents, such as the attack on the City of Dallas, show that attackers can maintain a presence in a network for extended periods despite these defenses. Once inside, they can hold the data on EBS volumes hostage or delete S3 objects and offer them back for ransom, just as they would with a virtual machine. Kubernetes itself offers no extra protection against such threats.

The level of attack sophistication often correlates with the perceived value of the target. High-value entities, such as financial institutions, are likely to face more advanced and tailored attack methods. Initially, these entities may be probed by automated RaaS tooling; when one of these tools finds a vulnerability, the information is often sold to expert hacker groups with the skills to exploit it effectively. Fundamentally, these attacks are a numbers game: a constant stream of attempts until one finds its way through.

The role of data resilience in mitigating ransomware attacks on EKS clusters

In response to these challenges, data resilience solutions such as Elastio, which operate at the data level, emerge as crucial components of a security infrastructure. Elastio adds a layer of defense beyond traditional measures by continuously monitoring the state of EBS and S3 for ransomware and malware, without relying on agents that can be compromised or bypassed. This approach addresses the gaps left by EDR/XDR solutions.
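To make "monitoring the state of EBS and S3 at the data level" concrete, here is an added example of one such check; it is not Elastio's code and says nothing about how that product works. It compares two point-in-time copies of the same data (think two EBS snapshots, or two S3 listings) and looks for the signature a ransomware run leaves behind: files whose contents jumped from structured to near-random (encrypted in place), files that vanished, and new ransom-note-like files. The snapshots, the entropy threshold, the note-name pattern and the alert fraction are all constructed assumptions.

```python
from __future__ import annotations
import math
import random
import re
from collections import Counter

# Constructed thresholds: encrypted/compressed data sits near 8 bits per byte, text far below.
HIGH_ENTROPY = 7.2
NOTE_NAME = re.compile(r"(decrypt|restore|recover|ransom|readme).*\.(txt|html|hta)$", re.IGNORECASE)
MIN_FRACTION_CHANGED = 0.3   # share of baseline files that became high-entropy before alerting


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_snapshot_pair(baseline: dict[str, bytes], current: dict[str, bytes]) -> dict:
    """Compare two copies of a volume (path -> contents) and report ransomware indicators."""
    encrypted, notes = [], []
    for path, data in current.items():
        if path not in baseline and NOTE_NAME.search(path):
            notes.append(path)
        before = baseline.get(path)
        # Only a transition from low to high entropy counts; images and archives are
        # already high-entropy in the baseline and must not trigger.
        if before is not None and shannon_entropy(before) < HIGH_ENTROPY <= shannon_entropy(data):
            encrypted.append(path)
    missing = sorted(set(baseline) - set(current))
    fraction = len(encrypted) / max(len(baseline), 1)
    return {
        "encrypted_in_place": sorted(encrypted),
        "missing": missing,
        "ransom_notes": sorted(notes),
        "fraction_encrypted": round(fraction, 3),
        "alert": fraction >= MIN_FRACTION_CHANGED or bool(notes),
    }


def _random_bytes(rng: random.Random, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for encrypted or image data."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def _build_samples() -> tuple[dict[str, bytes], dict[str, bytes]]:
    """Constructed stand-in for two snapshots of the same volume, before and after an attack."""
    rng = random.Random(7)

    def sql(rows: int) -> bytes:
        return ("INSERT INTO orders VALUES (1, 'widget', 9.99);\n" * rows).encode()

    baseline = {
        "/data/db/orders.sql": sql(40),
        "/data/db/customers.sql": sql(25),
        "/data/app/config.yaml": b"replicas: 3\nimage: app:1.4\n",
        "/data/app/logo.png": _random_bytes(rng, 2048),   # already high-entropy; must not alert
    }
    current = dict(baseline)
    current["/data/db/orders.sql"] = _random_bytes(rng, 2048)      # encrypted in place
    current["/data/db/customers.sql"] = _random_bytes(rng, 2048)
    del current["/data/app/config.yaml"]                           # deleted
    current["/data/README_TO_DECRYPT.txt"] = b"Your files are encrypted.\n"
    return baseline, current


def demo() -> dict:
    return scan_snapshot_pair(*_build_samples())


if __name__ == "__main__":
    print(demo())
```

Because the check runs against stored copies rather than inside the workload, it keeps working when an intruder has disabled or bypassed the node agents; the trade-off is latency, since the damage is seen only at the next snapshot or listing interval.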

By prioritizing continuous monitoring and the resilience of the data itself, organizations can better protect their EKS clusters from evolving ransomware threats, ensuring operational continuity and safeguarding their data.