Kubernetes and Cloud SQL Vulnerabilities Exposed in Sophisticated Cryptocurrency Heists


Cyberattack on Cryptocurrency Organization Exposes Cloud Infrastructure Vulnerabilities

A sophisticated cyberattack on a cryptocurrency organization has exposed weaknesses in cloud infrastructure and underscored the importance of robust security measures.

Attack Overview

The attack, attributed to a suspected North Korean threat group, began with a social engineering tactic that tricked a developer into installing a malicious file on their personal device.

Once the attackers gained access to the developer’s machine, they executed embedded malicious Python code that installed a binary disguised as the Kubernetes command-line tool.

This allowed them to establish a foothold in the system and connect to an attacker-controlled domain, enabling remote access and reconnaissance of the company’s cloud infrastructure.

Attack Chain

The attackers then pivoted to the organization’s Google Cloud environment, using authenticated sessions and available credentials to gather information about the company’s cloud services and internal projects.

They modified the multi-factor authentication policy of a bastion host, a secure server used to manage access to protected systems, to gain further access to the environment.

With this access, the attackers manipulated the organization’s DevOps infrastructure, altering Kubernetes deployment configurations to ensure persistence within the system.

They also targeted the continuous integration and continuous deployment (CI/CD) platform, injecting commands that wrote service account tokens into system logs, which gave them access to a high-privileged CI/CD service account.
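The token leak described above is detectable on the defender's side: CI output can be scanned before it is stored or forwarded, with any credential-shaped string raised as an alert and redacted from the retained log. The following is an added example for this article, not code from the article or from any CI vendor; the log lines and token values are constructed, and the two token shapes it matches (Kubernetes service account tokens, which are JWTs, and Google OAuth2 access tokens) are heuristics that should be extended for a given environment.

```python
"""Scan CI/CD job output for credentials that should never reach a log.

Added example for this article; not code from the article or any CI vendor.
The log lines and token values below are constructed and not real credentials."""
import re

# Two token shapes common in Kubernetes / Google Cloud pipelines. Both patterns
# are heuristics: Kubernetes service account tokens are JWTs (three base64url
# segments, header starting 'eyJ'); Google OAuth2 access tokens start 'ya29.'.
TOKEN_PATTERNS = {
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "google_access_token": re.compile(r"\bya29\.[A-Za-z0-9_-]{20,}"),
}


def scan_log(lines):
    """Return (findings, redacted_lines).

    findings: list of (line_number, token_kind, first 8 chars) for alerting;
    redacted_lines: the log with each token replaced, safe to store or forward."""
    findings = []
    redacted = []
    for lineno, line in enumerate(lines, 1):
        clean = line
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                # Keep only a short prefix in the alert so the finding itself
                # does not become another copy of the secret.
                findings.append((lineno, kind, token[:8]))
                clean = clean.replace(token, f"[REDACTED:{kind}]")
        redacted.append(clean)
    return findings, redacted


# Constructed CI output: an injected 'env' step dumps the job's variables,
# which is the kind of command injection the incident describes.
SAMPLE_LOG = [
    "[build] step 3/5: run tests",
    "+ env",
    "HOME=/root",
    "KUBE_TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiYyJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50In0.c2lnbmF0dXJlLWJ5dGVzLWhlcmUtbm90LXJlYWw",
    "GCLOUD_ACCESS_TOKEN=ya29.a0ConstructedExampleTokenValue_not-real-0000",
    "[build] step 4/5: deploy",
]

if __name__ == "__main__":
    found, safe_lines = scan_log(SAMPLE_LOG)
    for lineno, kind, prefix in found:
        print(f"line {lineno}: {kind} token leaked (starts {prefix}...)")
    print("\n".join(safe_lines))
```

Running the scanner at log-ingest time flags lines 4 and 5 of the constructed log and stores only the redacted text. An alert on any match in a pipeline that does not normally print environment variables is a useful signal that a build step has been tampered with; the redaction alone does not revoke the token, so the matching service account credential should also be rotated.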

Privilege Escalation and Data Exfiltration

The attackers used the stolen service account credentials to authenticate to a sensitive infrastructure pod operating in privileged mode, breaking out of container restrictions and deploying another backdoor to maintain persistent access.

They then extracted database credentials stored insecurely within environment variables inside a Kubernetes pod and used them to connect to the production database through the Cloud SQL Auth Proxy.
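Both weaknesses used in these two steps, a container running in privileged mode and database credentials sitting in a pod's environment variables, are visible in the pod manifest and can be caught by an admission check or a repository scan. The following is an added example for this article, not code from the article, the affected organization, or any vendor tool; the two manifests are constructed, and the list of credential-like variable names is a heuristic to be adapted to local naming conventions.

```python
"""Audit a Kubernetes pod manifest for two weaknesses from the incident above:
containers running in privileged mode, and credentials passed as plaintext
environment variables rather than sourced from a Secret.

Added example for this article; it is not code from the article, the affected
organization, or any vendor tool. The two manifests below are constructed."""
import re
from typing import Any

# Variable names that usually carry credentials. A heuristic, not a standard;
# extend it to match your own naming conventions.
SENSITIVE_NAME = re.compile(
    r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY|DSN|CONNECTION_STRING",
    re.IGNORECASE,
)


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return human-readable findings for one parsed pod manifest (dict from YAML/JSON)."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(
                f"{name}: privileged container (near-host access; enables breakout)"
            )
        for env in c.get("env", []):
            var = env.get("name", "")
            # A literal 'value' means the credential sits in the manifest (and in
            # git and 'kubectl get pod -o yaml'); 'valueFrom' points at a Secret.
            if SENSITIVE_NAME.search(var) and "value" in env:
                findings.append(
                    f"{name}: {var} is a plaintext credential; use valueFrom.secretKeyRef"
                )
    return findings


# Constructed 'before' manifest mirroring the weak patterns described above.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "containers": [
            {
                "name": "api",
                "image": "example/api:1.0",  # placeholder image name
                "securityContext": {"privileged": True},
                "env": [
                    {"name": "DB_PASSWORD", "value": "hunter2"},  # constructed value
                    {"name": "LOG_LEVEL", "value": "info"},
                ],
            }
        ]
    },
}

# Hardened form: not privileged, credential sourced from a Secret object.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "containers": [
            {
                "name": "api",
                "image": "example/api:1.0",
                "securityContext": {
                    "privileged": False,
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                },
                "env": [
                    {
                        "name": "DB_PASSWORD",
                        "valueFrom": {
                            "secretKeyRef": {"name": "db-creds", "key": "password"}
                        },
                    },
                    {"name": "LOG_LEVEL", "value": "info"},
                ],
            }
        ]
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or ["no findings"])
```

Sourcing the value from a Secret keeps it out of the manifest and the repository, but a process inside the pod (or anyone who can exec into it) can still read it from the environment, which is exactly the position the attackers were in. The stronger fix for the database step is to remove the long-lived password altogether where the platform allows it; the Cloud SQL Auth Proxy, for example, supports IAM database authentication with short-lived tokens tied to a workload identity.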

Once inside the database, the attackers executed SQL commands that altered user account settings, including password resets and updates to multi-factor authentication seed values associated with several high-value accounts.

With control over these accounts, the attackers withdrew digital assets worth several million dollars.

“The attack, attributed to the UNC4899 threat group, highlights the risks posed by peer-to-peer data transfer between personal and corporate devices, privileged container environments, and the insecure storage of secrets in cloud deployments.”

Conclusion

The attack chain, described as a “living-off-the-cloud” operation, blended social engineering with cloud-specific exploitation techniques, relying on legitimate tools and infrastructure features to maintain persistence and evade detection.

The incident serves as a reminder of the importance of vigilance and proactive security measures in protecting against sophisticated cyber threats.
