Kubernetes Exposed: Exploiting the Kubelet API
ID: e32a7501-ca6d-5cf9-9ed6-c80198694e3b
STIX ID: report--e32a7501-ca6d-5cf9-9ed6-c80198694e3b
Feed Name: Aqua Security Blog
This report describes active attacks against misconfigured Kubernetes Kubelet APIs observed by a honeypot: attackers perform environment discovery and internal scanning, harvest ServiceAccount tokens and configuration files, and deploy a cryptominer (notably via an 'F' gang script and TeamTNT campaigns). The authors measured exposed Kubelet instances via Shodan, found real exploitation cases (including token exfiltration and pod-level command execution), provide an MD5 for the cryptominer, and recommend access restriction, authentication/authorization, monitoring, patching, least-privilege, and automated posture management.
