Securelist Report Maps Top Attack Vectors Targeting Docker and Kubernetes Environments
A new Securelist report breaks down the primary attack vectors targeting Docker and Kubernetes environments, highlighting real-world exploitation by APT groups like TeamPCP and detailing supply-chain compromises, container escape attempts, and orchestration API abuse.
Modern infrastructures universally rely on containerization to deploy applications, scale services, and build cloud platforms. The use of Docker, Kubernetes, and similar technologies has become the corporate standard for efficient automation. However, as containers grow in popularity, so does the interest of malicious actors — a trend actively tracked in research into advanced cyberthreats. In one recent attack, the APT group TeamPCP compromised Checkmarx KICS across multiple attack chains, including poisoning a Docker Hub repository to later steal Kubernetes secrets and other sensitive data. The tainted images distributed a stealer that was loaded during the KICS scanning process.
Today, attacks on container environments have evolved into full-fledged, multi-stage scenarios involving supply chain compromises, Kubernetes secrets theft, orchestration API abuse, and container escape attempts. The Securelist report examines the primary container attack vectors that retain top relevance today. A container is an isolated code execution environment, designed to partition resources so applications can run correctly and independently. Unlike a virtual machine, a container uses the single underlying kernel of the host operating system, relying on Linux kernel features such as namespaces, cgroups, capabilities, and seccomp for isolation. Compromising a container can help attackers achieve their objectives on the host system itself.
The primary and most critical attack vectors targeting container environments that are actively exploited by malicious actors include: exploiting vulnerabilities in the host system and container runtime components, malicious activity inside a compromised container, container escape followed by host compromise, exploiting misconfigurations and the insecure use of containerization and orchestration APIs, and supply chain attacks including container image poisoning and CI/CD pipeline compromise. Each of these vectors can be utilized either independently or as part of a complex, multi-stage attack chain. In practice, attackers rarely stop at compromising a single container; their primary objective is often to gain access to the Kubernetes cluster, secrets management systems, or other mission-critical environment components.
Because a container does not have its own isolated OS, vulnerabilities affecting the Linux kernel or runtime components remain just as critical when exploited from within a container. Any vulnerability that allows for privilege escalation, arbitrary code execution, or isolation bypassing can potentially be leveraged by an attacker once the container is compromised. Successful exploitation of these flaws can lead to a container escape, compromise of the Kubernetes node or the entire cluster, lateral movement across the infrastructure, secrets theft, and malicious actions potentially culminating in a complete service disruption. The report highlights several illustrative vulnerabilities: CVE-2019-5736, a prominent runC flaw that allowed an attacker with root access inside a container to execute arbitrary code on the host system; CVE-2022-0492, a Linux kernel vulnerability enabling container escape via the cgroups release_agent mechanism; and CVE-2024-21626, a critical runC vulnerability that allowed access to the host file system from within a container.
Sometimes, an attacker does not need to exploit complex attack chains involving container escapes, Kubernetes cluster compromise, or lateral movement to achieve their goals. In many cases, the container itself already houses data and resources that are highly valuable to the attacker, such as user and service credentials, API keys, access tokens, SSH keys, environment variables containing secrets, Kubernetes ServiceAccount tokens, and configuration files. This makes securing container infrastructure a comprehensive challenge that spans configuration auditing, runtime protection, activity monitoring, and software supply chain security.
The report underscores that attackers pursue multi-stage campaigns to compromise clusters and steal data, and that securing container environments requires a holistic approach. As containerization continues to dominate enterprise infrastructure, understanding and mitigating these attack vectors is critical for defenders. The findings serve as a reminder that container security must be integrated into every phase of the development and deployment lifecycle, from image scanning and runtime monitoring to cluster configuration and secrets management.