UNC4899 hackers exposed CI/CD tokens
UNC4899 hackers delivered a trojanized archive via AirDrop, pivoted into Google Cloud, exposed CI/CD service account tokens in logs, and stole millions in cryptocurrency, highlighting the software supply chain risks described in the report.
UNC4899, a North Korean hacking group, tricked a developer into downloading a malicious archive disguised as an open-source project collaboration. The developer then used AirDrop to transfer the file to their corporate workstation. The malicious archive contained Python code that deployed a binary posing as a Kubernetes command-line tool. This binary acted as a backdoor, granting the attackers access to the developer's machine and a foothold in the corporate network.

Once inside the Google Cloud environment, UNC4899 explored Kubernetes clusters and established persistence. They obtained a token for a high-privileged CI/CD service account, which allowed them to move laterally, compromise user accounts, and steal millions in cryptocurrency. They also modified Kubernetes resources tied to the CI/CD platform so that service account tokens were written into logs.

The stolen CI/CD token enabled UNC4899 to escalate privileges and target a pod that managed network policies. They then broke out of the container, planted a backdoor for persistent access, and extracted database credentials that had been stored insecurely. These credentials were used to modify user accounts and ultimately steal cryptocurrency.
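The pivot described above turned on Kubernetes service account tokens landing in logs, where anyone with log read access could harvest them. A defender's first control is to notice when that happens. The following is an added example, not code from the report or from any of the organizations it describes: it scans constructed log lines for JWT-shaped strings, decodes the payload (detection only, no signature verification) to recover the namespace and service account name from the standard Kubernetes claim names (the flat `kubernetes.io/serviceaccount/...` claims of legacy secret-based tokens and the nested `kubernetes.io` object of bound tokens), and emits a hashed fingerprint plus a redacted copy of the line so an alert can be raised without copying the credential into yet another log. The sample tokens and log lines are constructed here with a fake signature and are not real credentials.

```python
import base64
import hashlib
import json
import re

# A JWT is three base64url segments separated by dots; the header segment
# always encodes '{"' and therefore starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped token with a fake signature (constructed test data only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = _b64url_encode(b"fake-sig-" + hashlib.sha256(payload.encode()).digest())
    return f"{header}.{payload}.{signature}"


def service_account_identity(token: str):
    """Return (namespace, name) if the payload carries Kubernetes SA claims, else None.

    The signature is deliberately not checked: the goal is to spot a leaked
    credential in a log stream, not to accept it.
    """
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None
    if not isinstance(payload, dict):
        return None
    # Legacy secret-based SA tokens carry flat claims.
    name = payload.get("kubernetes.io/serviceaccount/service-account.name")
    namespace = payload.get("kubernetes.io/serviceaccount/namespace")
    if name is None:
        # Bound (projected) SA tokens nest them under "kubernetes.io".
        k8s = payload.get("kubernetes.io") or {}
        name = (k8s.get("serviceaccount") or {}).get("name")
        namespace = k8s.get("namespace")
    if name is None:
        return None
    return namespace, name


def scan_log_lines(lines):
    """Find SA tokens in log lines; return findings with a fingerprint and a redacted line."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in JWT_RE.finditer(line):
            identity = service_account_identity(match.group(0))
            if identity is None:
                continue  # JWT-shaped but not a Kubernetes SA token
            namespace, name = identity
            # Hash prefix lets analysts correlate sightings without storing the token.
            fingerprint = hashlib.sha256(match.group(0).encode()).hexdigest()[:16]
            findings.append({
                "line_no": line_no,
                "namespace": namespace,
                "service_account": name,
                "fingerprint": fingerprint,
                "redacted_line": line.replace(match.group(0), "[REDACTED-SA-TOKEN]"),
            })
    return findings


# Constructed sample data: a legacy-style token for a CI/CD deployer account and a
# bound-style token for a network-policy manager, embedded in invented log lines.
LEGACY_TOKEN = make_sample_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "ci-cd",
    "kubernetes.io/serviceaccount/service-account.name": "ci-deployer",
    "sub": "system:serviceaccount:ci-cd:ci-deployer",
})
BOUND_TOKEN = make_sample_token({
    "iss": "https://kubernetes.default.svc",
    "kubernetes.io": {"namespace": "netpol", "serviceaccount": {"name": "policy-manager"}},
    "sub": "system:serviceaccount:netpol:policy-manager",
})
SAMPLE_LOG_LINES = [
    "2025-01-01T10:00:00Z kubelet: started pod ci-runner-0",
    "2025-01-01T10:00:05Z ci-api: DEBUG env dump KUBE_TOKEN=" + LEGACY_TOKEN,
    "2025-01-01T10:00:09Z gateway: Authorization: Bearer " + BOUND_TOKEN,
    "2025-01-01T10:00:12Z ingest: payload eyJub3RhdG9rZW4.c2VnbWVudA.c2ln",
]

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line_no']}: {finding['namespace']}/{finding['service_account']} "
              f"fp={finding['fingerprint']}")
        print("  " + finding["redacted_line"])
```

Run this over a log export or wire `scan_log_lines` into a log pipeline filter; any hit on a service account with broad RBAC bindings is a rotation-and-investigation event, since a token that has been in a log must be treated as compromised regardless of who read the log. Pairing this with `automountServiceAccountToken: false` on pods that do not need API access shrinks the set of tokens that can leak in the first place.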