Cryptojacking Exploits Misconfigured Kubernetes Clusters
Cybersecurity researchers have identified an ongoing cryptojacking campaign targeting misconfigured Kubernetes clusters to mine Dero cryptocurrency.
Cloud security firm Wiz has uncovered this activity, describing it as an updated variant of a financially motivated operation first reported by CrowdStrike in March 2023.
“In this incident, the threat actor exploited anonymous access to an Internet-facing cluster to deploy malicious container images hosted on Docker Hub, some of which have over 10,000 pulls,” explained Wiz researchers Avigayil Mechtinger, Shay Berkovich, and Gili Tikochinski. “These Docker images include a UPX-packed DERO miner named ‘pause.’”
Initial access comes from externally reachable Kubernetes API servers on which anonymous authentication is enabled; the attacker uses that unauthenticated access to deploy the miner payloads.
Unlike the 2023 version, which used a Kubernetes DaemonSet named “proxy-api,” the latest version employs seemingly benign DaemonSets called “k8s-device-plugin” and “pytorch-container” to run the miner on all cluster nodes.
The threat actor abused anonymous access (https://t.co/ZjYamyWrLd) to an Internet-facing cluster to create workloads based on malicious container images hosted at Docker Hub. Image name is likely intended to mimic the legitimate “pause” container commonly found in K8s clusters -> pic.twitter.com/M0RBkEP3TT
— Avigayil Mechtinger (@AbbyMCH) June 8, 2024
The name “pause” is used to disguise the container as the legitimate “pause” container employed to bootstrap a pod and enforce network isolation.
The cryptocurrency miner is an open-source binary written in Go, modified to hard-code the wallet address and custom Dero mining pool URLs. It is also obfuscated with the open-source UPX packer to resist analysis.
Embedding the mining configuration within the code allows the miner to operate without command-line arguments, which are typically monitored by security mechanisms.
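A defender-side check for the traits described above, written for this article and not taken from Wiz's or the project's own tooling: it audits DaemonSets in the shape of `kubectl get daemonsets -A -o json`, flagging the DaemonSet names reported for the 2023 and 2024 variants and any container named "pause" whose image does not come from the usual pause repositories (the allowlist and the sample cluster data are assumptions constructed for the example).

```python
import json

# Constructed sample in the shape of `kubectl get daemonsets -A -o json`; not real cluster output.
SAMPLE_DAEMONSETS = json.loads("""
{"items": [
  {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.29.0"}]}}}},
  {"metadata": {"name": "pytorch-container", "namespace": "default"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "pause", "image": "docker.io/example-placeholder/pause:latest"}]}}}},
  {"metadata": {"name": "k8s-device-plugin", "namespace": "kube-system"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "pause", "image": "registry.k8s.io/pause:3.9"}]}}}}
]}
""")

# DaemonSet names reported for the 2023 ("proxy-api") and 2024 variants of the campaign.
REPORTED_DAEMONSET_NAMES = {"proxy-api", "k8s-device-plugin", "pytorch-container"}
# Assumed allowlist: registries the genuine "pause" container is normally pulled from.
PAUSE_IMAGE_PREFIXES = ("registry.k8s.io/pause", "k8s.gcr.io/pause")


def audit_daemonsets(ds_list):
    """Return (namespace, name, reason) findings for DaemonSets matching the reported traits."""
    findings = []
    for item in ds_list.get("items", []):
        meta = item["metadata"]
        ns, name = meta.get("namespace", "default"), meta["name"]
        if name in REPORTED_DAEMONSET_NAMES:
            findings.append((ns, name, "name matches a DaemonSet reported in the Dero campaign"))
        pod_spec = item["spec"]["template"]["spec"]
        for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
            image = c.get("image", "")
            # A container called "pause" should come from a known pause repository;
            # anything else is mimicking the legitimate pause container, as this campaign does.
            if c.get("name") == "pause" and not image.startswith(PAUSE_IMAGE_PREFIXES):
                findings.append((ns, name, f"container 'pause' uses unexpected image {image}"))
    return findings


if __name__ == "__main__":
    for ns, name, reason in audit_daemonsets(SAMPLE_DAEMONSETS):
        print(f"{ns}/{name}: {reason}")
```

Closing the initial-access path itself means running kube-apiserver with `--anonymous-auth=false` and confirming no RBAC binding grants rights to `system:anonymous` or `system:unauthenticated`.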
Wiz also discovered additional tools developed by the threat actor, including a Windows sample of a UPX-packed Dero miner and a dropper shell script designed to terminate competing miner processes on an infected host and deploy GMiner from GitHub.
“The attacker registered domains with innocent-looking names to avoid suspicion and blend in with legitimate web traffic while masking communication with well-known mining pools,” the researchers noted.
“These combined tactics highlight the attacker’s continuous efforts to adapt their methods and stay ahead of defenders.”
Abdul Rehman