
Kubernetes RBAC Exploited In Large-Scale Campaign For Cryptocurrency Mining


Kubernetes (K8s) Role-Based Access Control (RBAC) is being abused in a large-scale, in-the-wild campaign to deploy cryptocurrency miners and create backdoors.

“The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack,” cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack RBAC Buster, said it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign.


The attacker gained initial access through a vulnerable API server, then examined the compromised server for signs of rival miner software, and finally used RBAC to establish persistence. RBAC persistence matters because a ServiceAccount token bound to a ClusterRole keeps working even after the original entry point is closed.


“The attacker created a new ClusterRole with near admin-level privileges,” the company said. “Next, the attacker created a ‘ServiceAccount’, ‘kube-controller’ in the ‘kube-system’ namespace. Lastly, the attacker created a ‘ClusterRoleBinding’, binding the ClusterRole with the ServiceAccount to create a strong and inconspicuous persistence.”


The final step of the attack entailed the threat actor creating a DaemonSet to deploy a container image hosted on Docker Hub (“kuberntesio/kube-controller:1.0.1”) on all nodes. The image, which has been pulled 14,399 times since it was uploaded five months ago, harbors a cryptocurrency miner.
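The two persistence steps above (a near-admin ClusterRole bound to a ServiceAccount in kube-system, then a DaemonSet pulling a typosquatted image) are what a defender should be able to spot in a cluster dump. The script below is an added example written for this page, not code from Aqua or from the article: it audits the JSON that `kubectl get clusterroles,clusterrolebindings,daemonsets --all-namespaces -o json` prints. The ClusterRole name `kube-controller`, the `TRUSTED_REGISTRIES` allowlist and the objects in `SAMPLE` are assumptions constructed for the example; only the image name `kuberntesio/kube-controller:1.0.1` and the legitimate `kubernetesio` account come from the article.

```python
"""Audit a kubectl List dump for the RBAC Buster persistence pattern:
a near-admin ClusterRole bound cluster-wide to a ServiceAccount, and a
DaemonSet pulling from an untrusted registry or a look-alike publisher.
SAMPLE is constructed for this example; the ClusterRole name 'kube-controller'
and the TRUSTED_* allowlists are assumptions, not facts from the article."""
import json
import sys

TRUSTED_REGISTRIES = {"registry.k8s.io"}  # assumption: registries this cluster may pull from
TRUSTED_PUBLISHERS = {"kubernetesio"}     # Docker Hub account the article names as legitimate

def group_items(doc):
    """Bucket a kubectl List by lower-cased kind, e.g. {'daemonset': [...], ...}."""
    groups = {}
    for item in doc.get("items", []):
        groups.setdefault(item["kind"].lower(), []).append(item)
    return groups

def rule_is_near_admin(rule):
    """'*' verbs on '*' resources is cluster-admin in all but name."""
    return "*" in rule.get("verbs", []) and "*" in rule.get("resources", [])

def near_admin_clusterroles(clusterroles):
    return {cr["metadata"]["name"] for cr in clusterroles
            if any(rule_is_near_admin(r) for r in cr.get("rules") or [])}

def audit_bindings(clusterroles, bindings):
    """ServiceAccounts bound cluster-wide to a near-admin ClusterRole. The built-in
    cluster-admin binding targets the Group system:masters, so it is not reported."""
    risky = near_admin_clusterroles(clusterroles)
    findings = []
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in risky:
            continue
        for s in b.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                subject = f"{s.get('namespace', 'default')}/{s['name']}"
                findings.append((b["metadata"]["name"], ref["name"], subject))
    return findings

def split_image(image):
    """Return (registry, repository) without tag or digest. The first path component
    is a registry only if it looks like a host; otherwise the image is on Docker Hub."""
    name = image.rsplit("@", 1)[0]
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repo = parts[0], "/".join(parts[1:])
    else:
        registry, repo = "docker.io", name
    return registry, repo.rsplit(":", 1)[0]

def edit_distance(a, b):
    """Levenshtein distance; one dropped letter separates 'kuberntesio' from 'kubernetesio'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_daemonsets(daemonsets):
    """A DaemonSet runs on every node, so an untrusted or look-alike image here is cluster-wide."""
    findings = []
    for ds in daemonsets:
        meta = ds["metadata"]
        for c in ds["spec"]["template"]["spec"]["containers"]:
            registry, repo = split_image(c["image"])
            publisher = repo.split("/")[0] if "/" in repo else "library"
            reasons = []
            if registry not in TRUSTED_REGISTRIES:
                reasons.append(f"untrusted registry {registry}")
            for legit in TRUSTED_PUBLISHERS:
                if publisher != legit and edit_distance(publisher, legit) <= 2:
                    reasons.append(f"publisher {publisher!r} looks like {legit!r}")
            if reasons:
                findings.append((f"{meta['namespace']}/{meta['name']}", c["image"], reasons))
    return findings

def audit(doc):
    g = group_items(doc)
    return {"rbac": audit_bindings(g.get("clusterrole", []), g.get("clusterrolebinding", [])),
            "daemonsets": audit_daemonsets(g.get("daemonset", []))}

SAMPLE = {"kind": "List", "items": [  # constructed sample cluster state
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "kube-controller"},  # attacker's role, name assumed
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kube-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "kube-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller", "namespace": "kube-system"}]},
    {"kind": "DaemonSet", "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.27.1"}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "kube-controller", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-controller", "image": "kuberntesio/kube-controller:1.0.1"}]}}}},
]}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(audit(doc), indent=2))
```

Run it with no argument to audit the constructed sample, or pass the path of a real `kubectl ... -o json` dump. Against the sample it reports exactly one binding (`kube-system/kube-controller` bound to the wildcard ClusterRole) and one DaemonSet (untrusted registry plus a publisher one edit away from `kubernetesio`), while the built-in `cluster-admin` binding to `system:masters` and the `kube-proxy` DaemonSet pass clean. The registry allowlist is the stronger control; the edit-distance check only catches near-miss names and should be tuned per environment.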


“The container image named ‘kuberntesio/kube-controller’ is a case of typosquatting that impersonates the legitimate ‘kubernetesio’ account,” Aqua said. “The image also mimics the popular ‘kube-controller-manager’ container image, which is a critical component of the control plane, running within a Pod on every master node, responsible for detecting and responding to node failures.”


Interestingly, some of the tactics described in the campaign bear similarities to another illicit cryptocurrency mining operation that also took advantage of DaemonSets to mine Dero and Monero. It is currently not clear whether the two sets of attacks are related.
