Kubernetes RBAC Exploited In Large-Scale Campaign For Cryptocurrency Mining
Kubernetes (K8s) Role-Based Access Control (RBAC) has been abused in a large-scale attack campaign in the wild to install cryptocurrency miners and create backdoors.
“The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack,” cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack RBAC Buster, said it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign.
The attacker gained initial access through a misconfigured API server, then checked the compromised server for signs of competing miner software, and finally abused RBAC to establish persistence.
“The attacker created a new ClusterRole with near admin-level privileges,” the company said. “Next, the attacker created a ‘ServiceAccount’, ‘kube-controller’ in the ‘kube-system’ namespace. Lastly, the attacker created a ‘ClusterRoleBinding’, binding the ClusterRole with the ServiceAccount to create a strong and inconspicuous persistence.”
The final step of the attack involved the threat actor creating a DaemonSet to deploy a container image hosted on Docker Hub (“kuberntesio/kube-controller:1.0.1”) on every node of the cluster. The container, which has been pulled 14,399 times since it was uploaded five months ago, harbors a cryptocurrency miner.
“The container image named ‘kuberntesio/kube-controller’ is a case of typosquatting that impersonates the legitimate ‘kubernetesio’ account,” Aqua said. “The image also mimics the popular ‘kube-controller-manager’ container image, which is a critical component of the control plane, running within a Pod on every master node, responsible for detecting and responding to node failures.”
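The persistence chain quoted above (an admin-like ClusterRole bound to a ServiceAccount in kube-system) and the typosquatted DaemonSet image are both things a defender can check for directly in the objects a cluster returns. The following audit script is an added example written for this article; it is not Aqua's tooling nor part of any Kubernetes project. It runs over constructed sample objects that mirror the campaign description (the objects would in practice come from the `.items` of `kubectl get <kind> -o json`), flags ClusterRoleBindings that hand wildcard privileges to a ServiceAccount, and flags DaemonSet images whose account name is within a couple of edits of a trusted account. The trusted-account list holds only the `kubernetesio` account named in the report; extend it for your own registries.

```python
"""Audit Kubernetes objects for the RBAC-persistence pattern described in the
article: an admin-like ClusterRole bound to a ServiceAccount, plus DaemonSets
pulling images from look-alike (typosquatted) accounts.
Every object below is constructed for this example; it is not real cluster data."""

# Constructed sample objects modelled on the campaign description.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "kube-controller"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ServiceAccount",
     "metadata": {"name": "kube-controller", "namespace": "kube-system"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kube-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "kube-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller",
                   "namespace": "kube-system"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "auditors"}]},
    {"kind": "DaemonSet", "metadata": {"name": "kube-controller", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-controller", "image": "kuberntesio/kube-controller:1.0.1"}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "node-exporter", "namespace": "monitoring"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "exporter", "image": "prom/node-exporter:v1.5.0"}]}}}},
]

# Only the account the report names as impersonated; add your own trusted accounts here.
TRUSTED_ACCOUNTS = ("kubernetesio",)


def is_admin_like(role):
    """True if any rule grants every verb on every resource, or every verb on
    RBAC objects themselves (which lets the holder re-grant itself anything)."""
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            return True
        if "*" in verbs and {"clusterroles", "clusterrolebindings"} & resources:
            return True
    return False


def find_privileged_bindings(objects):
    """Return (binding, role, [namespace/serviceaccount, ...]) for each
    ClusterRoleBinding that hands an admin-like ClusterRole to a ServiceAccount."""
    admin_roles = {o["metadata"]["name"] for o in objects
                   if o["kind"] == "ClusterRole" and is_admin_like(o)}
    findings = []
    for o in objects:
        if o["kind"] != "ClusterRoleBinding" or o["roleRef"]["name"] not in admin_roles:
            continue
        sas = [f"{s.get('namespace', '')}/{s['name']}"
               for s in o.get("subjects", []) if s["kind"] == "ServiceAccount"]
        if sas:
            findings.append((o["metadata"]["name"], o["roleRef"]["name"], sas))
    return findings


def edit_distance(a, b):
    """Levenshtein distance; a small non-zero distance to a trusted name is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_account(image):
    """Account part of a Docker Hub style reference: 'acct/repo:tag' -> 'acct'.
    Single-component images such as 'nginx:1.25' belong to the 'library' account."""
    return image.split("/", 1)[0] if "/" in image else "library"


def suspicious_images(objects, trusted=TRUSTED_ACCOUNTS, max_distance=2):
    """Return (daemonset, image, trusted_account, distance) for DaemonSet container
    images whose account is a near-miss (1..max_distance edits) of a trusted account."""
    findings = []
    for o in objects:
        if o["kind"] != "DaemonSet":
            continue
        for c in o["spec"]["template"]["spec"]["containers"]:
            acct = image_account(c["image"])
            for t in trusted:
                d = edit_distance(acct, t)
                if 0 < d <= max_distance:
                    findings.append((o["metadata"]["name"], c["image"], t, d))
    return findings


if __name__ == "__main__":
    for f in find_privileged_bindings(SAMPLE_OBJECTS):
        print("privileged binding:", f)
    for f in suspicious_images(SAMPLE_OBJECTS):
        print("look-alike image:", f)
```

On the sample data the script reports the `kube-controller` binding (wildcard ClusterRole granted to `kube-system/kube-controller`) and the `kuberntesio/kube-controller:1.0.1` image as one edit away from `kubernetesio`, while the read-only `view` binding and the `prom/node-exporter` DaemonSet pass. An exact match to a trusted account is deliberately not flagged, so the check only ever surfaces near-misses.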
Interestingly, some of the tactics described in the campaign resemble those of another illicit cryptocurrency mining operation that also used DaemonSets to mine Dero and Monero. It is currently not clear whether the two sets of attacks are related.