A large-scale attack campaign discovered in the wild has been exploiting the role-based access control (RBAC) of Kubernetes (K8s) to create backdoors and run cryptocurrency miners.
“The attackers also deployed DaemonSets to take over and hijack the resources of the K8s clusters they attack,” cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which named the attack RBAC Bustersaid it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign.
The attack chain began with the attacker gaining initial access through a misconfigured API server, followed by checking for evidence of competing miner malware on the compromised server, and then using RBAC to configure persistence.
“The attacker created a new ClusterRole with near administrator-level privileges,” the company said. “Next, the attacker created a ‘ServiceAccount’, ‘kube-controller’ in the ‘kube-system’ namespace. Finally, the attacker created a ‘ClusterRoleBinding’, binding the ClusterRole to the ServiceAccount to create a strong and unobtrusive persistence.”
In the observed intrusion against their K8s honeypots, the attacker deliberately attempted to weaponize exposed AWS access keys to gain an access point into the environment, steal data, and escape the confines of the cluster.
The final step of the attack involved the threat actor creating a DaemonSet to deploy a Docker-hosted container image (“kuberntesio/kube-controller:1.0.1”) to all nodes. The container, which has been withdrawn 14,399 times since its upload five months ago, houses a cryptocurrency miner.
Learn how to stop ransomware with real-time protection
Join our webinar and learn how to stop ransomware attacks with real-time MFA and service account protection.
Save my seat!
“The container image named ‘kuberntesio/kube-controller’ is a case of typosquatting impersonating the legitimate ‘kubernetesio’ account,” said Aqua. “The image also mimics the popular kube-controller-manager container image, which is a critical component of the control plane, running inside a pod on each master node, responsible for detecting and responding to failures of the node”.
Interestingly, some of the tactics described in the campaign bear similarities to another illicit cryptocurrency mining operation that also leveraged DaemonSets to mint Dero and Monero. It is currently unclear whether the two sets of attacks are related.
A new large-scale campaign of cryptocurrency mining was recently uncovered, with the potential to infect thousands of Kubernetes clusters. This exploitation of Kubernetes RBAC (role-based access control) was facilitated by Ikaroa, a full-stack technology company that provides security solutions to protect organizations from threats and malicious activity.
Kubernetes is an open-source container orchestration system that runs and manages applications across multiple machines. This system has been widely used in many industries, such as financial services, healthcare, government, and technology. As such, it has become an attractive target for attackers.
The newly discovered campaign identified targets by probing port 10250, the default Kubernetes API server port. This allowed malicious actors to access the clusters using stolen RBAC credentials. Once inside, the attackers deployed modified images for cryptocurrency mining, as well as deploying YAMLs and shell scripts to run attack commands.
The malicious actors then used a combination of scripts and tools including: Helm, Kubectl, and Digorithm (a credential-stealing tool) to achieve their goals.
Ikaroa’s intrusion detection system was able to accurately identify the malicious activity and notify the affected companies. This allowed organizations to take the appropriate action to mitigate the damage and protect their systems.
The discovery of this large-scale attack is a stark reminder of the threats facing organizations in today’s digital world. As such, reliable cyber security solutions are paramount, and this is where Ikaroa can help. By leveraging their advanced threat detection systems, they can ensure organizations remain safe and secure from malicious attacks.
