Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining

Apr 21, 2023 | Ravie Lakshmanan | Kubernetes / Cryptocurrency

Kubernetes RBAC

A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners.

“The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack,” cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack RBAC Buster, said it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign.

The attack chain began with the attacker gaining initial access via a misconfigured API server, followed by checking for evidence of competing miner malware on the compromised server and then using RBAC to set up persistence.

“The attacker created a new ClusterRole with near admin-level privileges,” the company said. “Next, the attacker created a ‘ServiceAccount’, ‘kube-controller’ in the ‘kube-system’ namespace. Lastly, the attacker created a ‘ClusterRoleBinding’, binding the ClusterRole with the ServiceAccount to create a strong and inconspicuous persistence.”

In the intrusion observed against its K8s honeypots, the attacker attempted to weaponize the exposed AWS access keys to obtain an entrenched foothold in the environment, steal data, and escape the confines of the cluster.


The final step of the attack entailed the threat actor creating a DaemonSet to deploy a container image hosted on Docker Hub (“kuberntesio/kube-controller:1.0.1”) on all nodes. The container, which has been pulled 14,399 times since its upload five months ago, harbors a cryptocurrency miner.



“The container image named ‘kuberntesio/kube-controller’ is a case of typosquatting that impersonates the legitimate ‘kubernetesio’ account,” Aqua said. “The image also mimics the popular ‘kube-controller-manager’ container image, which is a critical component of the control plane, running inside a Pod on every master node, responsible for detecting and responding to node failures.”
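The two persistence artifacts the report describes, a ClusterRoleBinding that grants a near-admin ClusterRole to a ServiceAccount and a DaemonSet pulling a typosquatted image, are both visible in plain API objects, so a defender can hunt for them with a short audit over `kubectl get ... -A -o json` output. The script below is an added example written for this article, not Aqua's tooling or code from the report. The sample objects are constructed; the only page-supplied value is the image name `kuberntesio/kube-controller:1.0.1`, and the rogue ClusterRole name, the `view` role, and the trusted-owner allow list are assumptions.

```python
"""Audit Kubernetes RBAC and DaemonSet objects for the RBAC Buster pattern.

Inputs are the `.items` lists you would get from
  kubectl get clusterroles -o json
  kubectl get clusterrolebindings -o json
  kubectl get daemonsets -A -o json
All objects below are constructed samples (assumption), not real cluster data.
"""
from typing import Dict, List

# Assumption: registry accounts this cluster is allowed to pull control-plane
# images from. "kubernetesio" is the legitimate account the report names.
TRUSTED_IMAGE_OWNERS = ("kubernetesio",)


def is_near_admin(cluster_role: Dict) -> bool:
    """True if any rule grants every verb on every resource (cluster-admin equivalent)."""
    for rule in cluster_role.get("rules", []):
        if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
            return True
    return False


def find_sa_bindings_to_admin(cluster_roles: List[Dict], bindings: List[Dict]) -> List[str]:
    """Report ClusterRoleBindings that hand a near-admin ClusterRole to a ServiceAccount."""
    admin_roles = {cr["metadata"]["name"] for cr in cluster_roles if is_near_admin(cr)}
    findings = []
    for crb in bindings:
        role = crb["roleRef"]["name"]
        if crb["roleRef"].get("kind") != "ClusterRole" or role not in admin_roles:
            continue
        for subject in crb.get("subjects", []):
            if subject.get("kind") == "ServiceAccount":
                findings.append(
                    f"{crb['metadata']['name']}: {role} -> "
                    f"{subject.get('namespace', '?')}/{subject['name']}"
                )
    return findings


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single dropped letter (kuberntesio vs kubernetesio) is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_owner(image: str) -> str:
    """Return the account segment of an image reference: 'kuberntesio' for
    'kuberntesio/kube-controller:1.0.1' or 'docker.io/kuberntesio/kube-controller:1.0.1';
    'library' for a bare official image such as 'nginx:1.25'."""
    parts = image.split("@", 1)[0].split("/")
    parts[-1] = parts[-1].split(":", 1)[0]          # strip the tag
    if "." in parts[0] or ":" in parts[0] or parts[0] == "localhost":
        parts = parts[1:]                            # drop an explicit registry host
    return parts[0] if len(parts) > 1 else "library"


def find_typosquat_daemonsets(daemonsets: List[Dict], max_distance: int = 2) -> List[str]:
    """Flag DaemonSet containers whose image owner is a near-miss of a trusted account."""
    findings = []
    for ds in daemonsets:
        for c in ds["spec"]["template"]["spec"].get("containers", []):
            owner = image_owner(c["image"])
            for trusted in TRUSTED_IMAGE_OWNERS:
                if owner != trusted and edit_distance(owner, trusted) <= max_distance:
                    findings.append(
                        f"{ds['metadata']['namespace']}/{ds['metadata']['name']}: "
                        f"image {c['image']} (owner '{owner}' resembles '{trusted}')"
                    )
    return findings


def audit(cluster_roles: List[Dict], bindings: List[Dict], daemonsets: List[Dict]) -> List[str]:
    return find_sa_bindings_to_admin(cluster_roles, bindings) + find_typosquat_daemonsets(daemonsets)


# Constructed sample objects shaped like `kubectl ... -o json` items (assumption).
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "kube-controller"},        # assumed name for the rogue role
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "monitoring-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "monitoring"}]},
    {"metadata": {"name": "kube-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "kube-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller", "namespace": "kube-system"}]},
]
SAMPLE_DAEMONSETS = [
    {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [{"image": "registry.k8s.io/kube-proxy:v1.27.0"}]}}}},
    {"metadata": {"name": "kube-controller", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [{"image": "kuberntesio/kube-controller:1.0.1"}]}}}},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS, SAMPLE_DAEMONSETS):
        print(line)
```

The binding check keys on the privilege granted rather than on the names the attacker chose, so renaming the ServiceAccount does not evade it; the image check compares only the account segment of the reference, so images from `registry.k8s.io` and other hosts are not mistaken for near-misses of a Docker Hub account. Both checks are cheap enough to run on every RBAC or DaemonSet admission event as well as in a periodic sweep.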

Interestingly, some of the tactics described in the campaign bear similarities to another illicit cryptocurrency mining operation that also took advantage of DaemonSets to mint Dero and Monero. It is currently not clear whether the two sets of attacks are related.
