• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

 | 

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 

Qantas confirms customer data breach amid Scattered Spider attacks

 | 

CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

 | 

U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Digital ID
  • Hacking
  • Microsoft discovers cryptomining campaign targeting Kubeflow tool for Kubernetes clusters

Microsoft discovers cryptomining campaign targeting Kubeflow tool for Kubernetes clusters

Pierluigi Paganini June 11, 2020

Microsoft’s Azure Security Center (ASC) is warning of a hacking campaign that targets Kubeflow, a machine learning toolkit for Kubernetes.

Hackers are targeting Kubeflow servers with administration panel exposed online, Microsoft warns.

The tech giant has released a report today detailing a novel series of attacks against Kubeflow, a toolkit for deploying machine learning (ML) workflows on Kubernetes clusters.

The attacks have begun in April, threat actors aim at delivering a cryptocurrency miner on Kubernetes clusters running Kubeflow instances that were exposed to the internet.

“we’ll reveal a new campaign that was observed recently by ASC that targets Kubeflow, a machine learning toolkit for Kubernetes. We observed that this attack effected on tens of Kubernetes clusters.” reads the report published by Microsoft.

“Kubeflow is an open-source project, started as a project for running TensorFlow jobs on Kubernetes.”

Hackers are targeting Kubernetes clusters because nodes used from ML operations have huge computational capabilies making them ideal for fraudulent mining purposes.

But while the number of hijacked clusters is small in comparison to previous Kubernetes attacks, the profits for crooks and the financial losses to server owners are most likely much higher than other attacks seen before.

“Nodes that are used for ML tasks are often relatively powerful, and in some cases include GPUs. This fact makes Kubernetes clusters that are used for ML tasks a perfect target for crypto mining campaigns, which was the aim of this attack.” continues the report.

In April, experts from Microsoft’s Azure Security Center observed the deployment of a suspect image, ddsfdfsaadfs/dfsdf:99, from a public repository on many different clusters. The analysis of the image revealed the presence of an XMRIG miner.

Kubeflow framework consists of many different services, which could include frameworks for training models, Katib and Jupyter notebook server, and more.

“Kubeflow is a containerized service: the various tasks run as containers in the cluster. Therefore, if attackers somehow get access to Kubeflow, they have multiple ways to run their malicious image in the cluster.” reads the report.

By default, the Kubeflow management panel is not exposed on the Internet and is only accessible from inside the Kubernetes cluster, but clusters targeted by the hackers were set up to expose the admin panel online.

Threat actors behind this campaign initially scan the Internet for exposed admin panel, then abused them to deploy new server images to Kubeflow clusters that were running XMRig.

“The attacker used an exposed dashboard (Kubeflow dashboard in this case) for gaining initial access to the cluster. The execution and persistence in the cluster were performed by a container that was deployed in the cluster.” continues the expert. “The attacker managed to move laterally and deploy the container using the mounted service account. Finally, the attacker impacted the cluster by running a cryptocurrency miner.”

To check if a cluster has been affected Microsoft recommends to the following procedure:

  • Verify that the malicious container is not deployed in the cluster using the following command:

kubectl get pods –all-namespaces -o jsonpath=”{.items[*].spec.containers[*].image}”  | grep -i ddsfdfsaadfs

  • In case Kubeflow is deployed in the cluster, make sure that its dashboard isn’t exposed to the internet: check the type of the Istio ingress service by the following command and make sure that it is not a load balancer with a public IP:

kubectl get service istio-ingressgateway -n istio-system

“However, this is the first time that we have identified an attack that targets Kubeflow environments specifically.” concludes Microsoft.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Kubeflow, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Hacking Kubernetes Pierluigi Paganini Security News

you might also like

Pierluigi Paganini July 08, 2025
IT Worker arrested for selling access in $100M PIX cyber heist
Read more
Pierluigi Paganini July 07, 2025
Taiwan flags security risks in popular Chinese apps after official probe
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    IT Worker arrested for selling access in $100M PIX cyber heist

    Cyber Crime / July 08, 2025

    New Batavia spyware targets Russian industrial enterprises

    Uncategorized / July 07, 2025

    Taiwan flags security risks in popular Chinese apps after official probe

    Security / July 07, 2025

    U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

    Hacking / July 07, 2025

    Hunters International ransomware gang shuts down and offers free decryption keys to all victims

    Cyber Crime / July 06, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT