Pierluigi Paganini
March 15, 2023
CrowdStrike has discovered the first-ever Dero cryptojacking campaign aimed at Kubernetes infrastructure. Dero is a general-purpose, private, and decentralized application platform that allows developers to deploy powerful and unstoppable applications. It claims to offer improved privacy, anonymity and higher monetary rewards compared to other cryptocurrencies.
The cryptojacking operation uncovered by CrowdStrike focuses on Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports exposed on the internet.
The campaign started in February 2023 and originated from three servers based in the U.S.
“CrowdStrike has discovered the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure.” reads the analysis published by Crowdstrike. “The novel Dero cryptojacking operation is found to be targeted by an existing Monero cryptojacking operation that was modified subsequently in February 2023. The modified Monero campaign kicks out the DaemonSets used for Dero cryptojacking in the Kubernetes cluster before taking it over.”
Experts believe that the crypto-jacking operation is aimed at Dero, instead of Monero, because the former scheme offers larger rewards and provides the same or better anonymizing features, which is a perfect match for threat actors.
The attack chain commences with the attacker finding an Internet-facing vulnerable Kubernetes cluster. Once interacted with the Kubernetes API, the attacker deploys a Kubernetes DaemonSet (“proxy-api”) that deploys a malicious pod on each node of the Kubernetes cluster.
“This helps attackers engage resources of all of the nodes at the same time to run a cryptojacking operation. The mining efforts by the pods are contributed back to a community pool, which distributes the reward (i.e., Dero coin) equally among its contributors through their digital wallet.” continues the report.
The researchers noticed that once the vulnerable Kubernetes cluster was compromised, threat actors made no attempts to perform a lateral movement or scan the internet for the discovery of other clusters to targets.
Crowdstrike also reported that attackers made no attempts to delete or disrupt the cluster operation, operators’ TTPs suggest that they are financially motivated.
The report also revealed that a rival group running aa Monero-mining campaign is targeting exposed Kubernetes clusters by attempting to delete the existing “proxy-api” DaemonSet which is associated with the Dero campaign.
“At the same time, CrowdStrike observed another Monero campaign, which is modified and is aware of the Dero campaign and targeting the same attack surface but using a more sophisticated approach. Both campaigns are trying to find undiscovered Kubernetes attack surfaces and are battling it out.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Dero)
