Experts spotted first-ever crypto mining campaign leveraging Kubernetes RBAC

Pierluigi Paganini April 23, 2023

Experts warn of a large-scale cryptocurrency mining campaign exploiting Kubernetes (K8s) Role-Based Access Control (RBAC).

Cloud security firm Aqua discovered a large-scale cryptocurrency mining campaign exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run miners. The campaign was tracked as RBAC Buster, the experts reported that the attacks are actively targeting at least 60 clusters in the wild.

“We have recently discovered the first-ever evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors.” reads the report published by Aqua. “The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack. “

The attack chain starts with initial access via a misconfigured API server, then threat actors sent a few HTTP requests to list secrets and then made two API requests to gain information about the cluster by listing the entities in the ‘kube-system’ namespace.

The attackers check for evidence of competing miner malware on the compromised server and achieve persistence by using RBAC to set up persistence.

Kubernetes RBACA

Aqua analyzed the campaign after having set up K8s honeypots. The researchers explicitly exposed AWS access keys in various locations on the cluster they set up. The researchers noticed that threat actors used the access keys to try and gain further access to the target’s cloud service provider account and obtain access to more resources.

The threat actors created a DaemonSet to deploy containers on all nodes with a single API request. The container image ‘kuberntesio/kube-controller:1.0.1’ is hosted on the public registry Docker Hub.

The experts discovered that the container was pulled 14,399 times since it was uploaded five months ago.

“The container image named ‘kuberntesio/kube-controller’ is a case of typosquatting that impersonates the legitimate ‘kubernetesio’ account. It has amassed millions of pulls, despite having only a few dozen container images. ” concludes the report. “The image also mimics the popular ‘kube-controller-manager’ container image, which is a critical component of the control plane, running within a Pod on every master node, responsible for detecting and responding to node failures.”

Please vote for Security Affairs ( as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

  • The Teacher – Most Educational Blog
  • The Entertainer – Most Entertaining Blog
  • The Tech Whizz – Best Technical Blog
  • Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here:

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Kubernetes)

you might also like

leave a comment