Breaking News

Experts spotted first-ever crypto mining campaign leveraging Kubernetes RBAC

Experts warn of a large-scale cryptocurrency mining campaign exploiting Kubernetes (K8s) Role-Based Access Control (RBAC).

Cloud security firm Aqua discovered a large-scale cryptocurrency mining campaign exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run miners. The campaign was tracked as RBAC Buster, the experts reported that the attacks are actively targeting at least 60 clusters in the wild.

“We have recently discovered the first-ever evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors.” reads the report published by Aqua. “The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack. “

The attack chain starts with initial access via a misconfigured API server, then threat actors sent a few HTTP requests to list secrets and then made two API requests to gain information about the cluster by listing the entities in the ‘kube-system’ namespace.

The attackers check for evidence of competing miner malware on the compromised server and achieve persistence by using RBAC to set up persistence.

Aqua analyzed the campaign after having set up K8s honeypots. The researchers explicitly exposed AWS access keys in various locations on the cluster they set up. The researchers noticed that threat actors used the access keys to try and gain further access to the target’s cloud service provider account and obtain access to more resources.

The threat actors created a DaemonSet to deploy containers on all nodes with a single API request. The container image ‘kuberntesio/kube-controller:1.0.1’ is hosted on the public registry Docker Hub.

The experts discovered that the container was pulled 14,399 times since it was uploaded five months ago.

“The container image named ‘kuberntesio/kube-controller’ is a case of typosquatting that impersonates the legitimate ‘kubernetesio’ account. It has amassed millions of pulls, despite having only a few dozen container images. ” concludes the report. “The image also mimics the popular ‘kube-controller-manager’ container image, which is a critical component of the control plane, running within a Pod on every master node, responsible for detecting and responding to node failures.”

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

  • The Teacher – Most Educational Blog
  • The Entertainer – Most Entertaining Blog
  • The Tech Whizz – Best Technical Blog
  • Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Kubernetes)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

TP-Link Archer C5400X gaming router is affected by a critical flaw

Researchers warn of a critical remote code execution vulnerability in TP-Link Archer C5400X gaming router.…

10 mins ago

Sav-Rx data breach impacted over 2.8 million individuals

Prescription service firm Sav-Rx disclosed a data breach that potentially impacted over 2.8 million people…

10 hours ago

The Impact of Remote Work and Cloud Migrations on Security Perimeters

Organizations had to re-examine the traditional business perimeter and migrate to cloud-based tools to support…

17 hours ago

New ATM Malware family emerged in the threat landscape

Experts warn of a new ATM malware family that is advertised in the cybercrime underground,…

19 hours ago

A high-severity vulnerability affects Cisco Firepower Management Center

Cisco addressed a SQL injection vulnerability in the web-based management interface of the Firepower Management…

24 hours ago

CERT-UA warns of malware campaign conducted by threat actor UAC-0006

The Ukraine CERT-UA warns of a concerning increase in cyberattacks attributed to the financially-motivated threat…

2 days ago

This website uses cookies.