Malicious Mining Campaign Targets Improperly Configured Kubernetes Clusters
Cybersecurity researchers have warned of an active cryptojacking campaign that targets misconfigured Kubernetes clusters to mine the Dero cryptocurrency.
The finding comes from cloud security company Wiz, which describes the activity as a revised version of a financially motivated campaign first documented by CrowdStrike in March 2023.
“The attackers exploited anonymous access to a publicly available cluster to deploy malicious container images sourced from Docker Hub, some of them garnering over 10,000 pulls,” said Wiz researchers Avigayil Mechtinger, Shay Berkovich, and Gili Tikochinski in a published statement. “These container images include a compressed DERO miner labeled ‘pause.’”
Initial access is gained through externally reachable Kubernetes API servers that allow anonymous authentication, which the attackers use to deliver the miner payloads.
Where the 2023 version relied on a Kubernetes DaemonSet named “proxy-api,” the latest iteration uses innocuously named DaemonSets, “k8s-device-plugin” and “pytorch-container,” to eventually run the miner on every node in the cluster.
Naming the container “pause” is a further disguise: it masquerades as the legitimate “pause” container that Kubernetes uses to bootstrap a pod and enforce network isolation.
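The tradecraft described above leaves traces in the Kubernetes API server audit log: a write by the anonymous identity, a DaemonSet reaching every node, and a container named “pause” that is not the upstream pause image. The following detection sketch is an added example written for this page, not code from Wiz or CrowdStrike. It assumes audit logging at the Request or RequestResponse level (so `requestObject` is present), treats `registry.k8s.io/pause` and `k8s.gcr.io/pause` as the trusted pause image locations (extend the allowlist for a private mirror), and runs over constructed JSON-lines events, not real log data from the campaign.

```python
"""Flag Kubernetes audit events matching the Dero campaign's observed tradecraft.

Added example for this article; the sample events below are constructed, and the
image registry/user in them is a placeholder, not an indicator from the report.
"""
import json

# Assumption: prefixes under which the legitimate pause image is published.
TRUSTED_PAUSE_PREFIXES = ("registry.k8s.io/pause", "k8s.gcr.io/pause")

# DaemonSet names mentioned in the article. Weak indicators on their own:
# "k8s-device-plugin" is also a legitimate name, so this is rated LOW.
REPORTED_DAEMONSET_NAMES = {"proxy-api", "k8s-device-plugin", "pytorch-container"}

WRITE_VERBS = {"create", "update", "patch"}
WORKLOAD_RESOURCES = {"daemonsets", "deployments", "pods", "replicasets", "jobs", "cronjobs"}


def is_anonymous(event: dict) -> bool:
    """True when the request was made by the anonymous identity or unauthenticated group."""
    user = event.get("user", {})
    return (user.get("username") == "system:anonymous"
            or "system:unauthenticated" in user.get("groups", []))


def pod_spec_from(event: dict) -> dict:
    """Return the pod spec embedded in a Pod or template-based workload request, if any."""
    obj = event.get("requestObject") or {}
    if event.get("objectRef", {}).get("resource") == "pods":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def untrusted_pause_images(pod_spec: dict) -> list:
    """Images of containers named 'pause' that are not pulled from a trusted pause location."""
    found = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        image = c.get("image", "")
        if c.get("name") == "pause" and not image.startswith(TRUSTED_PAUSE_PREFIXES):
            found.append(image)
    return found


def analyze_event(event: dict) -> list:
    """Return findings for one audit event; an empty list means nothing notable."""
    findings = []
    ref = event.get("objectRef", {})
    resource, name = ref.get("resource", ""), ref.get("name", "")
    verb = event.get("verb", "")

    # Anonymous reads (e.g. /healthz probes) are common; anonymous writes are not.
    if verb in WRITE_VERBS and is_anonymous(event):
        findings.append(f"HIGH: anonymous {verb} of {resource}/{name}")

    if verb in WRITE_VERBS and resource in WORKLOAD_RESOURCES:
        for image in untrusted_pause_images(pod_spec_from(event)):
            findings.append(f"MEDIUM: container named 'pause' with untrusted image {image!r} in {resource}/{name}")
        if resource == "daemonsets" and name in REPORTED_DAEMONSET_NAMES:
            findings.append(f"LOW: DaemonSet name {name!r} matches a name from the report")
    return findings


def scan_audit_log(lines) -> list:
    """Return (line_index, finding) pairs across JSON-lines audit input, skipping bad lines."""
    results = []
    for i, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for finding in analyze_event(event):
            results.append((i, finding))
    return results


# Constructed sample audit lines (not real events from the campaign).
SAMPLE_AUDIT_LINES = [
    json.dumps({"verb": "create",
                "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
                "objectRef": {"resource": "daemonsets", "namespace": "kube-system", "name": "k8s-device-plugin"},
                "requestObject": {"spec": {"template": {"spec": {"containers": [
                    {"name": "pause", "image": "docker.io/PLACEHOLDER-USER/pause:latest"}]}}}}}),
    json.dumps({"verb": "create",
                "user": {"username": "system:serviceaccount:kube-system:deployment-controller"},
                "objectRef": {"resource": "pods", "namespace": "web", "name": "web-1"},
                "requestObject": {"spec": {"containers": [
                    {"name": "pause", "image": "registry.k8s.io/pause:3.9"},
                    {"name": "web", "image": "nginx:1.25"}]}}}),
    json.dumps({"verb": "list", "user": {"username": "system:anonymous"},
                "objectRef": {"resource": "pods"}}),
]

if __name__ == "__main__":
    for idx, finding in scan_audit_log(SAMPLE_AUDIT_LINES):
        print(f"event {idx}: {finding}")
```

Only the first constructed event is flagged (three findings: anonymous write, untrusted pause image, reported DaemonSet name); the legitimate pod using the upstream pause image and the anonymous read produce nothing. The same rules can be fed from the live audit webhook or log file rather than the embedded samples.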
The miner is a publicly available Go binary that has been modified to hard-code the wallet address and custom Dero mining pool URLs. It is also packed with the open-source UPX packer to hinder detection.
Hard-coding the mining configuration lets the miner run without the command-line arguments that security tools typically inspect.
Wiz said it also uncovered additional tooling built by the threat actors, including a UPX-packed Windows version of the Dero miner and a dropper shell script designed to kill competing miners on a compromised host and install GMiner from GitHub.
“The attackers registered domains with harmless names to fly under the radar and blend in with legitimate web traffic, while concealing interactions with recognized mining pools,” remarked the researchers.
“Through these combined strategies, the attackers demonstrate their adaptability in evolving their techniques to outsmart defenders.”