New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining

1 year ago AndyC

Mar
15,
2023Ravie
LakshmananServer
Security
/
Cryptocurrency

Cybersecurity
researchers
have
discovered
the
first-ever
illicit
cryptocurrency
mining
campaign
used
to
mint
Dero
since
the
start
of
February
2023.

New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining



Mar
15,
2023Ravie
LakshmananServer
Security
/
Cryptocurrency


New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining

Cybersecurity
researchers
have
discovered
the
first-ever
illicit
cryptocurrency
mining
campaign
used
to
mint
Dero
since
the
start
of
February
2023.

“The
novel
Dero
cryptojacking
operation
concentrates
on
locating
Kubernetes
clusters
with
anonymous
access
enabled
on
a
Kubernetes
API
and
listening
on
non-standard
ports
accessible
from
the
internet,”
CrowdStrike

said
in
a
new
report
shared
with
The
Hacker
News.

The
development
marks
a
notable
shift
from
Monero,
which
is
a
prevalent
cryptocurrency
used
in
such
campaigns.
It’s
suspected
it
may
have
to
do
with
the
fact
that

Dero
“offers
larger
rewards
and
provides
the
same
or
better
anonymizing
features.”

The
attacks,
attributed
to
an
unknown
financially
motivated
actor,
commence
with
scanning
for
Kubernetes
clusters
with
authentication
set
as

–anonymous-auth=true,
which
allows
anonymous
requests
to
the
server,
to
drop
initial
payloads
from
three
different
U.S.-based
IP
addresses.

This
includes
deploying
a
Kubernetes

DaemonSet
named
“proxy-api,”
which,
in
turn,
is
used
to
drop
a
malicious
pod
on
each
node
of
the
Kubernetes
cluster
to
kick-start
the
mining
activity.


Cryptojacking Operation

To
that
end,
the
DaemonSet’s
YAML
file
is
orchestrated
to
run
a
Docker
image
that
contains
a
“pause”
binary,
which
is
actually
the

Dero
coin
miner.

“In
a
legitimate
Kubernetes
deployment,
‘pause’
containers
are
used
by
Kubernetes
to
bootstrap
a
pod,”
the
company
noted.
“Attackers
may
have
used
this
name
to
blend
in
to
avoid
obvious
detection.”


WEBINAR

Discover
the
Hidden
Dangers
of
Third-Party
SaaS
Apps

Are
you
aware
of
the
risks
associated
with
third-party
app
access
to
your
company’s
SaaS
apps?
Join
our
webinar
to
learn
about
the
types
of
permissions
being
granted
and
how
to
minimize
risk.

RESERVE
YOUR
SEAT

The
cybersecurity
company
said
it
identified
a
parallel
Monero-mining
campaign
also
targeting
exposed
Kubernetes
clusters
by
attempting
to
delete
the
existing
“proxy-api”
DaemonSet
associated
with
the
Dero
campaign.

This
is
an
indication
of
the

ongoing
tussle
between
cryptojacking
groups
that
are
vying
for
cloud
resources
to
take
and
retain
control
of
the
machines
and
consume
all
of
its
resources.

“Both
campaigns
are
trying
to
find
undiscovered
Kubernetes
attack
surfaces
and
are
battling
it
out,”
CrowdStrike
threat
researchers
Benjamin
Grap
and
Manoj
Ahuje
said.

Found
this
article
interesting?
Follow
us
on

Twitter


and

LinkedIn
to
read
more
exclusive
content
we
post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

More Stories

Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns

Latrodectus Malware Loader Emerges as IcedID’s Successor in Phishing Campaigns

3 hours ago AndyC
Chinese Nationals Arrested for Laundering Million in Pig Butchering Crypto Scam

Chinese Nationals Arrested for Laundering $73 Million in Pig Butchering Crypto Scam

21 hours ago AndyC
Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

21 hours ago AndyC
Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

3 days ago AndyC
New XM Cyber Research: 80% of Exposures from Misconfigurations, Less Than 1% from CVEs

New XM Cyber Research: 80% of Exposures from Misconfigurations, Less Than 1% from CVEs

3 days ago AndyC
China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT

China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT

3 days ago AndyC

You may have missed

La UE avanza hacia la regulación del consumo de energía y agua en los centros de datos

La UE avanza hacia la regulación del consumo de energía y agua en los centros de datos

12 mins ago AndyC
10 projects top of mind for IT leaders today

10 projects top of mind for IT leaders today

12 mins ago AndyC
Assembly required: 8 myths about knowledge management debunked

Assembly required: 8 myths about knowledge management debunked

12 mins ago AndyC
SAP customers see S/4HANA and AI as top digital transformation drivers

SAP customers see S/4HANA and AI as top digital transformation drivers

12 mins ago AndyC
Chrome vs. Edge: Which browser is better for business?

Chrome vs. Edge: Which browser is better for business?

13 mins ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.