    Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining

By justmattg, April 22, 2023

Apr 21, 2023 | Ravie Lakshmanan | Kubernetes / Cryptocurrency

    A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners.

    “The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack,” cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack RBAC Buster, said it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign.

The attack chain began with the attacker gaining initial access through a misconfigured, internet-exposed API server, then checking the compromised cluster for evidence of competing miner malware, and finally using RBAC to set up persistence.

    “The attacker created a new ClusterRole with near admin-level privileges,” the company said. “Next, the attacker created a ‘ServiceAccount’, ‘kube-controller’ in the ‘kube-system’ namespace. Lastly, the attacker created a ‘ClusterRoleBinding’, binding the ClusterRole with the ServiceAccount to create a strong and inconspicuous persistence.”
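The three-object persistence chain quoted above (a near-admin ClusterRole, a ServiceAccount in kube-system, and a ClusterRoleBinding joining them) is cheap to hunt for. What follows is an added example, not Aqua's tooling or code from the original article: a Python audit that takes the JSON produced by `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` and reports every ClusterRoleBinding that hands a wildcard or escalation-capable ClusterRole to a ServiceAccount not on a caller-supplied baseline. The sample objects, the escalation verb/resource sets and the baseline are constructed for the example; only the names `kube-controller` and `kube-system` come from the report.

```python
"""Audit ClusterRoleBindings for ServiceAccounts holding near-admin ClusterRoles.

Added example (not Aqua's code). Input shape is the `-o json` List output of
kubectl; the sample objects below are constructed, not captured from the campaign.
"""
import json
import sys

# Verbs/resources that let a subject re-grant itself rights even without '*' on
# everything (constructed threshold; tune to your cluster).
ESCALATION_VERBS = {"*", "escalate", "bind", "impersonate"}
ESCALATION_RESOURCES = {"*", "clusterroles", "clusterrolebindings", "roles", "rolebindings"}


def is_near_admin(role):
    """True if a ClusterRole grants wildcard access, or verbs on RBAC objects
    that allow privilege escalation."""
    if role["metadata"]["name"] == "cluster-admin":
        return True
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            return True
        if verbs & ESCALATION_VERBS and resources & ESCALATION_RESOURCES:
            return True
    return False


def audit_rbac(roles_list, bindings_list, baseline=frozenset()):
    """Return one finding per (binding, ServiceAccount) pair that grants a
    near-admin ClusterRole to a ServiceAccount outside `baseline`.
    `baseline` is a set of (namespace, name) tuples for reviewed, legitimate grants."""
    roles = {r["metadata"]["name"]: r for r in roles_list["items"]}
    findings = []
    for binding in bindings_list["items"]:
        ref = binding["roleRef"]
        if ref["kind"] != "ClusterRole":
            continue
        role = roles.get(ref["name"])
        if role is None or not is_near_admin(role):
            continue
        for subject in binding.get("subjects", []):
            # Users and groups (e.g. system:masters) are managed by the API server
            # or the IdP; the campaign's persistence used a ServiceAccount.
            if subject.get("kind") != "ServiceAccount":
                continue
            key = (subject.get("namespace", ""), subject["name"])
            if key in baseline:
                continue
            findings.append({
                "binding": binding["metadata"]["name"],
                "role": ref["name"],
                "serviceaccount": f"{key[0]}/{key[1]}",
            })
    return findings


# Constructed sample data: two legitimate grants, one rogue one.
SAMPLE_CLUSTERROLES = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "kube-controller"},  # attacker-created, "near admin-level"
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]}
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "ci-runner-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}]},
    {"metadata": {"name": "reader"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "default"}]},
    {"metadata": {"name": "kube-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "kube-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller",
                   "namespace": "kube-system"}]},
]}
BASELINE = frozenset({("ci", "runner")})  # reviewed broad grant, hypothetical


if __name__ == "__main__":
    # Usage: python rbac_audit.py clusterroles.json clusterrolebindings.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            roles, bindings = json.load(f1), json.load(f2)
    else:
        roles, bindings = SAMPLE_CLUSTERROLES, SAMPLE_BINDINGS
    for finding in audit_rbac(roles, bindings, BASELINE):
        print(json.dumps(finding))
```

On the sample data the audit reports only the `kube-system/kube-controller` grant; the CI runner is suppressed by the baseline, and the `view` binding never qualifies. The baseline is the important design choice: operators and Helm charts routinely bind ServiceAccounts to cluster-admin, so the useful signal is a broad grant that nobody reviewed, not broad grants in general.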

In the intrusion observed against its K8s honeypots, the attacker also attempted to weaponize AWS access keys exposed in the honeypot to gain an entrenched foothold in the environment, steal data, and escape the confines of the cluster.

The final step of the attack entailed the threat actor creating a DaemonSet to deploy a container image hosted on Docker Hub (“kuberntesio/kube-controller:1.0.1”) on every node. The image, which had been pulled 14,399 times in the five months since its upload, harbors a cryptocurrency miner.

    “The container image named ‘kuberntesio/kube-controller’ is a case of typosquatting that impersonates the legitimate ‘kubernetesio’ account,” Aqua said. “The image also mimics the popular ‘kube-controller-manager’ container image, which is a critical component of the control plane, running within a Pod on every master node, responsible for detecting and responding to node failures.”
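The DaemonSet and the typosquatted image described in the two passages above give a second, independent detection point: every container image a DaemonSet schedules onto all nodes should come from a registry and namespace you trust, and a Docker Hub namespace one or two edits away from a trusted one deserves a closer look than one that is merely unknown. The following is an added example, not Aqua's code or anything from the original article. It parses image references with Docker's own rules (a first path component containing a dot or colon is a registry, a bare name lives in `library` on Docker Hub), then scores unknown Hub namespaces against a trusted list with optimal-string-alignment edit distance. The DaemonSet objects, the trusted registries and the namespace of the rogue DaemonSet are constructed for the example; the image name and the `kubernetesio` account come from the report.

```python
"""Flag DaemonSet images from untrusted registries or look-alike Docker Hub namespaces.

Added example (not Aqua's code). Input is `kubectl get daemonsets -A -o json`;
the sample objects below are constructed.
"""
import json
import sys


def parse_image(ref):
    """Split an image reference into (registry, namespace, name, tag).
    Docker rules: a first path component containing '.' or ':' (or 'localhost')
    is a registry; otherwise the image is on docker.io, and a bare name such as
    'nginx' lives in the 'library' namespace."""
    ref = ref.split("@", 1)[0]  # drop any digest
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, parts = parts[0], parts[1:]
    else:
        registry = "docker.io"
    name, _, tag = parts[-1].partition(":")
    if len(parts) > 1:
        namespace = "/".join(parts[:-1])
    else:
        namespace = "library" if registry == "docker.io" else ""
    return registry, namespace, name, tag or "latest"


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    adjacent characters, each costing 1. Catches 'kuberntesio' vs 'kubernetesio'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def audit_daemonsets(ds_list, trusted_registries, trusted_hub_namespaces, max_edits=2):
    """Return (daemonset, image, reason) for every container image that is not
    from a trusted registry or trusted Docker Hub namespace. Look-alike Hub
    namespaces within `max_edits` of a trusted one get a specific reason."""
    findings = []
    for ds in ds_list["items"]:
        ds_name = f'{ds["metadata"]["namespace"]}/{ds["metadata"]["name"]}'
        pod_spec = ds["spec"]["template"]["spec"]
        for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
            registry, namespace, _name, _tag = parse_image(c["image"])
            if registry != "docker.io":
                if registry not in trusted_registries:
                    findings.append((ds_name, c["image"], f"untrusted registry {registry}"))
                continue
            if namespace in trusted_hub_namespaces:
                continue
            closest = min(trusted_hub_namespaces, key=lambda t: osa_distance(namespace, t))
            dist = osa_distance(namespace, closest)
            if dist <= max_edits:
                reason = f"namespace {namespace!r} is {dist} edit(s) from trusted {closest!r}"
            else:
                reason = f"Docker Hub namespace {namespace!r} not in allowlist"
            findings.append((ds_name, c["image"], reason))
    return findings


def _ds(namespace, name, image):
    """Build a minimal DaemonSet object (constructed sample data helper)."""
    return {"metadata": {"namespace": namespace, "name": name},
            "spec": {"template": {"spec": {"containers": [{"name": name, "image": image}]}}}}


# Constructed sample: two legitimate DaemonSets, a Hub 'library' image, and the rogue one.
SAMPLE_DAEMONSETS = {"items": [
    _ds("kube-system", "kube-proxy", "registry.k8s.io/kube-proxy:v1.27.1"),
    _ds("monitoring", "node-exporter", "quay.io/prometheus/node-exporter:v1.5.0"),
    _ds("default", "edge", "nginx:1.25"),
    _ds("kube-system", "kube-controller", "kuberntesio/kube-controller:1.0.1"),
]}
TRUSTED_REGISTRIES = {"registry.k8s.io", "quay.io"}          # hypothetical allowlist
TRUSTED_HUB_NAMESPACES = {"kubernetesio", "library"}         # hypothetical allowlist


if __name__ == "__main__":
    # Usage: python ds_audit.py daemonsets.json   (defaults to the sample data)
    data = json.load(open(sys.argv[1])) if len(sys.argv) == 2 else SAMPLE_DAEMONSETS
    for ds_name, image, reason in audit_daemonsets(data, TRUSTED_REGISTRIES, TRUSTED_HUB_NAMESPACES):
        print(f"{ds_name}: {image}: {reason}")
```

On the sample the only finding is the rogue DaemonSet, reported as one edit away from `kubernetesio`. Admission control (an image-registry allowlist enforced by a validating webhook) prevents this class of deployment outright; the audit above is the retrospective check for clusters that were exposed before such a policy existed.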

    Interestingly, some of the tactics described in the campaign bear similarities to another illicit cryptocurrency mining operation that also took advantage of DaemonSets to mint Dero and Monero. It’s currently not clear whether the two sets of attacks are related.
