Share this article on:
Security researchers have discovered a first-of-its-kind campaign targeting poorly configured Kubernetes clusters, using Kubernetes’ own role-based access control (RBAC) to maintain persistence.
Alarmingly, cloud security company Aqua’s experts have found the campaign currently “targeting at least 60 clusters in the wild”.
The attack starts when a threat actor finds a misconfigured API server that will allow “unauthenticated requests from anonymous users with privileges”. The initial stage is basically recon — sending HTTP requests to find out what’s on the cluster, including if any instances of either the attacker’s payload or any competing malware are present and running.
The attacker then deletes any deployments that may be from another campaign, which makes detection less likely, and frees up clock cycles for the incoming cryptominer.
Next, the attackers use RBAC to create persistence by creating a new ClusterRole with “near admin-level privileges”.
“Next, the attacker created a ‘ServiceAccount’, ‘kube-controller’ in the ‘kube-system’ namespace,” Aqua’s researchers said in a blog post. “Lastly, the attacker created a ‘ClusterRoleBinding’, binding the ClusterRole with the ServiceAccount to create a strong and inconspicuous persistence.”
“Eventually, by setting this legitimate-looking ClusterRoleBinding ‘system:controller:kube-controller’, the attacker could persist under the radar without setting off any alarms.”
The researchers discovered the attack chain by setting up their Kubernetes honeypot, complete with AWS access keys to be snooped out. On the same day the malicious account was set up, the threat actor found and used those keys to try and seek out further data, and to move laterally beyond the Kubernetes cluster.
After that, the actor then set up a resource-stealing cryptominer, using typosquatting to mimic a popular Kubernetes container image. The attached wallet address already had a total of five Monero (or XMR), with the miner capable of generating a further five XMR within 12 months — and that’s just from a single infection.
The value of Monero fluctuates, but a single XMR is worth $235 at the time of writing. Monero is a popular cryptocurrency thanks to its low transaction fees and greater anonymity, making it perfect for dark web purchases.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.