Security researchers at CrowdStrike have discovered the first-ever cryptojacking campaign targeting Kubernetes infrastructure to mine the Dero cryptocurrency.
“Dero’s new cryptojacking operation focuses on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the Internet.”
How the attack works
The attack is carried out by financially motivated actors who:
- Exploit permissive kubelet/API authentication: with anonymous access enabled, requests sent to the server without credentials are accepted and handled as the anonymous user, so the attacker needs no credentials to interact with the cluster.
- Deploy a DaemonSet, a Kubernetes object that ensures every node in the cluster runs a copy of a given Pod, so the workload lands on every node at once.
- Use the DaemonSet’s YAML manifest to run a Docker image that contains a binary named “pause”, which is actually the Dero coin miner.
“In a legitimate Kubernetes deployment, ‘pause’ containers are used by Kubernetes to bootstrap a pod,” the company noted. “Attackers may have used this name to blend in to avoid obvious detection.”
Recommendations to prevent Kubernetes attacks
To protect against Kubernetes attacks, it is important to follow security best practices such as:
- Keeping Kubernetes components up-to-date with the latest security patches and updates.
- Limiting access to the Kubernetes control plane and workloads to authorized users and applications.
- Implementing strong authentication and authorization controls, such as multi-factor authentication, RBAC, and network policies.
- Securing container images and workloads with best practices such as using a trusted image registry, scanning images for vulnerabilities, and applying resource limits.
- Monitoring Kubernetes clusters for suspicious activity using tools such as Kubernetes audit logs, network traffic analysis, and intrusion detection systems.
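The last recommendation, monitoring audit logs, is where the tradecraft described above becomes visible: anonymous requests to the API, anonymous creation of a DaemonSet, and a container named “pause” that is not the standard pause image. The script below is an added example written for this article, not code from CrowdStrike or the Kubernetes project. It reads audit.k8s.io/v1 events (one JSON object per line) and applies those three checks. The sample events and the image name `docker.io/constructed-example/pause:latest` are constructed for the demonstration; the registry prefixes treated as the legitimate pause image and the set of public paths ignored for anonymous callers are assumptions you should adjust to your cluster.

```python
"""Scan Kubernetes API-server audit events for the pattern described above:
anonymous API access, anonymous writes to workload resources such as
DaemonSets, and containers named "pause" that do not use the standard
pause image."""
import json
from typing import Iterable

# Assumption: the legitimate pause image is pulled from one of these registries.
# Anything else calling itself "pause" deserves a second look.
STANDARD_PAUSE_PREFIXES = ("registry.k8s.io/pause", "k8s.gcr.io/pause")

# Non-resource paths that default RBAC exposes to unauthenticated clients;
# anonymous hits on these are normal and would only add noise.
PUBLIC_PATHS = {"/healthz", "/livez", "/readyz", "/version"}

WORKLOAD_RESOURCES = {"pods", "daemonsets", "deployments", "replicasets",
                      "statefulsets", "jobs", "cronjobs"}
WRITE_VERBS = {"create", "update", "patch"}

# Constructed sample audit log (audit.k8s.io/v1 events, one per line).
# These are made-up events for the example, not data from the campaign.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"get","requestURI":"/healthz","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/namespaces","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"objectRef":{"resource":"namespaces"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"create","requestURI":"/apis/apps/v1/namespaces/kube-system/daemonsets","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"objectRef":{"resource":"daemonsets","namespace":"kube-system","name":"proxy-api","apiGroup":"apps"},"requestObject":{"spec":{"template":{"spec":{"containers":[{"name":"pause","image":"docker.io/constructed-example/pause:latest"}]}}}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"create","requestURI":"/api/v1/namespaces/default/pods","user":{"username":"admin@example.com","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"default","name":"web"},"requestObject":{"spec":{"containers":[{"name":"pause","image":"registry.k8s.io/pause:3.9"},{"name":"web","image":"nginx:1.25"}]}},"responseStatus":{"code":201}}
"""


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_anonymous(event: dict) -> bool:
    """True when the API server attributed the request to the anonymous user."""
    user = event.get("user", {})
    return (user.get("username") == "system:anonymous"
            or "system:unauthenticated" in user.get("groups", []))


def pod_spec_of(obj: dict) -> dict:
    """Return the pod spec of a Pod, a templated workload, or a CronJob."""
    spec = obj.get("spec", {})
    if "jobTemplate" in spec:  # CronJob nests its pod template one level deeper
        spec = spec["jobTemplate"].get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def masquerading_pause_containers(pod_spec: dict) -> list[str]:
    """Images of containers named 'pause' that are not the standard pause image."""
    hits = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        image = c.get("image", "")
        if c.get("name") == "pause" and not image.startswith(STANDARD_PAUSE_PREFIXES):
            hits.append(image)
    return hits


def analyze(events: Iterable[dict]) -> list[dict]:
    """Apply the three checks and return one finding dict per hit."""
    findings = []
    for ev in events:
        audit_id = ev.get("auditID", "?")
        path = ev.get("requestURI", "").split("?", 1)[0]
        ref = ev.get("objectRef", {})
        workload_write = (ev.get("verb") in WRITE_VERBS
                          and ref.get("resource") in WORKLOAD_RESOURCES)
        # Check 1 and 2: anonymous use of anything beyond the public endpoints,
        # escalated when the anonymous caller is creating or changing a workload.
        if is_anonymous(ev) and path not in PUBLIC_PATHS:
            rule = "anonymous-workload-write" if workload_write else "anonymous-api-access"
            findings.append({"auditID": audit_id, "rule": rule,
                             "detail": f"{ev.get('verb')} {path}"})
        # Check 3: a container borrowing the "pause" name from a non-standard image.
        if workload_write and "requestObject" in ev:
            for image in masquerading_pause_containers(pod_spec_of(ev["requestObject"])):
                findings.append({"auditID": audit_id, "rule": "pause-name-masquerade",
                                 "detail": image})
    return findings


def main() -> None:
    for f in analyze(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{f['auditID']}: {f['rule']} ({f['detail']})")


if __name__ == "__main__":
    main()
```

Run against the sample, the health probe (a1) is ignored, the anonymous namespace listing (a2) is reported, the anonymous DaemonSet creation (a3) produces both an anonymous-write finding and a pause-masquerade finding, and the authenticated pod (a4) with a genuine `registry.k8s.io/pause` container stays quiet. The same checks apply to events at the `Metadata` audit level, except that the image check needs `RequestResponse` (or `Request`) level so that `requestObject` is present.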
“As Kubernetes has become the most popular container orchestrator in the world, attackers have opportunistically targeted Kubernetes and Docker misconfigurations, design weaknesses, and zero-day vulnerabilities,” the researchers conclude.
A paradigm shift in security
As attacks grow more sophisticated, the approach to security has to change with them. Organizations need an adversary-focused approach to cloud security that stops attackers from exploiting modern enterprise cloud environments.
Combining agent-based and agentless protection in a single, unified platform with integrated threat intelligence has also become essential; this is how comprehensive visibility, detection, and remediation for cloud workloads can be maintained.