Attackers deploy cryptominers on Kubernetes clusters via Argo Workflows (July 2021)
Threat actors are abusing misconfigured Argo Workflows instances to deploy cryptocurrency miners on Kubernetes clusters.
Argo Workflows is the most popular workflow execution engine for Kubernetes, designed to orchestrate parallel jobs that speed up compute-intensive machine learning or data processing workloads on Kubernetes clusters.
Threat actors gain access to such clusters via Internet-exposed Argo dashboards and deploy their own malicious workflows using various Monero miner containers, including kannix/monero-miner, a defunct container that mines for Monero using the XMRig CPU/GPU miner.
While kannix/monero-miner is no longer available on Docker Hub, attackers can pick from a few dozen other containers that do the same job: mining Monero cryptocurrency using the CPU or the GPU. The researchers added that broader-scale attacks should be expected, given that hundreds of Argo Workflows deployments with the wrong permissions are exposed to the Internet.
Misconfigured Argo Workflows instances are the latest observed attack vector, with threat actors previously scanning for and abusing other security holes to breach Kubernetes clusters.
Last month, Microsoft warned that cryptomining gangs were targeting machine learning infrastructure running on Kubernetes clusters via Internet-exposed Kubeflow dashboards.