First-known Dero cryptojacking operation seen targeting Kubernetes
2023-03-15 10:00

The first known cryptojacking operation mining the Dero coin has been found targeting vulnerable Kubernetes container orchestrator infrastructure with exposed APIs.

The researchers say the attacks start with the threat actors scanning for exposed, vulnerable Kubernetes clusters with authentication set to `--anonymous-auth=true`, which allows anyone anonymous access to the Kubernetes API. After gaining access to the API, the threat actors deploy a DaemonSet named "Proxy-api", which lets them engage the resources of all nodes in the cluster simultaneously to mine Dero.
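As an added example (not taken from the article or the researchers' report), the sketch below triages API server audit events for the pattern described above: successful requests made by the anonymous identity, with workload writes such as a DaemonSet create marked critical. It assumes audit logging is enabled and emits `audit.k8s.io/v1` JSON lines; the sample events, IP addresses and the `triage` helper are constructed for illustration.

```python
import json

# Constructed audit events (audit.k8s.io/v1, one JSON object per line).
# IP addresses and namespaces are illustrative, not taken from the campaign.
ANON = '"user":{"username":"system:anonymous","groups":["system:unauthenticated"]}'
SAMPLE_AUDIT_LOG = [
    '{"stage":"ResponseComplete","verb":"get","requestURI":"/healthz",' + ANON + ',"sourceIPs":["203.0.113.7"],"responseStatus":{"code":200}}',
    '{"stage":"ResponseComplete","verb":"list",' + ANON + ',"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"nodes"},"responseStatus":{"code":200}}',
    '{"stage":"ResponseComplete","verb":"create",' + ANON + ',"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"daemonsets","apiGroup":"apps","namespace":"default"},"responseStatus":{"code":201}}',
    '{"stage":"ResponseComplete","verb":"create",' + ANON + ',"sourceIPs":["198.51.100.9"],"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":403}}',
    '{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:daemon-set-controller","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.2"],"objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":201}}',
]

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
WORKLOADS = {"daemonsets", "deployments", "statefulsets", "replicasets",
             "pods", "jobs", "cronjobs"}

def is_anonymous(user):
    """True when the request was attributed to the unauthenticated identity."""
    return (user.get("username") == "system:anonymous"
            or "system:unauthenticated" in user.get("groups", []))

def triage(lines):
    """Return (severity, verb, resource, namespace, source_ip) for every
    successful anonymous request that touched an API resource."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("stage") != "ResponseComplete":
            continue  # count each request once, at its final stage
        ref = ev.get("objectRef")
        if not ref:
            continue  # non-resource URLs such as /healthz carry no objectRef
        code = ev.get("responseStatus", {}).get("code", 0)
        if not is_anonymous(ev.get("user", {})) or not 200 <= code < 300:
            continue  # authenticated caller, or request denied by authorization
        verb, res = ev.get("verb"), ref.get("resource")
        sev = "critical" if verb in WRITE_VERBS and res in WORKLOADS else "warning"
        ips = ev.get("sourceIPs") or ["unknown"]
        findings.append((sev, verb, res, ref.get("namespace", ""), ips[0]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LOG):
        print(*finding)
```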

The installed miners will be joined to a Dero mining pool, where everyone contributes hashing power and receives shares of any rewards.

The first file initializes the Dero miner with a hardcoded wallet address and mining pool, while the "Pause" binary is the actual coin miner.

Shortly after CrowdStrike discovered the Dero campaign, its analysts detected a Monero cryptojacking operator attempting to hijack the same resources, eventually kicking out the Dero miner.

While cryptojacking campaigns are almost a dime-a-dozen, mining Dero over other privacy coins, such as Monero, makes this a novel campaign.


News URL

https://www.bleepingcomputer.com/news/security/first-known-dero-cryptojacking-operation-seen-targeting-kubernetes/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Kubernetes 19 12 49 24 6 91