Security News > 2023 > March > New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining
Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023.
"The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report shared with The Hacker News.
The attacks, attributed to an unknown financially motivated actor, commence with scanning for Kubernetes clusters with authentication set as -anonymous-auth=true, which allows anonymous requests to the server, to drop initial payloads from three different U.S.-based IP addresses.
This includes deploying a Kubernetes DaemonSet named "Proxy-api," which, in turn, is used to drop a malicious pod on each node of the Kubernetes cluster to kick-start the mining activity.
"In a legitimate Kubernetes deployment, 'pause' containers are used by Kubernetes to bootstrap a pod," the company noted.
The cybersecurity company said it identified a parallel Monero-mining campaign also targeting exposed Kubernetes clusters by attempting to delete the existing "Proxy-api" DaemonSet associated with the Dero campaign.
News URL
https://thehackernews.com/2023/03/new-cryptojacking-operation-targeting.html