New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining
2023-03-15 10:11

Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023.

"The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report shared with The Hacker News.

The attacks, attributed to an unknown financially motivated actor, commence with scanning for Kubernetes clusters whose API server has authentication set to --anonymous-auth=true, which allows anonymous requests to the server. Initial payloads are then dropped from three different U.S.-based IP addresses.

This includes deploying a Kubernetes DaemonSet named "Proxy-api," which, in turn, is used to drop a malicious pod on each node of the Kubernetes cluster to kick-start the mining activity.

"In a legitimate Kubernetes deployment, 'pause' containers are used by Kubernetes to bootstrap a pod," the company noted.

The cybersecurity company said it identified a parallel Monero-mining campaign also targeting exposed Kubernetes clusters by attempting to delete the existing "Proxy-api" DaemonSet associated with the Dero campaign.
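
A detection sketch for the activity described above, added here as an example and not taken from the CrowdStrike report or The Hacker News article: it scans Kubernetes API server audit log records (audit.k8s.io/v1 JSON lines) for successful writes to workload resources made by unauthenticated callers, which covers both the DaemonSet creation and the rival campaign's DaemonSet deletion. The verb and resource lists, function names and sample records are assumptions constructed for illustration.

```python
import json

MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
WORKLOAD_RESOURCES = {"daemonsets", "deployments", "pods", "jobs", "cronjobs"}

def is_anonymous(user):
    """True when the API server handled the request without credentials."""
    return (user.get("username") == "system:anonymous"
            or "system:unauthenticated" in user.get("groups", []))

def find_anonymous_workload_writes(audit_lines):
    """Return successful anonymous writes to workload resources."""
    findings = []
    for line in audit_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        ref = ev.get("objectRef") or {}
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if (ev.get("stage") == "ResponseComplete"  # one record per request
                and is_anonymous(ev.get("user") or {})
                and ev.get("verb") in MUTATING_VERBS
                and ref.get("resource") in WORKLOAD_RESOURCES
                and 200 <= code < 300):  # denied attempts (401/403) excluded
            findings.append({"verb": ev["verb"], "resource": ref["resource"],
                             "name": ref.get("name", ""),  # may be empty on create
                             "source_ips": ev.get("sourceIPs", [])})
    return findings

def _event(user, groups, verb, resource, code, ip, name=""):
    """Build one constructed audit record using audit.k8s.io/v1 Event fields."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": verb, "user": {"username": user, "groups": groups},
        "sourceIPs": [ip], "responseStatus": {"code": code},
        "objectRef": {"resource": resource, "namespace": "default", "name": name},
    })

ANON = ("system:anonymous", ["system:unauthenticated"])
CONTROLLER = ("system:kube-controller-manager", ["system:authenticated"])
# Constructed sample log: documentation IP addresses and made-up object names.
SAMPLE_LOG = [
    _event(*ANON, "create", "daemonsets", 201, "203.0.113.10"),
    _event(*ANON, "list", "pods", 200, "203.0.113.10"),
    _event(*CONTROLLER, "create", "pods", 201, "10.0.0.2"),
    _event(*ANON, "delete", "daemonsets", 403, "198.51.100.7", "example-ds"),
    _event(*ANON, "delete", "daemonsets", 200, "198.51.100.7", "example-ds"),
]
```

Matching on behaviour (an unauthenticated caller successfully changing a workload) rather than on the DaemonSet name keeps the check useful when the object is renamed.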


News URL

https://thehackernews.com/2023/03/new-cryptojacking-operation-targeting.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Kubernetes 19 12 49 24 6 91