First Dero cryptojacking campaign targets unprotected Kubernetes instances

2023-03-20 12:20

With this cryptojacking attack, the threat actor scans for Kubernetes instances with the authentication parameter set as "-anonymous-auth=true".

As stated by CrowdStrike researchers Benjamin Grap and Manoj Ahuje, "a user with sufficient privileges who runs 'kubectl proxy' can unintentionally expose a secure Kubernetes API on the host where kubectl is running, which is a less obvious way to expose the secure Kubernetes cluster bypassing authentication."

Once a vulnerable Kubernetes cluster is found, the threat actor deploys a Kubernetes DaemonSet named "Proxy-api." That action deploys a malicious pod on every node of the cluster, enabling the attacker to run cryptojacking on all nodes from the cluster at the same time.

Attackers have probably named the miner "Pause" because pause containers in legitimate Kubernetes instances are used to bootstrap pods.

The new campaign started by deleting existing Kubernetes DaemonSets named "Proxy-api," which was specific to the Dero cryptojacking campaign.

From there, enable logging and monitor activity on all Kubernetes instances in order to detect suspicious activity or access attempts.

News URL

https://www.techrepublic.com/article/dero-cryptojacking-targets-kubernetes/

#cryptojacking #kubernetes

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Kubernetes		19	12	49	24	6	91