Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining
2023-04-21 13:26

A large-scale attack campaign discovered in the wild has been exploiting Kubernetes Role-Based Access Control to create backdoors and run cryptocurrency miners.

The Israeli company, which dubbed the attack RBAC Buster, said it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign.

The attack chain commenced with the attacker gaining initial access via a misconfigured API server, followed by checking for evidence of competing miner malware on the compromised server and then using RBAC to set up persistence.

"The attacker created a new ClusterRole with near admin-level privileges," the company said.

In the intrusion observed against its K8s honeypots, the attacker attempted to weaponize the exposed AWS access keys to obtain an entrenched foothold into the environment, steal data, and escape the confines of the cluster.

The final step of the attack entailed the threat actor creating a DaemonSet to deploy a container image hosted on Docker on all nodes.
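A defender can audit a cluster for the persistence pattern described above (a new near-admin ClusterRole, its binding, and an unexpected DaemonSet). The following is an added example, not code from the article or the company it cites. It assumes the input is the item list from `kubectl get clusterroles,clusterrolebindings,daemonsets -A -o json`; the object names, the image and the operator-supplied baselines are constructed for illustration.

```python
# Added example. SAMPLE_ITEMS is constructed data shaped like the "items" of
# `kubectl get clusterroles,clusterrolebindings,daemonsets -A -o json`.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-support-role"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"],
                "verbs": ["get", "list", "create", "update", "delete"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-support-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "example-support-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-sa",
                   "namespace": "kube-system"}]},
    {"kind": "DaemonSet", "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"image": "registry.example/kube-proxy:v1"}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "example-agent", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"image": "docker.io/example/agent:latest"}]}}}},
]
WRITE_VERBS = {"*", "create", "update", "patch", "delete"}

def broad_rule(rule):
    """True when a rule grants write-type verbs over every resource."""
    verbs = set(rule.get("verbs", []))
    return "*" in rule.get("resources", []) and bool(WRITE_VERBS & verbs)

def audit(items, known_roles, known_daemonsets):
    """Flag near-admin ClusterRoles, their bindings and DaemonSets outside the baseline."""
    risky = {i["metadata"]["name"] for i in items
             if i["kind"] == "ClusterRole"
             and i["metadata"]["name"] not in known_roles
             and any(broad_rule(r) for r in i.get("rules") or [])}
    findings = [("ClusterRole", n, "write access to all resources") for n in sorted(risky)]
    for i in items:
        meta = i["metadata"]
        if i["kind"] == "ClusterRoleBinding" and i["roleRef"]["name"] in risky:
            for s in i.get("subjects") or []:
                findings.append(("ClusterRoleBinding", meta["name"], f'{s["kind"]}:{s["name"]}'))
        elif i["kind"] == "DaemonSet":
            key = f'{meta["namespace"]}/{meta["name"]}'
            if key not in known_daemonsets:
                images = [c["image"] for c in i["spec"]["template"]["spec"]["containers"]]
                findings.append(("DaemonSet", key, ",".join(images)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ITEMS, {"cluster-admin"}, {"kube-system/kube-proxy"}):
        print(finding)
```

The baselines matter: several built-in controller roles legitimately hold wildcard write rules, so the allowlist should be taken from a known-good snapshot of the cluster rather than hard-coded.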


News URL

https://thehackernews.com/2023/04/kubernetes-rbac-exploited-in-large.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Kubernetes 18 12 49 23 5 89