Security News > 2023 > April > Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining

Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining
2023-04-21 13:26

A large-scale attack campaign discovered in the wild has been exploiting Kubernetes Role-Based Access Control to create backdoors and run cryptocurrency miners.

The Israeli company, which dubbed the attack RBAC Buster, said it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign.

The attack chain commenced with the attacker gaining initial access via a misconfigured API server, followed by checking for evidence of competing miner malware on the compromised server and then using RBAC to set up persistence.

"The attacker created a new ClusterRole with near admin-level privileges," the company said.

In the intrusion observed against its K8s honeypots, the attacker attempted to weaponize the exposed AWS access keys to obtain an entrenched foothold into the environment, steal data, and escape the confines of the cluster.

The final step of the attack entailed the threat actor creating a DaemonSet to deploy a container image hosted on Docker on all nodes.


News URL

https://thehackernews.com/2023/04/kubernetes-rbac-exploited-in-large.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Kubernetes 19 5 45 34 8 92