The attacks target Kubernetes clusters running Kubeflow machine learning (ML) instances, attempting to deploy malicious containers that mine the Monero and Ethereum cryptocurrencies.
The attack appears to have started towards the end of May, when Microsoft security researchers observed a sudden increase in deployments of TensorFlow machine learning pods.
The burst of deployments on the various clusters was simultaneous.
This indicates that the attackers scanned those clusters in advance and maintained a list of potential targets, which were later attacked at the same time.
Attackers are Mining for Monero and Ethereum
The pods themselves are legitimate images from the official Docker Hub repository, but the attackers appear to have modified them to mine cryptocurrency on compromised Kubernetes clusters, deploying them as ML pipelines through the Kubeflow Pipelines platform.
To gain initial access to the clusters and deploy the cryptocurrency miners, the attackers use Internet-exposed Kubeflow dashboards, which should be reachable only locally. The threat actors then deploy two separate pods on each hacked cluster: one for CPU mining and one for GPU mining.
What Pods are Being Used?
The attackers are using a minimum of two pods, XMRig and Ethminer.
XMRig is a high-performance, open-source, cross-platform RandomX, KawPow, CryptoNight, and AstroBWT unified CPU/GPU miner and RandomX benchmark that can be configured through the JSON config file.
Ethminer is an Ethash GPU mining worker that can mine every coin relying on an Ethash Proof of Work, including Ethereum, Ethereum Classic, Metaverse, Musicoin, Ellaism, Pirl, Expanse, and others.
XMRig is being used to mine Monero using the CPU, while Ethminer is installed to mine Ethereum on the GPU.
The malicious pods used in this active campaign follow the naming pattern sequential-pipeline-{random pattern}.
This specific campaign is coming soon after a similar one that took place in April last year, which also abused powerful Kubernetes clusters as part of a large-scale cryptomining campaign.
Back in 2020, the attackers also used Kubeflow Pipelines to deploy ML pipelines. Although Microsoft had detected several other campaigns targeting Kubernetes clusters through Internet-exposed services in the past, the April 2020 campaign was the first time an attack specifically targeted Kubeflow environments.
Admins were advised to always enable authentication on Kubeflow dashboards if they expose them to the Internet, and to continuously monitor their environments (containers, images, and the processes they run).
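As an added example (not from the original article or from Microsoft's research), the following defender-side check applies the two indicators described above, the sequential-pipeline-* pod name and a container that references XMRig or Ethminer, to the JSON that `kubectl get pods -A -o json` returns. The pod list, image names and miner command lines are constructed sample data.

```python
import json
import re

# Constructed sample of `kubectl get pods -A -o json` output (not real cluster data).
# Two pods reuse stock TensorFlow images but carry a miner on the command line;
# the third is a benign Kubeflow component that must not be flagged.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "sequential-pipeline-x7k2q", "namespace": "kubeflow"},
         "spec": {"containers": [{"name": "main", "image": "tensorflow/tensorflow:latest",
                                  "command": ["xmrig", "-o", "pool.example:3333"]}]}},
        {"metadata": {"name": "sequential-pipeline-p9m3z", "namespace": "kubeflow"},
         "spec": {"containers": [{"name": "main", "image": "tensorflow/tensorflow:latest-gpu",
                                  "args": ["ethminer", "-U", "-P", "stratum+tcp://pool.example:4444"]}]}},
        {"metadata": {"name": "ml-pipeline-ui-6c8d9", "namespace": "kubeflow"},
         "spec": {"containers": [{"name": "ml-pipeline-ui", "image": "gcr.io/ml-pipeline/frontend:1.0.0"}]}},
    ]
})

# Indicator 1: pod naming pattern reported for this campaign.
NAME_PATTERN = re.compile(r"^sequential-pipeline-")
# Indicator 2: the two miners reported for this campaign, anywhere in image or command line.
MINER_PATTERN = re.compile(r"\b(xmrig|ethminer)\b", re.IGNORECASE)


def find_suspicious_pods(pods_json: str) -> list:
    """Return one finding per pod that matches either indicator, with the reasons."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta = pod.get("metadata", {})
        name, namespace = meta.get("name", ""), meta.get("namespace", "")
        reasons = []
        if NAME_PATTERN.search(name):
            reasons.append("name matches sequential-pipeline-* campaign pattern")
        for container in pod.get("spec", {}).get("containers", []):
            # The image is a legitimate TensorFlow build in this campaign, so the
            # miner only shows up in command/args; check image, command and args together.
            cmdline = " ".join(container.get("command", []) + container.get("args", []) + [container.get("image", "")])
            match = MINER_PATTERN.search(cmdline)
            if match:
                reasons.append(f"container {container.get('name')} references miner '{match.group(1).lower()}'")
        if reasons:
            findings.append({"namespace": namespace, "pod": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_suspicious_pods(SAMPLE_PODS_JSON), indent=2))
```

Against a live cluster, pipe `kubectl get pods -A -o json` into `find_suspicious_pods` on a schedule and alert on any non-empty result; the name rule alone will also catch pods whose miner is fetched at runtime rather than named on the command line.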
Researchers from Unit 42 also shared important information on Siloscape, the first known malware targeting Windows containers. Unlike other malware, which focuses primarily on cryptojacking, its end goal is compromising and backdooring Kubernetes clusters.
Siloscape is meant to expose the compromised infrastructure to a broader range of malicious pursuits like ransomware attacks, credential theft, data exfiltration, and even highly disastrous supply chain attacks.