Threat Actors Deploying Cryptominers
A hacking campaign is targeting Kubernetes environments using misconfigured Argo Workflows to deploy cryptominers, according to a report by the security firm Intezer.
Argo Workflows is an open-source workflow engine for running multi-step jobs as containers on Kubernetes, one of the most widely adopted container orchestration platforms for automating the deployment, scaling and management of containerized applications.
Intezer researchers note that the problem is not a software flaw but a misconfiguration: Argo Workflows instances whose dashboard and API are reachable from the internet with permissions that let any visitor submit a workflow, which gives threat actors the ability to run code of their choosing in the victim's cluster.
Attackers are exploiting the misconfiguration to deploy XMRig, a miner for the monero cryptocurrency, according to Intezer. Researchers identified one attack in the wild involving a Kubernetes cluster that had been running for nine months.
“In instances when permissions are misconfigured, it is possible for an attacker to access an open Argo dashboard and submit their own workflow. In one cluster, we noticed that a popular cryptocurrency mining container, kannix/monero-miner, was being deployed,” the report notes. “Its ease of use allowed it to be conveniently used by threat actors of any skill level to conduct cryptojacking; since all that was required was to change the address of who the mined cryptocurrency would be deposited to.”
Risk of Exposed Nodes
A 2020 report by the Cloud Native Computing Foundation found that 91% of its respondents used Kubernetes; this was a sharp rise from 78% in 2019 and 58% in 2018.
Because the Intezer researchers were able to find several unprotected Argo Workflows instances, a compromise could have a far-reaching impact on Kubernetes users: an exposed instance can leak a host of sensitive information about the cluster and its workloads.
“While studying the impact of exposed Argo Workflows instances, we discovered a number of unprotected instances, operated by companies in several industries including technology, finance and logistics,” the report notes. “Exposed instances can contain sensitive information such as code, credentials and private container image names. We also discovered that in many instances, permissions are configured which allow any visiting user to deploy workflows.”
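The two findings quoted above (an argo-server that lets any visitor submit workflows, and workflows pulling a known miner image such as kannix/monero-miner) can both be checked from the cluster's own API objects. The following is an added example written for this article; it is not code from the Intezer report or from the Argo project. It consumes JSON in the shape that `kubectl get workflows -A -o json`, `kubectl get deploy argo-server -o json` and `kubectl get svc -o json` emit, but the SAMPLE_* objects below are constructed inline so it runs offline. The `--auth-mode` flag of argo-server is real; the "server" mode lets unauthenticated callers act with the argo-server service account, "client" requires a bearer token. The risk labels and the miner image patterns are the author's choices.

```python
"""Triage helpers for an Argo Workflows installation exposed the way the
Intezer report describes. Added example; not Intezer's or Argo's code.
Input objects follow the `kubectl get ... -o json` layout."""
import re

# Image references the article names. kannix/monero-miner is matched on its
# repository path; anything containing "xmrig" is matched case-insensitively.
MINER_IMAGE_PATTERNS = [
    re.compile(r"(^|/)kannix/monero-miner(?=[:@]|$)"),
    re.compile(r"xmrig", re.IGNORECASE),
]


def _template_images(wf):
    """Yield (template name, image) for container, script and containerSet templates."""
    for tmpl in wf.get("spec", {}).get("templates", []):
        name = tmpl.get("name", "?")
        for kind in ("container", "script"):
            if tmpl.get(kind, {}).get("image"):
                yield name, tmpl[kind]["image"]
        for c in tmpl.get("containerSet", {}).get("containers", []):
            if c.get("image"):
                yield name, c["image"]


def find_miner_workflows(workflow_list):
    """Return (namespace, workflow, template, image) for each workflow that pulls a miner image."""
    hits = []
    for wf in workflow_list.get("items", []):
        meta = wf.get("metadata", {})
        for tmpl_name, image in _template_images(wf):
            if any(p.search(image) for p in MINER_IMAGE_PATTERNS):
                hits.append((meta.get("namespace"), meta.get("name"), tmpl_name, image))
    return hits


def argo_server_auth_modes(deployment):
    """Return every --auth-mode value passed to the argo-server container, in order.

    Accepts both "--auth-mode=client" and "--auth-mode", "client" argument forms;
    the flag may legitimately appear more than once.
    """
    modes = []
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod.get("containers", []):
        args = list(c.get("args", []))
        for i, a in enumerate(args):
            if a.startswith("--auth-mode="):
                modes.append(a.split("=", 1)[1])
            elif a == "--auth-mode" and i + 1 < len(args):
                modes.append(args[i + 1])
    return modes


def _selects(service, pod_labels):
    """True if the Service selector matches the pod template labels."""
    sel = service.get("spec", {}).get("selector") or {}
    return bool(sel) and all(pod_labels.get(k) == v for k, v in sel.items())


def argo_server_exposure(deployment, service_list):
    """Classify an argo-server Deployment.

    external:  a NodePort or LoadBalancer Service selects its pods (an Ingress would
               also expose it; not modelled here).
    anonymous: "server" is among the auth modes, so unauthenticated callers act with
               the argo-server service account and can submit workflows.
    risk:      "high" if both, "medium" if either, otherwise "low" (author's scale).
    """
    modes = argo_server_auth_modes(deployment)
    pod_labels = (deployment.get("spec", {}).get("template", {})
                  .get("metadata", {}).get("labels", {}))
    external = any(
        s.get("spec", {}).get("type") in ("NodePort", "LoadBalancer") and _selects(s, pod_labels)
        for s in service_list.get("items", [])
    )
    anonymous = "server" in modes
    risk = "high" if (external and anonymous) else "medium" if (external or anonymous) else "low"
    return {"auth_modes": modes, "external": external, "anonymous": anonymous, "risk": risk}


# Constructed sample objects (not real cluster data).
SAMPLE_WORKFLOWS = {"items": [
    {"metadata": {"namespace": "argo", "name": "nightly-build"},
     "spec": {"templates": [{"name": "build", "container": {"image": "golang:1.16"}}]}},
    {"metadata": {"namespace": "argo", "name": "wf-x7k2"},
     "spec": {"templates": [{"name": "main", "container": {"image": "kannix/monero-miner:latest"}}]}},
]}
SAMPLE_ARGO_SERVER = {"spec": {"template": {
    "metadata": {"labels": {"app": "argo-server"}},
    "spec": {"containers": [{"name": "argo-server", "args": ["server", "--auth-mode=server"]}]},
}}}
SAMPLE_SERVICES = {"items": [
    {"metadata": {"name": "argo-server"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "argo-server"}}},
]}

if __name__ == "__main__":
    print("miner workflows:", find_miner_workflows(SAMPLE_WORKFLOWS))
    print("argo-server:", argo_server_exposure(SAMPLE_ARGO_SERVER, SAMPLE_SERVICES))
```

On the sample data the server is flagged "high": it is behind a LoadBalancer and runs with `--auth-mode=server`. Switching the container args to `--auth-mode=client` (or `sso`) drops it to "medium", since it is still reachable from outside but now requires a token; the remaining step is to keep the argo-server service account's RBAC limited to what the UI needs, so that a leaked token cannot create arbitrary workloads either.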
Kubernetes, which was originally developed by Google and is now maintained under the Cloud Native Computing Foundation, has been extensively targeted by threat actors as part of cryptojacking and other malicious campaigns.
For instance, in June, researchers at Palo Alto Networks’ Unit 42 reported on a TeamTNT campaign that targeted Kubernetes clusters and created new malware called Black-T that integrated with open-source cloud-native tools to assist in their cryptojacking operations (see: TeamTNT Reportedly Eyes Credentials of AWS, Google Cloud).
Another report by Unit 42 uncovered a malware variant that targeted poorly protected or misconfigured Windows containers to access Kubernetes clusters (see: Siloscape Malware Reportedly Targeting Windows Containers).