Researchers have spotted what they describe as the first malicious cryptocurrency mining campaign that targets Kubernetes clusters to mine Dero. The operation reportedly started last month.
The Dero cryptojacking operation focuses on finding Kubernetes clusters whose API server allows anonymous access, including API servers exposed to the internet on non-standard ports.
This development shows threat actors shifting away from Monero, even though Monero remains the cryptocurrency most commonly mined in such attacks. Analysts claimed that Dero offers larger rewards and stronger anonymising features than Monero.
The operators of the new cryptomining attack that uses Kubernetes clusters are currently unknown.
According to investigations, the new cryptojacking attacks come from an unknown group of financially motivated actors. The campaign starts by scanning for Kubernetes clusters running with “--anonymous-auth=true”, which lets the threat actors make unauthenticated requests to the API server.
The actors then drop the initial payloads from three different United States-based IP addresses.
The campaign deploys a Kubernetes DaemonSet named “proxy-API”, which the actors use to place a malicious pod on every node of the cluster and start the mining operation.
The DaemonSet’s YAML specifies a Docker image containing a binary named pause, which is in reality the Dero coin miner.
Cybersecurity experts noted that Kubernetes itself uses pause containers to bootstrap pods in legitimate deployments. Hence, the attackers probably chose this name to blend in with normal cluster activity and evade detection.
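The following audit script is an added example for defenders and is not code from the article or from the reported campaign. It reads a kube-apiserver static pod manifest and a ClusterRoleBinding list in the JSON shape that kubectl can emit, reports whether anonymous authentication is left on, lists non-default bindings that grant rights to anonymous or unauthenticated callers, and shows the corrected flag. Both inputs are constructed sample data embedded inline; the manifest image tag and the “open-cluster” binding name are made up. One caveat the script encodes: “--anonymous-auth” defaults to true on kube-apiserver, so an absent flag is treated as enabled, and what an anonymous caller can actually do is decided by RBAC, which is why the binding check matters as much as the flag.

```python
import json
from typing import Dict, List

# Constructed kube-apiserver static pod manifest (the JSON form of the YAML
# normally kept under /etc/kubernetes/manifests/). The flag value is the weak
# setting the article describes; the image tag is a made-up sample.
APISERVER_MANIFEST = json.dumps({
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
    "spec": {"containers": [{
        "name": "kube-apiserver",
        "image": "registry.k8s.io/kube-apiserver:v1.26.0",
        "command": [
            "kube-apiserver",
            "--anonymous-auth=true",
            "--authorization-mode=Node,RBAC",
            "--secure-port=6443",
        ],
    }]},
})

# Constructed ClusterRoleBinding list (shape of `kubectl get clusterrolebindings -o json`).
# The first binding is one Kubernetes ships by default; the second (made-up name
# "open-cluster") hands cluster-admin to anonymous callers, the exposure the campaign needs.
BINDINGS = json.dumps({
    "apiVersion": "v1", "kind": "List", "items": [
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "system:public-info-viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
         "subjects": [{"kind": "Group", "name": "system:unauthenticated"},
                      {"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "open-cluster"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    ]})

# Principals an unauthenticated request is mapped to when anonymous auth is on.
ANON_PRINCIPALS = {"system:anonymous", "system:unauthenticated"}
# Default binding that only exposes discovery endpoints such as /healthz and /version.
DEFAULT_ANON_BINDINGS = {"system:public-info-viewer"}


def anonymous_auth_enabled(manifest_json: str) -> bool:
    """True if the apiserver command line leaves anonymous auth on.
    The flag defaults to true, so a missing flag counts as enabled."""
    pod = json.loads(manifest_json)
    for container in pod["spec"]["containers"]:
        argv = container.get("command", []) + container.get("args", [])
        for arg in argv:
            if arg.startswith("--anonymous-auth="):
                return arg.split("=", 1)[1].strip().lower() == "true"
    return True


def anonymous_grants(bindings_json: str) -> List[Dict[str, str]]:
    """Non-default bindings that give rights to anonymous/unauthenticated callers."""
    findings = []
    for b in json.loads(bindings_json)["items"]:
        name = b["metadata"]["name"]
        if name in DEFAULT_ANON_BINDINGS:
            continue
        for subject in b.get("subjects", []):
            if subject.get("name") in ANON_PRINCIPALS:
                findings.append({"binding": name, "subject": subject["name"],
                                 "role": b["roleRef"]["name"]})
    return findings


def hardened_command(command: List[str]) -> List[str]:
    """Rewrite the apiserver argv with anonymous auth explicitly disabled."""
    fixed = [a for a in command if not a.startswith("--anonymous-auth=")]
    fixed.insert(1, "--anonymous-auth=false")
    return fixed


if __name__ == "__main__":
    print("anonymous auth on:", anonymous_auth_enabled(APISERVER_MANIFEST))
    for f in anonymous_grants(BINDINGS):
        print(f"binding {f['binding']} grants {f['role']} to {f['subject']}")
    cmd = json.loads(APISERVER_MANIFEST)["spec"]["containers"][0]["command"]
    print("hardened:", " ".join(hardened_command(cmd)))
```

On a real cluster, feed the script the output of `kubectl get clusterrolebindings -o json` and the apiserver manifest from a control-plane node; a managed cluster may not expose the manifest, in which case the binding check is the one that still applies.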
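To turn the two indicators from the paragraphs above (a DaemonSet named proxy-API, and a “pause” image that does not come from the Kubernetes registry) into a check a defender can run, here is an added example written for this page; it is not code from the article, the researchers, or the campaign. It inspects a DaemonSet list in the JSON shape of `kubectl get daemonsets -A -o json`, normalises each container image to its repository, and returns one finding per matched indicator. The sample list is constructed: the kube-proxy entry stands in for a normal cluster workload, and the image name under docker.io is made up. The trusted registry prefixes for the genuine pause image are real (registry.k8s.io and the older k8s.gcr.io).

```python
import json
from typing import Dict, List

# Registries that ship the genuine Kubernetes pause image; a "pause" image
# pulled from anywhere else deserves a closer look.
TRUSTED_PAUSE_PREFIXES = ("registry.k8s.io/pause", "k8s.gcr.io/pause")
# DaemonSet name reported for the campaign, compared case-insensitively.
SUSPICIOUS_NAMES = {"proxy-api"}

# Constructed DaemonSet list (shape of `kubectl get daemonsets -A -o json`).
DAEMONSETS = json.dumps({"items": [
    {   # legitimate: kube-proxy running on every node
        "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
        "spec": {"template": {"spec": {"containers": [
            {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.26.0"}]}}},
    },
    {   # modelled on the campaign: "proxy-API" with a miner disguised as a pause image
        "metadata": {"name": "proxy-API", "namespace": "default"},
        "spec": {"template": {"spec": {"containers": [
            {"name": "pause", "image": "docker.io/example/pause:latest",  # made-up image
             "command": ["/pause"]}]}}},
    },
]})


def image_repo(image: str) -> str:
    """Strip tag and digest: 'reg/pause:3.9@sha256:...' -> 'reg/pause'."""
    image = image.split("@", 1)[0]
    head, _, last = image.rpartition("/")
    if ":" in last:
        last = last.split(":", 1)[0]
    return f"{head}/{last}" if head else last


def inspect_daemonsets(ds_list_json: str) -> List[Dict[str, str]]:
    """Return one finding per indicator matched across all DaemonSets."""
    findings = []
    for ds in json.loads(ds_list_json)["items"]:
        meta = ds["metadata"]
        ident = f"{meta['namespace']}/{meta['name']}"
        if meta["name"].lower() in SUSPICIOUS_NAMES:
            findings.append({"daemonset": ident, "indicator": "name-matches-campaign"})
        pod_spec = ds["spec"]["template"]["spec"]
        for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
            repo = image_repo(c["image"])
            looks_like_pause = repo == "pause" or repo.endswith("/pause")
            if looks_like_pause and not repo.startswith(TRUSTED_PAUSE_PREFIXES):
                findings.append({"daemonset": ident,
                                 "indicator": "pause-image-untrusted-registry",
                                 "image": c["image"]})
    return findings


if __name__ == "__main__":
    for f in inspect_daemonsets(DAEMONSETS):
        print(f)
```

The name match is a point indicator that the next campaign will simply rename, as the competing Monero operation mentioned below already shows by hunting for that same name; the image check is the more durable of the two, and the same repository normalisation can be reused against Deployments or bare Pods, since only the path to the pod template differs.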
A separate research team also reported a similar Monero-mining operation targeting exposed Kubernetes clusters; it attempts to remove any existing proxy-API DaemonSet linked to the Dero cryptojacking operation.
These events expose the ongoing conflict between cryptojacking groups competing for cloud resources, since each group needs to seize and retain control of the targeted machines and extract everything it can from them.
Researchers should note and study the behaviour of these attacks, since more and more threat actors will upgrade their tooling to take down their competitors.
