Threat actors exploit the Kubernetes RBAC to run cryptomining

May 9, 2023

Threat actors are running a large-scale cybercriminal campaign that abuses Kubernetes RBAC (Role-Based Access Control) to create backdoors and run crypto miners. The actors also deploy DaemonSets to hijack and control the compute resources of the clusters they infect.

An Israeli security company that monitors Kubernetes attacks reported discovering about 60 exposed K8s clusters that the actors have already compromised in this ongoing campaign.

The Kubernetes RBAC attack begins after the actors obtain access through a poorly configured server.

According to the investigation, the Kubernetes RBAC attack chain starts with the threat actors gaining initial access through a misconfigured API server. The attackers then scan the compromised server for evidence of competing miner malware and use RBAC to establish persistence.

Researchers found that the actors behind these attacks created a new ClusterRole with admin-level privileges. The attackers also created a ServiceAccount named 'kube-controller' in the system namespace.

The adversaries then create a ClusterRoleBinding that binds the ClusterRole to the ServiceAccount, giving them strong persistence on the targeted cluster.

Based on reports, during the intrusion into the K8s clusters the attackers also tried to weaponise publicly exposed AWS access keys to gain a foothold in the surrounding infrastructure, steal data, and escape the confines of the cluster.

In the final stage of the attack, the threat actors create a DaemonSet that launches a container image hosted on Docker Hub on every node. The container runs a cryptocurrency miner that consumes the resources of the targeted system.

Experts explained that the container image is named ‘kuberntesio/kube-controller,’ a typosquatted name impersonating a legitimate account. The image also spoofs the widely used kube-controller-manager container image, an essential part of the control plane that runs in a Pod on every control-plane node and is responsible for detecting and responding to node failures.
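As an added detection example (not code from the article or the researchers' report), the following Python scans kube-apiserver audit events for the three artefacts this chain leaves behind: a ClusterRole with wildcard rules, a ClusterRoleBinding that hands that role to a ServiceAccount, and a DaemonSet whose image namespace only resembles a well-known publisher. The audit events, the object names and tags, and the `KNOWN_REPOS` set are constructed assumptions.

```python
import difflib

# Publisher namespaces on Docker Hub that impostors tend to imitate (assumption: extend
# with the registries/namespaces your clusters actually pull from).
KNOWN_REPOS = {"kubernetesio", "library"}

# Constructed audit events shaped like audit.k8s.io/v1 Events with requestObject included.
AUDIT_EVENTS = [
    {"verb": "create", "objectRef": {"resource": "clusterroles", "name": "kube-controller"},
     "requestObject": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}},
    {"verb": "create", "objectRef": {"resource": "clusterrolebindings", "name": "system:kube-controller"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "kube-controller"},
                       "subjects": [{"kind": "ServiceAccount", "name": "kube-controller", "namespace": "kube-system"}]}},
    {"verb": "create", "objectRef": {"resource": "daemonsets", "namespace": "kube-system", "name": "kube-controller"},
     "requestObject": {"spec": {"template": {"spec": {"containers": [{"image": "kuberntesio/kube-controller"}]}}}}},
    {"verb": "create", "objectRef": {"resource": "daemonsets", "namespace": "monitoring", "name": "node-exporter"},
     "requestObject": {"spec": {"template": {"spec": {"containers": [{"image": "prom/node-exporter:v1.5.0"}]}}}}},
]

def wildcard_rule(rule):
    """True when one RBAC rule grants every verb on every resource."""
    return "*" in rule.get("verbs", []) and "*" in rule.get("resources", [])

def lookalike_repo(image, threshold=0.85):
    """Return the known namespace an image's first path segment resembles but does not equal, else None."""
    repo = image.split("/")[0] if "/" in image else "library"  # bare names resolve to library/
    if repo in KNOWN_REPOS:
        return None
    for legit in KNOWN_REPOS:
        if difflib.SequenceMatcher(None, repo, legit).ratio() >= threshold:
            return legit
    return None

def analyze(events):
    """Walk events in order (audit logs are chronological) and return (finding, detail) tuples."""
    admin_roles, findings = set(), []
    for ev in events:
        if ev.get("verb") != "create":
            continue
        kind, name, body = ev["objectRef"]["resource"], ev["objectRef"]["name"], ev.get("requestObject", {})
        if kind == "clusterroles" and any(wildcard_rule(r) for r in body.get("rules", [])):
            admin_roles.add(name)
            findings.append(("wildcard-clusterrole", name))
        elif kind == "clusterrolebindings" and body.get("roleRef", {}).get("name") in admin_roles:
            for s in body.get("subjects", []):
                if s.get("kind") == "ServiceAccount":
                    findings.append(("admin-binding-to-sa", f"{s.get('namespace')}/{s.get('name')}"))
        elif kind == "daemonsets":
            for c in body.get("spec", {}).get("template", {}).get("spec", {}).get("containers", []):
                legit = lookalike_repo(c.get("image", ""))
                if legit:
                    findings.append(("lookalike-daemonset-image", f"{c['image']} resembles {legit}/"))
    return findings
```

Fed a real audit log, the same three findings appearing close together in time are a strong signal of this chain; any one of them alone still merits review.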

Some experts note that the tactics used in this new campaign overlap with another crypto mining operation that abuses DaemonSets to mine Monero and Dero. However, there is no confirmation that the two cryptomining campaigns are affiliated.
