Microsoft warns of mining attacks on Kubernetes clusters

attacks on Kubernetes clusters

Microsoft has warned of ongoing attacks on Kubernetes clusters running Kubeflow (an open source project that allows running super powerful machine learning computing on top of Kubernetes clusters).

Criminals use them to deploy malicious containers that mine Monero and Ethereum cryptocurrencies.

Researchers say the attacks appear to be a continuation of a campaign that was discovered last April. Although that campaign peaked in June and then dwindled, new attacks began in late May 2021 when researchers noticed a sudden increase in deployments of the open source machine learning library TensorFlow, adapted for mining.

This is not the first time we see attackers use legitimate images for running their malicious code. Particularly in this case, the existence of TensorFlow images in the cluster makes a lot of sense: It’s not uncommon to find TensorFlow containers in a ML workload. If the images in the cluster are monitored, usage of legitimate image can prevent attackers from being discovered.Report Microsoft researchers.

In this case, deployments in different clusters occurred simultaneously.

The burst of deployments on the various clusters was simultaneous. This indicates that the attackers scanned those clusters in advance and maintained a list of potential targets, which were later attacked on the same time.specialists write.

Although the pods used by the hackers were taken from the official Docker Hub repository, they were modified to mine cryptocurrency. At the same time, all pods are named according to the sequential-pipeline-{random pattern} pattern, which now makes it quite easy to detect possible compromises.

attacks on Kubernetes clusters

According to the company, in order to gain access to clusters and deploy miners to them, attackers search the network for incorrectly configured and publicly available Kubeflow dashboards that should be open only for local access.

Attackers deploy at least two separate modules on each of the compromised clusters: one for CPU mining and the other for GPU mining. So, XMRig is used to mine Monero using a CPU, and Ethminer is used to mine Ethereum on a GPU.

Microsoft recommends that administrators always enable authentication on Kubeflow dashboards if they cannot be isolated from the internet and control their environments (containers, images, and the processes they run).

Let me remind you that I wrote that Microsoft developed a SimuLand lab environment for simulating cyberattacks.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *