Attackers are abusing an attack vector present in Argo Workflows, one of
the most popular execution engines, to repurpose Kubernetes systems to
mine cryptocurrencies. The attack exploits a vulnerability in the
permission system of Argo Workflows machines connected to the internet,
deploying malicious workflows that install Monero-based mining
containers.
Attackers Leveraging Argo Workflows for Crypto Mining
A group of attackers discovered a new attack vector that uses a
vulnerability in the permission system of Argo Workflows, one of the
most widely used execution engines for Kubernetes, to install
cryptocurrency mining modules on machines connected to the internet.
This vulnerability means that every instance of Kubernetes, one of the
most widely used cloud computing systems, could be used to mine Monero
if it is paired with Argo Workflows.
A report from Intezer, a cybersecurity firm, says the company has
already identified infected nodes and others vulnerable to this attack.
The unprotected nodes allow any user to ping them and insert their own
workflows into the system. This means anyone can use the resources of a
vulnerable system and direct them to any task.
Luckily for attackers, there are several Monero-based cryptocurrency
mining containers that can be leveraged easily to start mining Monero
using these Kubernetes machines. Most of them are derived from
kannix/monero-miner, but there are more than 45 other containers
available to use. This is why security experts are anticipating
large-scale attacks involving this vulnerability.
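A defender can look for the container image named above in the workflows already present on a cluster. The following is an added example, not code from the article or from Intezer's report: it assumes the input is the JSON produced by `kubectl get workflows -A -o json`, the function names are hypothetical, and the marker list holds only the one image the article names.

```python
import json

# Image names treated as miner indicators. kannix/monero-miner is the image
# named in the article; extend the tuple from your own threat intelligence.
MINER_IMAGE_MARKERS = ("kannix/monero-miner",)


def template_images(template):
    """Yield every container image referenced by one Argo Workflow template."""
    for key in ("container", "script"):
        image = (template.get(key) or {}).get("image")
        if image:
            yield image
    containers = list(template.get("initContainers") or [])
    containers += template.get("sidecars") or []
    containers += (template.get("containerSet") or {}).get("containers") or []
    for c in containers:
        if c.get("image"):
            yield c["image"]


def find_miner_workflows(workflow_list, markers=MINER_IMAGE_MARKERS):
    """Return (namespace, name, image) for each workflow image matching a marker."""
    hits = []
    for wf in workflow_list.get("items", []):
        meta = wf.get("metadata", {})
        for tpl in (wf.get("spec") or {}).get("templates") or []:
            for image in template_images(tpl):
                # Substring match so registry prefixes and tags still hit.
                if any(m in image.lower() for m in markers):
                    hits.append((meta.get("namespace"), meta.get("name"), image))
    return hits


# Constructed sample in the shape of `kubectl get workflows -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "argo", "name": "nightly-build"},
   "spec": {"templates": [{"name": "build", "container": {"image": "golang:1.16"}}]}},
  {"metadata": {"namespace": "argo", "name": "wf-x7k2p"},
   "spec": {"templates": [
     {"name": "main", "container": {"image": "docker.io/kannix/monero-miner:latest"}},
     {"name": "side", "container": {"image": "alpine:3.14"},
      "sidecars": [{"name": "s", "image": "kannix/monero-miner"}]}]}}
]}
""")

if __name__ == "__main__":
    for ns, name, image in find_miner_workflows(SAMPLE):
        print(f"{ns}/{name}: {image}")
```

An image-name match only catches unmodified copies of a known container, so a clean result does not show that the server rejects workflows from unauthenticated users.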
Cloud Computing Vulnerability
This is just one of the recent attack vectors compromising cloud
computing platforms and being used to enable cryptocurrency mining. Just
last month, Microsoft reported a similar attack that also targeted
Kubernetes clusters with Kubeflow machine learning (ML) instances.
Attackers use the vulnerable nodes to mine Monero and also Ethereum
using Ethminer.
Attacks on this kind of platform started gaining traction back in April 2020, when Microsoft reported
an instance that caused tens of thousands of infections in just two
hours. These attacks have also prompted companies to change their
policies to avoid abuse. This is the case with Docker,
which had to put limits on the free tier of its product because
attackers were using its autobuild function to deploy cryptocurrency
miners on its free servers.
source link : https://news.bitcoin.com/kubernetes-clusters-used-to-mine-monero-by-attackers/