A large-scale attack campaign observed in the wild has exploited Kubernetes (K8s) Role-Based Access Control (RBAC) to create a backdoor and run cryptocurrency miners.
“The attackers also deployed DaemonSets to take over and hijack the resources of the K8s cluster they attacked,” cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack RBAC Buster, said it had found 60 exposed K8s clusters that had been exploited by the threat actor behind this campaign.
The attack chain begins with the attacker gaining initial access through a misconfigured API server that accepted unauthenticated (anonymous) requests, followed by a check for competing miner malware already on the compromised server, and then the use of RBAC to set up persistence.
“The attacker creates a new ClusterRole with admin-level privileges,” the company said. “Next, the attacker creates a ServiceAccount, ‘kube-controller’, in the ‘kube-system’ namespace. Finally, the attacker creates a ClusterRoleBinding, binding the ClusterRole with the ServiceAccount to create strong, unobtrusive persistence.”
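The three-object pattern above (wildcard ClusterRole, ServiceAccount in kube-system, ClusterRoleBinding between them) is easy to hunt for in a cluster dump. The script below is an added example, not Aqua's code or anything from the report: it reads the JSON that `kubectl get clusterroles,clusterrolebindings -o json` produces and flags every ClusterRoleBinding that hands an admin-level ClusterRole to a ServiceAccount outside an allow-list. A constructed sample dump mirroring the campaign's objects is embedded so it runs offline; the allow-list argument and the object names other than the campaign's are assumptions.

```python
"""Hunt for ClusterRoleBindings that grant an admin-level ClusterRole to a
ServiceAccount (the RBAC persistence pattern described in the article).

Added example, not Aqua's code. Input shape is kubectl's -o json "List".
"""
import json
import sys

# Constructed sample dump: two benign bindings plus the attacker's objects.
SAMPLE_DUMP = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "view"},
         "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
                    "verbs": ["get", "list", "watch"]}]},
        # Attacker-created role: every verb on every resource in every API group.
        {"kind": "ClusterRole", "metadata": {"name": "kube-controller"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-readonly"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
        # Attacker-created binding: admin role -> ServiceAccount in kube-system.
        {"kind": "ClusterRoleBinding", "metadata": {"name": "kube-controller"},
         "roleRef": {"kind": "ClusterRole", "name": "kube-controller"},
         "subjects": [{"kind": "ServiceAccount", "name": "kube-controller",
                       "namespace": "kube-system"}]},
    ],
})


def is_admin_role(role):
    """True if a single rule grants every verb on every resource.
    Both wildcards must sit in the same rule; '*' verbs on one resource and
    '*' resources with read-only verbs in another rule is not admin."""
    for rule in role.get("rules", []):
        if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
            return True
    return False


def find_sa_admin_bindings(dump_json, expected=frozenset()):
    """Return (binding, role, "namespace/serviceaccount") for every
    ClusterRoleBinding that binds an admin-level ClusterRole to a
    ServiceAccount not listed in `expected` (assumed allow-list)."""
    items = json.loads(dump_json)["items"]
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    findings = []
    for crb in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        ref = crb["roleRef"]
        role = roles.get(ref["name"]) if ref["kind"] == "ClusterRole" else None
        if role is None or not is_admin_role(role):
            continue
        for subj in crb.get("subjects", []):
            if subj.get("kind") != "ServiceAccount":
                continue
            key = f"{subj.get('namespace', 'default')}/{subj['name']}"
            if key not in expected:
                findings.append((crb["metadata"]["name"], ref["name"], key))
    return findings


if __name__ == "__main__":
    # Pipe a real dump in, or fall back to the constructed sample.
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for binding, role, sa in find_sa_admin_bindings(dump):
        print(f"SUSPICIOUS: ClusterRoleBinding {binding} grants {role} to ServiceAccount {sa}")
```

Run it against a live cluster with `kubectl get clusterroles,clusterrolebindings -o json | python3 rbac_hunt.py`, seeding `expected` with the ServiceAccounts your add-ons legitimately bind to cluster-admin. Aggregated ClusterRoles appear in the dump with their merged rules, so they are covered without special handling.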
In the intrusion observed on its K8s honeypots, the attackers also attempted to weaponize exposed AWS access keys to gain a foothold in the environment, steal data, and break out of the confines of the cluster.
The final step of the attack has the threat actor create a DaemonSet to deploy a container image hosted on Docker Hub (“kuberntesio/kube-controller:1.0.1”) on every node. The image, which has been pulled 14,399 times since it was uploaded five months ago, houses cryptocurrency miners.
“The container image named ‘kuberntesio/kube-controller’ is a case of typosquatting that impersonates the legitimate ‘kubernetesio’ account,” said Aqua. “The image also mimics the popular ‘kube-controller-manager’ container image, which is a critical component of the control plane, running inside a Pod on each master node, which is responsible for detecting and responding to node failures.”
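Both lures described above, a Docker Hub namespace one typo away from a well-known one and a control-plane-sounding image name pulled from outside the registries the control plane actually uses, can be checked mechanically. The script below is an added example, not Aqua's code: it reads the JSON from `kubectl get daemonsets -A -o json`, parses each container image reference, and flags typosquatted Docker Hub orgs (by edit distance against a known-org list) and `kube-*` images that do not come from a trusted registry. The trusted-registry and known-org lists are assumptions for illustration, and the sample dump is constructed, with only the campaign's image name taken from the article.

```python
"""Audit DaemonSet images for typosquatted Docker Hub orgs and
control-plane-looking images pulled from untrusted registries.

Added example, not Aqua's code. Input shape is kubectl's -o json "List".
"""
import json

TRUSTED_REGISTRIES = {"registry.k8s.io", "k8s.gcr.io"}   # assumption: where kube-* images should come from
KNOWN_HUB_ORGS = {"kubernetesio", "library", "fluent"}   # assumption: Docker Hub orgs you expect to see
CONTROL_PLANE_PREFIX = "kube-"

# Constructed sample: two benign DaemonSets plus one shaped like the campaign's.
SAMPLE_DUMP = json.dumps({"kind": "List", "items": [
    {"kind": "DaemonSet", "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.27.1"}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "fluent-bit", "namespace": "logging"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "fluent-bit", "image": "fluent/fluent-bit:2.1.2"}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "kube-controller", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-controller", "image": "kuberntesio/kube-controller:1.0.1"}]}}}},
]})


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_image(ref):
    """Split an image reference into (registry, org, name).
    A first path component containing '.' or ':' (or 'localhost') is a
    registry host; otherwise Docker Hub rules apply ('library' for
    single-segment names). Tag and digest are discarded."""
    ref = ref.split("@", 1)[0]
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, parts = parts[0], parts[1:]
    else:
        registry = "docker.io"
    name = parts[-1].rsplit(":", 1)[0]
    if len(parts) > 1:
        org = parts[0]
    else:
        org = "library" if registry == "docker.io" else ""
    return registry, org, name


def audit_daemonsets(dump_json, max_distance=2):
    """Return (namespace/daemonset, image, [reasons]) for each suspicious container."""
    findings = []
    for ds in json.loads(dump_json)["items"]:
        if ds.get("kind") != "DaemonSet":
            continue
        meta = ds["metadata"]
        for c in ds["spec"]["template"]["spec"]["containers"]:
            registry, org, name = parse_image(c["image"])
            reasons = []
            if registry == "docker.io" and org not in KNOWN_HUB_ORGS:
                near = sorted(k for k in KNOWN_HUB_ORGS if levenshtein(org, k) <= max_distance)
                if near:
                    reasons.append(f"org {org!r} is within {max_distance} edits of {near[0]!r}")
            if name.startswith(CONTROL_PLANE_PREFIX) and registry not in TRUSTED_REGISTRIES:
                reasons.append(f"control-plane-like image {name!r} pulled from {registry}")
            if reasons:
                findings.append((f"{meta['namespace']}/{meta['name']}", c["image"], reasons))
    return findings


if __name__ == "__main__":
    for workload, image, reasons in audit_daemonsets(SAMPLE_DUMP):
        print(f"SUSPICIOUS DaemonSet {workload} ({image}): " + "; ".join(reasons))
```

On the sample, only the `kube-system/kube-controller` DaemonSet is flagged, on both counts: `kuberntesio` is one edit from `kubernetesio`, and a `kube-` image is being pulled from docker.io rather than registry.k8s.io. The edit-distance check is deliberately loose; treat its output as a triage list, not a verdict.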
Interestingly, some of the tactics described in the campaign bear similarities to other illicit cryptocurrency mining operations that also use DaemonSets to mine Dero and Monero. It is currently unclear whether the two sets of attacks are linked.