Microsoft address the recent series of attacks negotiating Kubernetes cluster running Kubeflow machine learning (ML) occurrence to set up vicious containers that mine for Monero and Ethereum cryptocurrency.
The attacks had launched towards the last of May when Microsoft protection researchers discovered a rapid increment in TensorFlow machine learning pod setups.
Microsoft Senior Security Researchers Yossi Weizman states that “The explosion of setups on the different clusters was concurrent.” “This shows that the attackers browse those clusters in progress and preserve a list of possible targets, which are later attacked on the same time.”
Monero and Ethereum used Kubernetes cluster for Mining
While the pods were consistent from the official Docker Hub repository, the threat actors changed them to mine for cryptocurrency on negotiated Kubernetes cluster by setting up ML pipelines via the Kubeflow Pipelines platform.
To achieve first access to the cluster and set up the cryptocurrency miners, the threat actor utilizes the Internet-exposed Kubeflow dashboards, which should only be open to local access.
The attacker’s setups at least two partial pods on each of the hacked clusters: one for GPU mining and one for GPU mining. Ethminer is installed to mine Ethereum on the GPU whereas XMRig is used to mine Monero using the CPU.
The vicious pods used in this active campaign are known using the sequential-pipeline-{random pattern} pattern. Weizman addressed “The attack is still active, and Kubernetes clusters that run Kubeflow get negotiated.”
Extension of Past Attacks
This operation follows the same operation from April 2020, which also harmed powerful Kubernetes clusters as part of a large-scale cryptomining operation.
When the threat actors used Kubeflow pipelines to set up ML pipelines, unlike this operation, the April 2020 attacks harm Jupyter notebooks.
Although Microsoft recently discovers some other operations targeting Kubernetes clusters in the previous bursting Internet-exposed services, the April 2020 operation was the initial time when an attack only targets Kubeflow surroundings.
Admins are suggested to always facilitate authentication on Kubeflow dashboards if revealing them on the internet cannot be avoided and observed their surroundings (images, container, and the process they run).
In a similar broadcast, the investigators also transmit the information on Siloscape, (the First ever malware to target Windows container), with the end aim of negotiating and backdooring Kubernetes clusters. Siloscape reveals the negotiated infrastructure to a wider range of vicious pursuit, unlike other malware which targets cloud surroundings that majorly focus on crypto-jacking.
This includes ransomware attack, crucial information theft, data exfiltration and even more highly destructive supply chain attacks which offers the high risk to harm or theft the sensitive information of an individual.
