Attackers are actively abusing misconfigured Argo Workflows instances to deploy cryptocurrency miners on Kubernetes (K8s) clusters. Kubernetes is an open-source system that automates the deployment, scaling, and management of containerized workloads, services, and applications across clusters of hosts.
Argo Workflows is one of the best-known workflow execution engines for Kubernetes, designed to orchestrate parallel jobs in order to speed up compute-intensive machine learning or data processing jobs on Kubernetes clusters.
New Attack Vector Already Used in the Wild
“Threat actors are already taking advantage of this vector as we examined operators dropping cryptominers using this method in the wild,” Intezer security investigators Ryan Robinson and Nicole Fishbein revealed in a report posted earlier this week. Attackers gain access to such clusters via Internet-exposed Argo dashboards and deploy their malicious workflows using various Monero miner containers, including kannix/monero-miner, a defunct container that mines Monero using the XMRig CPU/GPU miner.
While kannix/monero-miner is no longer available on Docker Hub, attackers can pick from a few dozen other containers that do the same job: mining Monero cryptocurrency using the CPU or the GPU. The investigators added that broader-scale attacks should be expected, given that hundreds of Argo Workflows deployments with the wrong permissions are exposed to the Internet.
The two security investigators were able to identify exposed Argo Workflows instances belonging to organizations from numerous industry sectors, including technology, logistics, and finance. Admins are advised to always enable authentication on Argo Workflows dashboards if they can’t avoid exposing them on the Internet, and to monitor their environments (containers, images, and the processes they run) for suspicious activity.
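As an added example (not code from Intezer or the Argo project), the two checks advised above can be run over your own cluster's objects in the JSON shape that `kubectl get ... -o json` returns. The function names and sample objects are constructed for illustration; `--auth-mode server` is the Argo Server setting that lets the dashboard act with its own service account without a client login.

```python
# Names of miners mentioned in the article; a match is a lead to review, not proof.
MINER_HINTS = ("xmrig", "monero", "ethminer")

def weak_auth_modes(deployment):
    """Names of containers started with --auth-mode server (no client login needed)."""
    hits = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        args = c.get("args", [])
        modes = [a.split("=", 1)[1] for a in args if a.startswith("--auth-mode=")]
        modes += [args[i + 1] for i, a in enumerate(args[:-1]) if a == "--auth-mode"]
        # A missing flag is not reported: check the default for your Argo version.
        if "server" in modes:
            hits.append(c["name"])
    return hits

def suspicious_templates(workflow_list):
    """(namespace, workflow, template, image) for templates matching a miner hint."""
    found = []
    for wf in workflow_list.get("items", []):
        meta = wf["metadata"]
        for t in wf.get("spec", {}).get("templates", []):
            # DAG/steps templates have no container of their own and are skipped.
            runner = t.get("container") or t.get("script") or {}
            parts = [runner.get("image", "")] + runner.get("command", []) + runner.get("args", [])
            if any(h in " ".join(parts).lower() for h in MINER_HINTS):
                found.append((meta.get("namespace"), meta["name"], t.get("name"), runner.get("image")))
    return found

# Constructed sample input (not real cluster data).
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "argo-server", "args": ["server", "--auth-mode", "server"]}]}}}}
SAMPLE_WORKFLOWS = {"items": [
    {"metadata": {"namespace": "argo", "name": "wf-constructed-1"},
     "spec": {"templates": [
         {"name": "main", "container": {"image": "kannix/monero-miner"}}]}},
    {"metadata": {"namespace": "argo", "name": "wf-constructed-2"},
     "spec": {"templates": [
         {"name": "fanout", "dag": {"tasks": []}},
         {"name": "hello", "container": {"image": "alpine:3.19", "command": ["echo", "hi"]}}]}},
]}

if __name__ == "__main__":
    print("server auth mode:", weak_auth_modes(SAMPLE_DEPLOYMENT))
    print("miner-like templates:", suspicious_templates(SAMPLE_WORKFLOWS))
```

Name matching only catches miners that keep a recognizable image or command name, so treat it as a first pass alongside runtime process and resource monitoring.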
More Kubernetes Attack Vectors
Misconfigured Argo Workflows instances are the most recently observed attack vector; attackers have previously scanned for and exploited other security holes to breach Kubernetes clusters.
For instance, last month, Microsoft warned that a cryptomining group was targeting machine learning (ML) frameworks running on Kubernetes clusters using Internet-exposed Kubeflow dashboards. The threat actors used Kubeflow Pipelines to deploy ML pipelines running XMRig and Ethminer cryptocurrency miners for CPU and GPU cryptomining.
One year before, in April 2020, Microsoft found another large-scale cryptomining operation attempting to hijack Kubernetes clusters used for resource-hungry machine learning computing tasks by abusing Jupyter notebooks.
In June, Unit 42 investigators also found Siloscape, the first Trojan to target Windows containers with the end goal of backdooring Kubernetes clusters. Unlike other malware that targets cloud environments and mainly focuses on cryptojacking, Siloscape exposes the compromised servers to a broader range of malicious pursuits, which includes ransomware attacks, password hijacking, data exfiltration, and even supply chain attacks.