{"id":2620,"date":"2021-07-24T18:19:58","date_gmt":"2021-07-24T12:49:58","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2620"},"modified":"2021-07-24T18:20:00","modified_gmt":"2021-07-24T12:50:00","slug":"threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/","title":{"rendered":"Threat Actors Set up Cryptominers on Kubernetes cluster via Argo Workflows"},"content":{"rendered":"\n<p><p style=\"text-align: justify;\">Attackers are actively exploiting misconfigured Argo Workflows instances to set up cryptocurrency miners on Kubernetes (K8s) clusters. Kubernetes is an open-source system that automates the deployment, scaling, and management of containerized workloads, services, and applications across clusters of hosts.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Argo Workflows is one of the most well-known workflow execution engines for Kubernetes, designed to orchestrate parallel jobs to speed up compute-intensive machine learning or data processing jobs on Kubernetes clusters.<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>New Attack Vector Already Utilized in the Wild<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">\u201cThreat actors are already taking advantage of this vector as we examined operators dropping cryptominers using this method in the wild,\u201d Intezer security investigators Ryan Robinson and Nicole Fishbein revealed in a report posted earlier this week. 
Attackers gain access to such clusters via Internet-exposed Argo dashboards and deploy their malicious workflows using various Monero miner containers, including kannix\/monero-miner, a defunct container that mines for Monero using the XMRig CPU\/GPU miner.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">While kannix\/monero-miner is no longer available on Docker Hub, attackers can pick from a few dozen other containers that do the same job: mining Monero cryptocurrency using the CPU or the GPU. The investigators added that broader-scale attacks should be expected, given that hundreds of Argo Workflows setups with the wrong permissions are exposed to the Internet.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">The two security investigators were able to identify exposed Argo Workflows instances belonging to organizations from numerous industry sectors, including technology, logistics, and finance. Admins are advised to always enable authentication on Argo Workflows dashboards if they can\u2019t avoid exposing them to the Internet, and to monitor their environments (containers, images, and the processes they run) for suspicious activity.<\/p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"418\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Threat-Actors-Set-up-Cryptominers-on-Kubernetes-cluster-via-Argo-Workflows-image1-1024x418.png\" alt=\"Threat-Actors-Set-up-Cryptominers-on-Kubernetes-cluster-via-Argo-Workflows-image1\" class=\"wp-image-2623\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Threat-Actors-Set-up-Cryptominers-on-Kubernetes-cluster-via-Argo-Workflows-image1-1024x418.png 1024w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Threat-Actors-Set-up-Cryptominers-on-Kubernetes-cluster-via-Argo-Workflows-image1-300x122.png 300w, 
https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Threat-Actors-Set-up-Cryptominers-on-Kubernetes-cluster-via-Argo-Workflows-image1-768x313.png 768w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Threat-Actors-Set-up-Cryptominers-on-Kubernetes-cluster-via-Argo-Workflows-image1-1536x627.png 1536w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Threat-Actors-Set-up-Cryptominers-on-Kubernetes-cluster-via-Argo-Workflows-image1.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>More Kubernetes Attack Vectors<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">Misconfigured Argo Workflows instances are the most recently observed attack vector, with attackers previously scanning for and exploiting other security holes to breach Kubernetes clusters.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">For instance, last month, Microsoft warned that a cryptomining group was targeting machine learning (ML) frameworks running on Kubernetes clusters using Internet-exposed Kubeflow dashboards. The threat actors used Kubeflow Pipelines to set up ML pipelines running XMRig and Ethminer cryptocurrency miners for CPU and GPU cryptomining.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">One year before, in April 2020, Microsoft discovered another large-scale cryptomining operation attempting to hijack Kubernetes clusters used for resource-hungry machine learning computing tasks by exploiting Jupyter notebooks.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">In June, Unit 42 investigators also discovered Siloscape, the first Trojan to target Windows containers with the end goal of backdooring Kubernetes clusters. 
Unlike other malware that targets cloud environments and mainly focuses on cryptojacking, Siloscape exposes the compromised servers to a broader range of malicious activity, including ransomware attacks, password theft, data exfiltration, and even supply chain attacks.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers are actively exploiting misconfigured Argo Workflows instances to set up cryptocurrency miners on Kubernetes (K8s) clusters. Kubernetes is an open-source system that automates the deployment, scaling, and management of containerized workloads, services, and applications across clusters of hosts. Argo Workflows is one of the most well-known workflow execution engines for Kubernetes, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2622,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Threat Actors Set up Cryptominers on Kubernetes cluster via Argo Workflows - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Threat Actors Set up Cryptominers on Kubernetes cluster via Argo Workflows - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"Attackers are actively exploiting misconfigured Argo Workflows instances to set up cryptocurrency miners on Kubernetes (K8s) clusters. 
Kubernetes is an open-source system that automates the deployment, scaling, and management of containerized workloads, services, and applications across clusters of hosts. Argo Workflows is one of the most well-known workflow execution engines for Kubernetes, [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-24T12:49:58+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-24T12:50:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Threat-Actors-Set-up-Cryptominers-on-Kubernetes-cluster-via-Argo-Workflows-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"Threat Actors Set up Cryptominers on Kubernetes cluster via Argo Workflows\",\"datePublished\":\"2021-07-24T12:49:58+00:00\",\"dateModified\":\"2021-07-24T12:50:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/\"},\"wordCount\":446,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Breaches\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/\",\"url\":\"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/\",\"name\":\"Threat Actors Set up Cryptominers on Kubernetes cluster via Argo Workflows - Xiarch Solutions Private 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-07-24T12:49:58+00:00\",\"dateModified\":\"2021-07-24T12:50:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Threat Actors Set up Cryptominers on Kubernetes cluster via Argo Workflows\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Threat Actors Set up Cryptominers on Kubernetes cluster via Argo Workflows - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/","og_locale":"en_US","og_type":"article","og_title":"Threat Actors Set up Cryptominers on Kubernetes cluster via Argo Workflows - Xiarch Solutions Private Limited","og_description":"Attackers are actively exploiting misconfigured Argo Workflows instances to set up cryptocurrency miners on Kubernetes (K8s) clusters. Kubernetes is an open-source system that automates the deployment, scaling, and management of containerized workloads, services, and applications across clusters of hosts. Argo Workflows is one of the most well-known workflow execution engines for Kubernetes, [&hellip;]","og_url":"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-07-24T12:49:58+00:00","article_modified_time":"2021-07-24T12:50:00+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Threat-Actors-Set-up-Cryptominers-on-Kubernetes-cluster-via-Argo-Workflows-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"Threat Actors Set up Cryptominers on Kubernetes cluster via Argo Workflows","datePublished":"2021-07-24T12:49:58+00:00","dateModified":"2021-07-24T12:50:00+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/"},"wordCount":446,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Breaches"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/","url":"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/","name":"Threat Actors Set up Cryptominers on Kubernetes cluster via Argo Workflows - Xiarch Solutions Private 
Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-07-24T12:49:58+00:00","dateModified":"2021-07-24T12:50:00+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/threat-actors-set-up-cryptominers-on-kubernetes-cluster-via-argo-workflows\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Threat Actors Set up Cryptominers on Kubernetes cluster via Argo Workflows"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch 
Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2620"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=2620"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2620\/revisions"}],"predecessor-version":[{"id":2624,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2620\/revisions\/2624"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/2622"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=2620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=2620"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=2620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}