Thursday, April 18, 2024

Hackers Attack Kubernetes Cluster to Deploy Crypto-Miners

The cybersecurity experts at Intezer have recently detected a cyberattack, and soon after detecting they have warned that the threat actors of this attack are using the Argo Workflows engine to start attacks on Kubernetes clusters to easily deploy crypto miners.

After detecting the cyberattack, the researchers started their deep investigation, and they found a number of vulnerable receptacles which are specifically used by organizations that deal with the following sectors:-

  • Technology sector
  • Financial sector
  • Logistics sector

Hackers abused Argo

Argo Workflows is an open-source containerized workflow engine that generally serves with Kubernetes, and it enables users to efficiently control parallel jobs from a convenient interface.

Nowadays the threat actors are targetting Argo because it keeps a huge number of users connected. Argo Workflows utilizes YAML files to determine the type of work that is to be performed.

According to the experts of Interzer report, whenever the permissions are misconfigured then it becomes a convenient opportunity for the threat actors and they easily utilize this chance to get access to an open Argo dashboard and implement their own workflow. 

However, during the investigation, it also came out that the threat actors of this attack have also deployed a popular cryptocurrency mining container, kannix/monero miner.

A new attack vector that is already used in the wild

The threat actors are already taking advantage of the new vector, and it has also been detected that several operators are dropping crypto miners and are using this attack vector.

However, the experts claim that the hackers easily gain access to this kind of cluster through Internet-exposed Argo dashboards. 

Once they gain access, soon they deploy their own malicious workflows simply by using different Monero miner containers, which also involves kannix/monero-miner, a deceased container that generally mines Monero utilizing the XMRig CPU/GPU miner.

Mitigation Proposal

The analysts of Intezer pronounced that if any users want to check whether they are misconfigured or not, well in that case they simply try accessing the Argo Workflows dashboard from any unauthenticated incognito browser that is present outside the corporate setting.

Apart from this, there is another way to check, that is to put a query the API of the user instance and verify the status code. There is no specific method that will help to bypass this kind of attack, but the experts have asserted that methodologies like the principle of least privilege (PoLP) should be embraced.

Moreover, users always refer to the application documentation if they desire to have best practices on security. While apart from all these things, the security researchers are trying their best to find all the details of this attack as well as some strong reliable mitigation.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...

Phishing-as-a-Service Platform LabHost Seized by Authorities

Authorities have dismantled LabHost, a notorious cybercrime platform that facilitated widespread phishing attacks across...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles