Saturday, July 13, 2024

Hackers Attack Kubernetes Cluster to Deploy Crypto-Miners

The cybersecurity experts at Intezer have recently detected a cyberattack, and soon after detecting they have warned that the threat actors of this attack are using the Argo Workflows engine to start attacks on Kubernetes clusters to easily deploy crypto miners.

After detecting the cyberattack, the researchers started their deep investigation, and they found a number of vulnerable receptacles which are specifically used by organizations that deal with the following sectors:-

  • Technology sector
  • Financial sector
  • Logistics sector

Hackers abused Argo

Argo Workflows is an open-source containerized workflow engine that generally serves with Kubernetes, and it enables users to efficiently control parallel jobs from a convenient interface.

Nowadays the threat actors are targetting Argo because it keeps a huge number of users connected. Argo Workflows utilizes YAML files to determine the type of work that is to be performed.

According to the experts of Interzer report, whenever the permissions are misconfigured then it becomes a convenient opportunity for the threat actors and they easily utilize this chance to get access to an open Argo dashboard and implement their own workflow. 

However, during the investigation, it also came out that the threat actors of this attack have also deployed a popular cryptocurrency mining container, kannix/monero miner.

A new attack vector that is already used in the wild

The threat actors are already taking advantage of the new vector, and it has also been detected that several operators are dropping crypto miners and are using this attack vector.

However, the experts claim that the hackers easily gain access to this kind of cluster through Internet-exposed Argo dashboards. 

Once they gain access, soon they deploy their own malicious workflows simply by using different Monero miner containers, which also involves kannix/monero-miner, a deceased container that generally mines Monero utilizing the XMRig CPU/GPU miner.

Mitigation Proposal

The analysts of Intezer pronounced that if any users want to check whether they are misconfigured or not, well in that case they simply try accessing the Argo Workflows dashboard from any unauthenticated incognito browser that is present outside the corporate setting.

Apart from this, there is another way to check, that is to put a query the API of the user instance and verify the status code. There is no specific method that will help to bypass this kind of attack, but the experts have asserted that methodologies like the principle of least privilege (PoLP) should be embraced.

Moreover, users always refer to the application documentation if they desire to have best practices on security. While apart from all these things, the security researchers are trying their best to find all the details of this attack as well as some strong reliable mitigation.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles