Thursday, March 28, 2024

Hackers Attack Kubernetes Cluster to Deploy Crypto-Miners

The cybersecurity experts at Intezer have recently detected a cyberattack, and soon after detecting they have warned that the threat actors of this attack are using the Argo Workflows engine to start attacks on Kubernetes clusters to easily deploy crypto miners.

After detecting the cyberattack, the researchers started their deep investigation, and they found a number of vulnerable receptacles which are specifically used by organizations that deal with the following sectors:-

  • Technology sector
  • Financial sector
  • Logistics sector

Hackers abused Argo

Argo Workflows is an open-source containerized workflow engine that generally serves with Kubernetes, and it enables users to efficiently control parallel jobs from a convenient interface.

Nowadays the threat actors are targetting Argo because it keeps a huge number of users connected. Argo Workflows utilizes YAML files to determine the type of work that is to be performed.

According to the experts of Interzer report, whenever the permissions are misconfigured then it becomes a convenient opportunity for the threat actors and they easily utilize this chance to get access to an open Argo dashboard and implement their own workflow. 

However, during the investigation, it also came out that the threat actors of this attack have also deployed a popular cryptocurrency mining container, kannix/monero miner.

A new attack vector that is already used in the wild

The threat actors are already taking advantage of the new vector, and it has also been detected that several operators are dropping crypto miners and are using this attack vector.

However, the experts claim that the hackers easily gain access to this kind of cluster through Internet-exposed Argo dashboards. 

Once they gain access, soon they deploy their own malicious workflows simply by using different Monero miner containers, which also involves kannix/monero-miner, a deceased container that generally mines Monero utilizing the XMRig CPU/GPU miner.

Mitigation Proposal

The analysts of Intezer pronounced that if any users want to check whether they are misconfigured or not, well in that case they simply try accessing the Argo Workflows dashboard from any unauthenticated incognito browser that is present outside the corporate setting.

Apart from this, there is another way to check, that is to put a query the API of the user instance and verify the status code. There is no specific method that will help to bypass this kind of attack, but the experts have asserted that methodologies like the principle of least privilege (PoLP) should be embraced.

Moreover, users always refer to the application documentation if they desire to have best practices on security. While apart from all these things, the security researchers are trying their best to find all the details of this attack as well as some strong reliable mitigation.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles