XMRig Campaign Targets Misconfigured Kubernetes to Mine Cryptocurrency

Kubernetes clusters, due to their cloud computing capabilities and widespread use, are the perfect target for crypto-mining campaigns. A widespread XMRig Monero-mining campaign has been observed targeting misconfigured Kubernetes dashboards via Kubeflow.

Attacks targeting Kubeflow

  • In April 2020, Azure Security Center discovered a large-scale cryptocurrency mining attack against tens of Kubernetes clusters, and the attack still continues with more enhancements.
  • In June 2020, an attack campaign targeted Kubeflow, the machine-learning toolkit for Kubernetes, to deploy cryptominers such as XMRig. Kubeflow can be used as the entry point to run malicious images in the cluster.
  • In the same month, Kubernetes clusters that were configured to use certain container networking implementations (CNIs) were found vulnerable to Man-in-the-Middle (MitM) attacks. The bug can be exploited by sending rogue router advertisements.
  • In March 2020, two vulnerabilities were identified in Kubernetes Kube API Server (CVE-2020-8552) and Kubernetes Kubelet API (CVE-2020-8551), which could allow an unprivileged attacker to execute a DoS attack on the targeted systems by sending a specially crafted request or through API requests.

XMRig – the chosen mining payload

XMRig miner was actually designed as a legitimate cryptocurrency mining program to use 75% of CPU capacity. However, due to coding errors, it ended up utilizing 100% of the CPU. It is commonly used by threat actors to mine cryptocurrency.

  • In June 2020, Tor2Mine, a cryptocurrency mining group, deployed XMRig and additional malware on the targeted machines during their operations to harvest credentials and steal money.
  • In May 2020, Blue Mockingbird attackers leveraged a known vulnerability in unpatched versions of Telerik UI for ASP.NET and deployed XMRig payload in a dynamic-link library (DLL) form on Windows systems.

Stay safe

Users should apply RBAC (Role-Based Access Control) in the cluster and grant service accounts only the permissions they need. Allowing only trusted images, and enforcing that only trusted containers from trusted registries are deployed, can help avoid such cryptomining attacks.
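
An added example, not part of the original article: a Python audit that flags container images pulled from registries outside an allowlist and RBAC rules that use wildcards, run over Kubernetes objects in the shape `kubectl get -o json` returns. The registry name, the allowlist and the sample objects are constructed assumptions.

```python
# Added example: audit Kubernetes objects given as dicts (e.g. parsed from
# `kubectl get -o json`). Allowlist and sample objects are constructed.
TRUSTED_REGISTRIES = {"registry.example.internal"}  # assumption: your allowlist

def image_registry(image):
    """Registry host of an image reference; docker.io when none is given."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def pod_spec(obj):
    """Pod spec of a Pod, or of a workload with a pod template (Deployment, Job...)."""
    spec = obj.get("spec", {})
    return spec if obj.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def untrusted_images(obj, trusted=TRUSTED_REGISTRIES):
    """Images (containers and initContainers) pulled from outside the allowlist."""
    spec = pod_spec(obj)
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [c["image"] for c in containers if image_registry(c["image"]) not in trusted]

def wildcard_rules(role):
    """Role/ClusterRole rules granting '*' in verbs, resources or apiGroups."""
    return [r for r in role.get("rules", [])
            if any("*" in r.get(k, []) for k in ("verbs", "resources", "apiGroups"))]

# Constructed sample objects
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "trainer"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "trainer", "image": "registry.example.internal/ml/trainer:1.4"},
        {"name": "sidecar", "image": "unvetted/worker:latest"},
    ]}}},
}
SAMPLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "trainer-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

if __name__ == "__main__":
    for image in untrusted_images(SAMPLE_DEPLOYMENT):
        print("untrusted image:", image)
    for rule in wildcard_rules(SAMPLE_ROLE):
        print("wildcard RBAC rule:", rule)
```

Image references with no registry host resolve to docker.io, so they are flagged unless docker.io is on the allowlist.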