2023-03-22

A Kubernetes Cryptojacking Operation Seeks Payment from Dero Co

Level: 
Tactical
  |  Source: 
CrowdStrike
Global
Share:

A Kubernetes Cryptojacking Operation Seeks Payment from Dero Coin

Category: Cloud Security | Industry: Global | Level: Tactical | Source: CrowdStrike

A Dero coin crypto-mining operation engaging in cryptojacking has been discovered targeting unsecured Kubernetes containers with exposed APIs. The campaign reported by CrowdStrike took place in February 2023, and initiated with the threat actors scanning insecure Kubernetes clusters that have authentication configured to "--anonymous-auth=true," permitting anonymous access to the Kubernetes API. Once access to the API was obtained, the attackers set up a "proxy-api" DaemonSet and deployed it, enabling them to exploit the resources of every node in the cluster at once, facilitating the mining of Dero using the resources available. The threat actors also deployed a modified CentOS 7 image featuring supplementary files called "entrypoint.sh" and "pause." The objective is assessed to be purely financially motivated as the threat actors made no attempt to move laterally, exfiltrate data or tamper with cluster operations. Following the established Dero cryptomining operation, a Monero cryptojacking operator attempted to exploit the same resources soon after the discovery of the Dero campaign, which eventually replaced the Dero miner.

Anvilogic Scenario:

  • AVL_UC16895 - Kube Manipulation for Cryptomining

Anvilogic Use Cases:

  • AVL_UC8076 - Kubernetes Update Pod Configuration
  • AVL_UC6844 - Kubernetes Pod Created
  • AVL_UC6846 - Kubernetes Potential Cryptomining

Get trending threats published weekly by the Anvilogic team.

Sign Up Now