Threat Actors Lead Crypto Mining Campaign Using Kubernetes RBAC, Researchers Warn

Security experts have identified a new crypto-mining campaign that uses Kubernetes Role-Based Access Control (RBAC) to deploy backdoors and run miners on compromised devices. The malicious operation, tracked as RBAC Buster, garnered at least 60 Kubernetes (K8) clusters to focus on.

To analyze the attackers’ modus operandi, cloud security firm Aqua researchers set up a K8 honeypot.

“We have recently discovered the first-ever evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors,” reads Aqua’s security advisory. “The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack. Our research suggests that this campaign is actively targeting at least 60 clusters in the wild.”

Threat actors used a misconfigured API server to gain access, performed reconnaissance operations such as listing secrets and entities via HTTP and API requests, checked whether the server was running competing miner malware, and leveraged RBAC to achieve persistence.

According to the company’s report, attackers also attempted to remove specific existing deployments, “including 'kube-secure-fhgxtsjh', 'kube-secure-fhgxt', 'api-proxy', and 'worker-deployment.’” The researchers believe that, by doing so, attackers aimed to increase available CPU by disabling legacy or competitor’s campaigns and to reduce the chances of being discovered.

The campaign is widespread, seeing as the malicious container was pulled 14,339 times since its upload five months ago. Further analysis revealed that the container images hosted a fake binary kube-controller, crypto-miner malware in disguise, and its configuration files.

Crypto wallets associated with the miner revealed that the perpetrators had already mined five XMR (roughly $200) and could gain another five by the end of the year from just a single worker.

“The container image named 'kuberntesio/kube-controller' is a case of typosquatting that impersonates the legitimate 'kubernetesio' account,” reads Aqua’s report. “Essentially, it is a widely used K8s component that should exist on the cluster and could deceive practitioners into thinking it is a legitimate deployment rather than a cryptominer. Since it is designed to run continuously, no one would question its presence.”