Posted on August 4, 2021 at 5:02 PM
Security researchers have reported a new wave of attacks that plant crypto-mining malware on Kubernetes clusters. According to reports on the malware, it exploits misconfigured instances of an open-source workflow engine for Kubernetes known as Argo Workflows.
According to the researchers, there are hundreds of such Argo Workflows instances, and threat actors are currently abusing them.
In line with the discovery, the National Security Agency (NSA) has released guidance for running Kubernetes safely. According to the agency, the guidance will help organizations deploy the open-source platform to manage containerized applications.
Apart from the NSA, the Cybersecurity and Infrastructure Security Agency (CISA) co-authored the guidance to help users understand the configurations and main threats involved, and so reduce risk.
NSA and CISA release joint guidance
In a joint statement, the agencies explained that Kubernetes is usually targeted for three main reasons: denial of service, computational power theft, or data theft.
“Data theft is traditionally the primary motivation,” the agencies added. But threat actors sometimes also use Kubernetes to harness a network’s underlying infrastructure for computational power, especially for crypto mining.
And researchers at Intezer are warning that the threat actors are taking advantage of misconfigured Kubernetes workflows on enterprise hardware.
However, the security researchers noted that most of the hardening guidance is not novel. Based on the reports, organizations can apply standard security mitigations even in the complex environments usually deployed in the cloud.
The guidance covers scanning containers and pods for vulnerabilities and misconfigurations, running containers and pods with the fewest privileges possible, strong authentication methods, firewall protections, and log auditing.
Additionally, the guidance describes the components of a Kubernetes cluster: the control plane, the worker nodes, and the pods that host containers on those nodes.
Kannix/monero-miner container also deployed
The researchers also stated that they discovered kannix/monero-miner, a widely known crypto-mining container, being deployed. The container is popular for its use in mining the Monero cryptocurrency.
Although the container has been deleted from Docker Hub, the researchers noted that the repository still lists up to 45 other crypto-mining containers, which already have millions of downloads.
The researchers said they have also discovered some infected nodes, and that the hundreds of misconfigured deployments mean further attacks are likely. Some of the exposed instances are used by organizations from different sectors, including logistics and finance, the researchers noted.
Guidance for mitigation
CISA and the NSA also issued advice on supply chain risk, which covers hardware and software dependencies that may be compromised anywhere in the supply chain before they are deployed.
The joint report notes that both security applications and the third-party software a cluster depends on rely on the security of the development infrastructure and the trustworthiness of the developers. As a result, a malicious container image from a third party may be all that cyber actors need to gain a foothold in the cluster.
The agencies also noted that threat actors often attack control plane applications that lack proper access controls, as well as worker nodes that reside outside the locked-down control plane.
Additionally, there are insider threats, which include supervisors or administrators with physical access and elevated privileges.
The agencies reiterated that pods need to be hardened against exploitation, since they are the threat actors’ first execution environment after they have compromised a container.
They also recommended that organizations run non-root containers and rootless container engines to prevent root execution, since many container services run as the root user by default.
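The hardening points the article lists (least-privileged pods, non-root execution, and the earlier warning about third-party container images) can be checked mechanically before a manifest is admitted to a cluster. The following audit is an added example, not code from the article, from Intezer, or from the NSA/CISA guidance; the two manifests are constructed samples, and the particular fields checked are this example's own selection of the Kubernetes pod `securityContext` settings involved.

```python
"""Audit Kubernetes Pod manifests for common hardening gaps.

Added example, not part of the article or the NSA/CISA guidance. The two
manifests below are constructed samples in the shape produced by parsing
a Pod YAML file; the checks are this example's own selection.
"""
from __future__ import annotations

from typing import Any

# Constructed sample: a pod the way a misconfigured cluster might accept it.
WEAK_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "worker-weak"},
    "spec": {
        "hostPID": True,  # shares the node's PID namespace
        "containers": [
            {
                "name": "worker",
                "image": "example.invalid/worker:latest",  # mutable tag
                "securityContext": {"privileged": True},
            }
        ],
    },
}

# Constructed sample: the same workload with the hardening the guidance describes.
HARDENED_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "worker-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [
            {
                "name": "worker",
                # Placeholder digest: pins the image to exact content.
                "image": "example.invalid/worker@sha256:" + "0" * 64,
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "privileged": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
            }
        ],
    },
}


def audit_pod(manifest: dict[str, Any]) -> list[str]:
    """Return hardening findings for one Pod manifest (empty list = clean)."""
    findings: list[str] = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")

    # Host namespace sharing exposes the node itself to the container.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: spec.{flag} is enabled")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        # Root execution: runAsNonRoot must be true at pod or container level.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}/{cname}: runAsNonRoot is not set to true")

        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")

        # Defaults to allowed when the field is absent, so absence is a finding.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation not disabled")

        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}/{cname}: does not drop all capabilities")

        # Supply chain: a tag can be repointed later; a digest cannot.
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(f"{name}/{cname}: image {image!r} is not pinned by digest")

    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        report = audit_pod(pod)
        print(pod["metadata"]["name"], "->", report or ["no findings"])
```

Run as a pre-deployment gate (or wired into an admission webhook), an empty result means the manifest satisfies every check above; the weak sample trips all of them, which is the profile of a workload a crypto-miner would be happy to run in.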
Argo Workflows can be exploited
The security researchers also noted that Argo Workflows is designed to reduce the complexity of deployments. However, if instances are not properly configured, attackers can turn them into exploitation tools.
When the researchers looked for misconfigured examples, they found instances that either had permissive access controls or were completely unprotected. Such instances allow threat actors to deploy their own workflows.