Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Attackers Abuse Kubernetes RBAC to Deploy Persistent Backdoor

Threat actors have been observed abusing Kubernetes RBAC to create backdoors and hijack cluster resources for cryptocurrency mining.

Threat actors have been observed abusing Kubernetes Role-Based Access Control (RBAC) to create backdoors and hijack cluster resources for cryptocurrency mining, cloud security firm Aqua Security warns.

Referred to as RBAC Buster, this type of Kubernetes attack exploits API servers to gain full access to the compromised cluster and achieve persistence.

For initial access, Aqua reports, the threat actors are exploiting a misconfigured API server that accepts ‘unauthenticated requests from anonymous users with privileges’.

After making several requests, the attackers were able to retrieve secrets and gather information about the cluster, made a new deployment named ‘kube-controller’, and attempted to delete several existing deployments, likely to disable malicious campaigns from competitors.

Next, the attackers were seen leveraging RBAC for persistence, which included creating a cluster role with near admin-level privileges and a service account named ‘kube-controller’ in the ‘kube-system’ namespace, and binding the cluster role with the service account.

By setting the legitimate-looking cluster role binding, the attackers could stay under the radar, while ensuring their access to the cluster is persistent even if the anonymous user access was disabled, Aqua explains.

The cybersecurity firm observed the attack on one of their honeypots where AWS access keys were exposed in various locations and discovered that, days after the attackers compromised the cluster, the keys were used to expand access.

“The attacker then created a DaemonSet to deploy containers on all nodes with a single API request. The DaemonSet creation request object contained the container image ‘kuberntesio/kube-controller:1.0.1’, hosted on the public registry Docker Hub. The impact on the cluster was resource hijacking,” Aqua says.

Advertisement. Scroll to continue reading.

The container image has been pulled over 14,000 times since it was uploaded five months ago, and Aqua identified another 60 exposed Kubernetes clusters that were compromised as part of the campaign.

The purpose of the attacks is to hijack resources to mine for Monero, and the attackers appear to have already mined at least 5 coins from a single worker.

Aqua also notes that the container image ‘kuberntesio/kube-controller’ uses typosquatting to impersonate the legitimate ‘kubernetesio’ account, while also mimicking ‘kube-controller-manager’, a popular container image that runs on every node to identify and help respond to node failures.

Related: Dero, Monero Cryptojackers Fighting for Same Kubernetes Clusters

Related: Over 380,000 Kubernetes API Servers Exposed to Internet: Shadowserver

Related: Severe Vulnerability Patched in CRI-O Container Engine for Kubernetes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Jason Hogg has been named Executive Chairman of CYPFER.

HUB Cyber Security has appointed former PayPal and American Express executive Paul Parisi as its Global Chief Revenue Officer.

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.