Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Attackers Abuse Kubernetes RBAC to Deploy Persistent Backdoor

Threat actors have been observed abusing Kubernetes RBAC to create backdoors and hijack cluster resources for cryptocurrency mining.

Threat actors have been observed abusing Kubernetes Role-Based Access Control (RBAC) to create backdoors and hijack cluster resources for cryptocurrency mining, cloud security firm Aqua Security warns.

Referred to as RBAC Buster, this type of Kubernetes attack exploits API servers to gain full access to the compromised cluster and achieve persistence.

For initial access, Aqua reports, the threat actors are exploiting a misconfigured API server that accepts ‘unauthenticated requests from anonymous users with privileges’.

After making several requests, the attackers were able to retrieve secrets and gather information about the cluster, made a new deployment named ‘kube-controller’, and attempted to delete several existing deployments, likely to disable malicious campaigns from competitors.

Next, the attackers were seen leveraging RBAC for persistence, which included creating a cluster role with near admin-level privileges and a service account named ‘kube-controller’ in the ‘kube-system’ namespace, and binding the cluster role with the service account.

By setting the legitimate-looking cluster role binding, the attackers could stay under the radar, while ensuring their access to the cluster is persistent even if the anonymous user access was disabled, Aqua explains.

The cybersecurity firm observed the attack on one of their honeypots where AWS access keys were exposed in various locations and discovered that, days after the attackers compromised the cluster, the keys were used to expand access.

Advertisement. Scroll to continue reading.

“The attacker then created a DaemonSet to deploy containers on all nodes with a single API request. The DaemonSet creation request object contained the container image ‘kuberntesio/kube-controller:1.0.1’, hosted on the public registry Docker Hub. The impact on the cluster was resource hijacking,” Aqua says.

The container image has been pulled over 14,000 times since it was uploaded five months ago, and Aqua identified another 60 exposed Kubernetes clusters that were compromised as part of the campaign.

The purpose of the attacks is to hijack resources to mine for Monero, and the attackers appear to have already mined at least 5 coins from a single worker.

Aqua also notes that the container image ‘kuberntesio/kube-controller’ uses typosquatting to impersonate the legitimate ‘kubernetesio’ account, while also mimicking ‘kube-controller-manager’, a popular container image that runs on every node to identify and help respond to node failures.

Related: Dero, Monero Cryptojackers Fighting for Same Kubernetes Clusters

Related: Over 380,000 Kubernetes API Servers Exposed to Internet: Shadowserver

Related: Severe Vulnerability Patched in CRI-O Container Engine for Kubernetes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.