Threat actors have been observed abusing Kubernetes Role-Based Access Control (RBAC) to create backdoors and hijack cluster resources for cryptocurrency mining, cloud security firm Aqua Security warns.
Referred to as RBAC Buster, this type of Kubernetes attack exploits API servers to gain full access to the compromised cluster and achieve persistence.
For initial access, Aqua reports, the threat actors are exploiting a misconfigured API server that accepts ‘unauthenticated requests from anonymous users with privileges’.
After making several requests, the attackers were able to retrieve secrets and gather information about the cluster, made a new deployment named ‘kube-controller’, and attempted to delete several existing deployments, likely to disable malicious campaigns from competitors.
Next, the attackers were seen leveraging RBAC for persistence, which included creating a cluster role with near admin-level privileges and a service account named ‘kube-controller’ in the ‘kube-system’ namespace, and binding the cluster role with the service account.
By setting the legitimate-looking cluster role binding, the attackers could stay under the radar, while ensuring their access to the cluster is persistent even if the anonymous user access was disabled, Aqua explains.
The cybersecurity firm observed the attack on one of their honeypots where AWS access keys were exposed in various locations and discovered that, days after the attackers compromised the cluster, the keys were used to expand access.
“The attacker then created a DaemonSet to deploy containers on all nodes with a single API request. The DaemonSet creation request object contained the container image ‘kuberntesio/kube-controller:1.0.1’, hosted on the public registry Docker Hub. The impact on the cluster was resource hijacking,” Aqua says.
The container image has been pulled over 14,000 times since it was uploaded five months ago, and Aqua identified another 60 exposed Kubernetes clusters that were compromised as part of the campaign.
The purpose of the attacks is to hijack resources to mine for Monero, and the attackers appear to have already mined at least 5 coins from a single worker.
Aqua also notes that the container image ‘kuberntesio/kube-controller’ uses typosquatting to impersonate the legitimate ‘kubernetesio’ account, while also mimicking ‘kube-controller-manager’, a popular container image that runs on every node to identify and help respond to node failures.
Related: Dero, Monero Cryptojackers Fighting for Same Kubernetes Clusters
Related: Over 380,000 Kubernetes API Servers Exposed to Internet: Shadowserver
Related: Severe Vulnerability Patched in CRI-O Container Engine for Kubernetes