Cybersecurity firm CrowdStrike warns of a Dero cryptojacking operation infecting Kubernetes clusters that are also being targeted by a Monero cryptojacking campaign.
Dero is a cryptocurrency that uses directed acyclic graph (DAG) technology, claiming to provide users with complete transactional anonymity, increased privacy, and a higher reward ratio compared to Monero.
Since the beginning of February 2023, what appears to be the first-ever Dero cryptojacking operation has been observed targeting Kubernetes clusters on non-standard ports that are exposed to the internet.
To compromise the identified clusters, the attackers are using a Kubernetes API with authentication set to ‘anonymous’, which allows them to completely bypass authentication on accidentally exposed clusters.
Following initial interaction with the Kubernetes cluster, the attackers deploy a DaemonSet that drops a malicious pod on each node of the cluster.
“This helps attackers engage resources of all of the nodes at the same time to run a cryptojacking operation. The mining efforts by the pods are contributed back to a community pool, which distributes the reward equally among its contributors through their digital wallet,” CrowdStike explains.
As part of the campaign, the threat actors hosted on Docker Hub a Docker image that has over 4,000 pulls, which may be indicative of the number of miner instances deployed.
CrowdStrike says it has not observed the attackers pivoting from the compromised Kubernetes clusters to move laterally or attempting to delete or disrupt cluster operation, which suggests that their sole purpose was mining for Dero.
However, shortly after identifying the campaign, CrowdStrike also observed a modified Monero operation that targets exposed Kubernetes clusters and which deliberately attempts to delete Dero’s DaemonSet from the compromised targets.
“This signifies the Monero campaign is aware of the ongoing Dero cryptojacking campaign, and the Monero attacker wants to knock off the existing Dero cryptojacking DaemonSet before the campaign takes over the cluster and uses all of its resources,” the cybersecurity firm notes.
The same Monero operation attempts to delete other DaemonSets as well, suggesting that its operators might be aware of other cryptojacking campaigns as well.
As part of the Monero campaign, a privileged pod is being deployed and a ‘host’ directory is loaded, in an attempt to escape the container. Additionally, a cronjob is created to trigger the payload, instead of directly executing scripts.
Related: Spyware, Ransomware, Cryptojacking Malware Increasingly Detected on ICS Devices
Related: Abcbot DDoS Botnet Linked to Older Cryptojacking Campaign
Related: Iranians Charged for Cryptojacking After U.S. Firm Gets $760,000 Cloud Bill