Connect with us

Hi, what are you looking for?


Application Security

Threat Actors Target Kubernetes Clusters via Argo Workflows

Threat actors are abusing Argo Workflows to target Kubernetes deployments and deploy crypto-miners, according to a warning from security vendor Intezer.

Threat actors are abusing Argo Workflows to target Kubernetes deployments and deploy crypto-miners, according to a warning from security vendor Intezer.

The Intezer team identified a series of unprotected instances operated by organizations in technology, finance, and logistics sectors, which allowed anyone to deploy workflows. In some cases, the nodes have been targeted by malicious actors to deploy crypto-miners.

An open-source, container-native workflow engine that runs on Kubernetes, Argo Workflows allows users to run parallel jobs at ease from a central interface, reducing deployment complexity and leaving less room for errors.

Argo uses YAML files to define the type of work to be performed, with the workflows being executed either from a template or submitted directly using the Argo console.

On the misconfigured instances, Intezer said threat actors could access an open Argo dashboard and deploy their workflow. In one of the observed attacks, the adversary deployed kannix/monero-miner, a known crypto-currency mining container that has been removed from Docker Hub.

[ Related: ‘Siloscape’ Malware Targets Windows Server Containers ]

The container uses XMRig to mine for Monero and is being abused by threat actors to run crypto-jacking operations, as it can be easily configured by simply changing the address of the crypto-wallet the mined virtual coin should be deposited to.

Advertisement. Scroll to continue reading.

To check whether their instances have been properly configured, users can simply attempt to access the Argo Workflows dashboard from outside the corporate network, using an incognito browser, and without authentication.

“Another option is to query the API of your instance and check the status code. Make a HTTP GET request to [your.instance:port]/api/v1/info. A returned HTTP status code of “401 Unauthorized” while being an unauthenticated user will indicate a correctly configured instance, whereas a successful status code of “200 Success” could indicate that an unauthorized user is able to access the instance,” Intezer explained.

Users are also advised to check their Argo instances for any suspicious activity, and ensure that no workflows have been running for an excessive amount of time, as this could indicate that a crypto-miner has been deployed in the cluster.

Related: Kubeflow Deployments Targeted in New Crypto-mining Campaign

Related: ‘Siloscape’ Malware Targets Windows Server Containers

Related: New ‘Hildegard’ Malware Targets Kubernetes Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.