Misconfigured Kubernetes Targeted by Extensive Crypto-Mining Campaign 

Summary 

A large-scale cryptocurrency mining campaign called RBAC Buster has been discovered actively targeting at least 60 Kubernetes clusters in the wild. The campaign exploits Kubernetes Role-Based Access Control (RBAC) to create backdoors and run miners. The attackers used a misconfigured API server to gain initial access to the clusters, then deployed DaemonSets to create backdoors and run cryptocurrency miners. The campaign was discovered by cybersecurity firm Aqua Security, which had set up Kubernetes honeypots and exposed Amazon Web Services (AWS) access keys in various locations on the cluster. 

What is Kubernetes? 

Kubernetes, is a widely used open-source system for automating deployment, scaling, and management of containerized applications across multiple hosts. It was developed by Google and is now overseen by the Cloud Native Computing Foundation (CNCF). It provides a platform for automating the deployment, scaling, and management of containerized applications, making it easier to manage large, complex container environments. It also provides advanced security features and monitoring capabilities. Kubernetes is a key tool in the development of cloud-native applications and is used by many organizations to improve organizational efficiency, reduce costs, and improve security.  

This widely used open-source container management tool has become a popular target for cybercriminals seeking to gain unauthorized access to organizational data for extortion or theft. The emergence of the Siloscape malware in 2021 has heightened concerns around the security of poorly configured Kubernetes clusters, leading to a Kubernetes security audit conducted by the National Computing Centre (NCC) Group.  

NCC Group Audit Results 

The audit identified 19 issues, with 13 in the kube-apiserver and four across Kubernetes’ broader architectural design. It highlighted concerns related to user and network permissions, as well as inadequate logging capabilities. Of the 19 issues, six were medium risk and nine were low risk, with none being critical or high. The audit also found that a “number of findings from the previous audit performed against Kubernetes version 1.13 in 2019 remain open or unfixed.” 

The audit emphasized the importance of implementing robust security measures and addressing concerns related to Kubernetes’ architecture. It stressed the need to implement a mechanism for an authorization mode to subquery other authorization modes and urged the project to consider embedding authentication metadata to authorization modes. The audit also identified issues related to Kubernetes’ authorization model, which does not support “deny” rules and called for the implementation of a new “DecisionDeny” rule. 

(Source: sysdig

Conclusion 

To secure Kubernetes environments, organizations need customizable identity and access management (IAM) solutions that specify roles and permissions for each user. Authorization levels should be specified based on the type of user, and access rules for different types of users should be established. IAM should be used to authenticate individuals, and native Kubernetes role-based access controls (RBACs) for management may need to be adjusted. 

Organizations should grant the least level of privilege necessary when creating roles for each group of users and delete roles once they are no longer necessary. IAM solutions can ease the process of configuring, managing, and ensuring scalability of clusters, while correctly assigned roles will always provide a crucial layer of protection. As Kubernetes and its uses advance, security methods will evolve, but specified roles will remain an important aspect of its security.  

References: 

  1. https://www.darkreading.com/attacks-breaches/combating-kubernetes-the-newest-iam-challenge-?_mc=NL_DR_EDT_DR_daily_20230428&cid=NL_DR_EDT_DR_daily_20230428&sp_aid=116291&elq_cid=37234710&sp_eh=8cf16e1785aaa804444985a6783290ed53189b73686df25f940937f8c1d8e4df&sp_eh=8cf16e1785aaa804444985a6783290ed53189b73686df25f940937f8c1d8e4df&sp_cid=48428 
  1. https://www.inforisktoday.com/novel-technique-exploits-kubernetes-rbac-to-backdoor-clusters-a-21738 
  1. https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters 
  1. https://thestack.technology/kubecon-kubernetes-security-audit-2023-permissions/ 
  1. https://sysdig.com/blog/monitor-kubernetes-api-server/ 

You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
Join us at RSA Conference - booth #449 South!
This is default text for notification bar