An extensive attack campaign that has been discovered in the wild uses Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and carry out cryptocurrency mining.
According to a report by the cloud security company Aqua, the attackers behind a large-scale campaign exploiting Kubernetes Role-Based Access Control (RBAC) used DaemonSets to take control of the targeted K8s clusters and steal their resources. Aqua, the Israeli firm that named the attack RBAC Buster, says 60 K8s clusters were abused by the threat actor driving the operation.
The attackers gained initial access through a misconfigured API server and then checked the compromised server for signs of rival miner software. They then used RBAC to establish persistence, starting with a ClusterRole carrying admin-level privileges.
Aqua said the attacker then created a ServiceAccount named kube-controller in the kube-system namespace and a ClusterRoleBinding connecting the ClusterRole to that ServiceAccount, producing robust and covert persistence.
In the attack on Aqua's K8s honeypots, the attacker sought to gain a foothold in the environment, harvest data, and break out of the cluster's perimeter using exposed AWS access keys.
As the final step of the attack, the attacker created a DaemonSet that deployed the “kuberntesio/kube-controller:1.0.1” Docker container image, which contains a cryptocurrency miner, to every node. Since the image was uploaded five months earlier, it has been pulled 14,399 times.
Aqua said the “kuberntesio/kube-controller” container image is a case of typosquatting, imitating the legitimate “kubernetesio” account. The image also mimics the well-known “kube-controller-manager” container image, which detects node failures and takes steps to remediate them.
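A defender-side check for the two artifacts described above (a ServiceAccount bound cluster-wide to an admin-level ClusterRole, and a DaemonSet pulling an image from a non-allowlisted owner). This is an added example, not Aqua's tooling; the three objects are constructed to mirror the chain in the article, and `TRUSTED_OWNERS` is an assumed allowlist.

```python
import json

# Constructed sample, not real cluster output: the three objects that form the
# persistence chain described above (ClusterRole, ClusterRoleBinding, DaemonSet).
OBJECTS = json.loads("""[
 {"kind":"ClusterRole","metadata":{"name":"kube-controller"},
  "rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"system:controller:kube-controller"},
  "roleRef":{"kind":"ClusterRole","name":"kube-controller"},
  "subjects":[{"kind":"ServiceAccount","name":"kube-controller","namespace":"kube-system"}]},
 {"kind":"DaemonSet","metadata":{"name":"kube-controller","namespace":"kube-system"},
  "spec":{"template":{"spec":{"containers":[{"name":"kube-controller",
   "image":"kuberntesio/kube-controller:1.0.1"}]}}}}
]""")

# Assumed allowlist of image owners/registries this cluster is expected to pull from.
TRUSTED_OWNERS = {"kubernetesio", "registry.k8s.io"}

def is_admin_role(role):
    """True when any rule grants every verb on every resource in every API group."""
    return any("*" in r.get("verbs", []) and "*" in r.get("resources", [])
               and "*" in r.get("apiGroups", []) for r in role.get("rules", []))

def find_sa_admin_bindings(objects):
    """ServiceAccounts bound cluster-wide to an admin-level ClusterRole."""
    roles = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterRole"}
    hits = []
    for o in objects:
        if o["kind"] != "ClusterRoleBinding" or o["roleRef"]["kind"] != "ClusterRole":
            continue
        role = roles.get(o["roleRef"]["name"])
        if role is None or not is_admin_role(role):
            continue
        for s in o.get("subjects", []):
            if s["kind"] == "ServiceAccount":
                hits.append((o["metadata"]["name"], f'{s["namespace"]}/{s["name"]}'))
    return hits

def find_untrusted_daemonset_images(objects, trusted=TRUSTED_OWNERS):
    """DaemonSet container images whose owner (first path segment) is not allowlisted;
    an exact comparison means a lookalike such as 'kuberntesio' is flagged."""
    hits = []
    for o in objects:
        if o["kind"] != "DaemonSet":
            continue
        for c in o["spec"]["template"]["spec"]["containers"]:
            if c["image"].split("/")[0] not in trusted:
                hits.append((o["metadata"]["name"], c["image"]))
    return hits
```

Against a live cluster, feed both functions the `items` array from `kubectl get clusterroles,clusterrolebindings,daemonsets -A -o json`.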
The campaign's tactics resemble those of another unauthorized cryptocurrency mining operation that used DaemonSets to mine Dero and Monero. It remains unclear whether the two attacks are connected.