How Malicious Actors Exploit Exposed K8s for Crypto-Mining and Backdoors

Security researchers are raising the alarm about publicly accessible Kubernetes (K8s) clusters. The potential for misuse is significant: recent incidents show malicious actors actively seeking out such clusters to deploy cryptocurrency miners and install backdoors. The findings come from Aqua, a cloud security company.

According to the report, the lion's share of the exposed clusters belonged to small and medium-sized organizations. A number of vulnerable clusters, however, were tied to high-profile companies in sectors including finance, aerospace, automotive, industrial, and security.

The report uncovered an alarming fact: over 350 organizations, open-source projects, and individual accounts had exposed Kubernetes clusters, and 60% of those clusters were active targets of a malicious crypto-mining campaign. The clusters were publicly reachable because of two serious configuration errors.

The first error grants anonymous users high-privilege access; the second is running kubectl proxy with flags that effectively leave the API wide open. Such lax configuration can have severe consequences, because Kubernetes clusters often hold an array of highly sensitive assets: customer data, financial records, intellectual property, access keys, confidential configuration, and even encryption keys.
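As an added example (not code from the Aqua report), the following Python audits the first misconfiguration: a ClusterRoleBinding that hands system:anonymous or system:unauthenticated anything beyond the read-only health and version paths Kubernetes exposes by default. The input objects are constructed here, shaped like the items of kubectl get clusterroles,clusterrolebindings -o json; the role names and binding names in the sample are assumptions.

```python
# Constructed audit, not from the Aqua report: flag RBAC bindings that grant
# anonymous/unauthenticated subjects more than default discovery access.
ANON_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}
# Non-resource paths the default system:public-info-viewer role exposes.
BENIGN_PATHS = {"/healthz", "/livez", "/readyz", "/version", "/version/"}


def role_is_dangerous(role):
    """True if a ClusterRole grants anything beyond benign health/version paths."""
    for rule in role.get("rules", []):
        if rule.get("resources") or rule.get("apiGroups"):
            return True  # any API resource access is too much for anonymous callers
        if set(rule.get("nonResourceURLs", [])) - BENIGN_PATHS:
            return True
    return False


def audit_anonymous_access(bindings, roles):
    """Return (binding, role, reason) tuples for bindings that expose the cluster."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []
    for b in bindings:
        subjects = {(s.get("kind"), s.get("name")) for s in b.get("subjects", [])}
        if not subjects & ANON_SUBJECTS:
            continue  # no anonymous subject, nothing to flag
        role_name = b["roleRef"]["name"]
        role = roles_by_name.get(role_name)
        if role_name == "cluster-admin":
            findings.append((b["metadata"]["name"], role_name, "cluster-admin for anonymous"))
        elif role is None or role_is_dangerous(role):
            findings.append((b["metadata"]["name"], role_name, "API access for anonymous"))
    return findings


# Constructed sample objects (assumed names), shaped like kubectl -o json items.
SAMPLE_ROLES = [
    {"metadata": {"name": "system:public-info-viewer"}, "rules": [
        {"nonResourceURLs": ["/healthz", "/livez", "/readyz", "/version", "/version/"], "verbs": ["get"]}]},
    {"metadata": {"name": "cluster-admin"}, "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-reader"}, "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "system:public-info-viewer"}, "roleRef": {"name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}, {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "anonymous-admin"}, "roleRef": {"name": "cluster-admin"},  # the misconfiguration
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"metadata": {"name": "anon-pod-reader"}, "roleRef": {"name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
]
```

Run against a live cluster by replacing the two sample lists with the items arrays from the real kubectl JSON output; the default public-info-viewer binding is intentionally not reported.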

Security researchers Michael Katchinskiy and Assaf Morag shed light on the situation. They found that, within the exposed Kubernetes clusters, pod listings containing sensitive environment variables had fallen into the hands of malicious parties. Such exposure poses significant risk: it can let cyber-criminals breach a company's deepest defenses, infiltrate its source code repositories, and introduce harmful modifications.

In terms of identifiable threats, the researchers' in-depth analysis of the compromised clusters uncovered three separate campaigns, each aimed solely at cryptocurrency mining: a Dero crypto-jacking operation, RBAC Buster, and TeamTNT's Silentbob. Each demonstrated the destructive effect of these common misconfigurations, which plague organizations irrespective of their size.

In essence, this highlights gaping holes in how many companies understand and handle Kubernetes security. Businesses small, medium, and large need to grasp the severity of these weaknesses and take immediate action to prevent such exploitation.

While this issue is a stark reminder of the need for sound cybersecurity practices, it also underscores the value of following cybersecurity news, insights, and daily tips to stay equipped in this ongoing digital battleground.

At Darksteel Technologies, we are an Orlando-based business that can handle all aspects of your IT security, providing compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design, and any other information security requirement your business has. We focus on your cybersecurity so you don't have to.
