A unique Monero-mining campaign hits Kubernetes

  • Kubeflow, a machine-learning toolkit, recently suffered a cryptojacking attack.
  • The attacker used the system’s nodes for mining a privacy coin, Monero (XMR).
  • Security researchers believe that the hacker gained access via a dashboard exposed on the internet.

Kubeflow, a machine-learning toolkit for Kubernetes, was recently hit by a unique cyberattack that affected large swathes of container clusters, according to a recent Microsoft report.

What happened?

Kubeflow is an open-source project built around a popular framework for running machine-learning tasks. However, a recent analysis revealed that a suspicious Kubeflow image was deployed back in April, reaching thousands of clusters.

All of it originated from a single public repository, which was more than enough cause for further investigation. After inspecting the matter, researchers discovered that the image runs open-source cryptojacking malware used to mine Monero (XMR).

Yossi Weizman, a security researcher at Microsoft’s Azure Security Center, explained that nodes used for machine learning are quite powerful, which is likely why they were targeted for crypto mining.

How did the attackers gain access?

He also described how Kubeflow may have served as the entry point for the attack. Weizman said that all the attackers needed was to somehow gain access to Kubeflow; from there, they would have numerous ways to run a malicious image. Since Kubeflow is a containerized service, its various tasks run as containers in the cluster.

“The framework is divided into different namespaces [containers], which are a collection of Kubeflow services. Those namespaces are translated into Kubernetes namespaces in which the resources are deployed,” he said.

Meanwhile, the project’s functionality is exposed through an API server that connects to a dashboard, which is used for managing various tasks. Normally, this dashboard is reachable only through an internal gateway at the edge of the cluster, but many users expose their dashboards to the internet for ease of use. This appears to have been the entry point for the hacker(s) who struck in April.

From there, the attacker once again had multiple methods of infecting the system. Kubeflow does offer protection against this kind of attack, which relies on admins checking for exposed dashboards whenever Kubeflow is deployed within a cluster.
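The check described above can be scripted against a cluster's own inventory. The following is an added example, not code from the article, Microsoft or the Kubeflow project: it reads the JSON that `kubectl get svc -A -o json` and `kubectl get pods -A -o json` produce and flags two things the article calls out, a dashboard gateway whose Service type makes it reachable from the internet, and workload images pulled from a public repository rather than an allowlisted registry. The gateway name and namespace (`istio-ingressgateway` in `istio-system`), the registry allowlist and all sample data are assumptions constructed for the example.

```python
"""Audit kubectl JSON inventories for an externally reachable Kubeflow dashboard
gateway and for workload images pulled from registries outside an allowlist.
Added example, not code from the article, Microsoft or Kubeflow. Input is the
output of `kubectl get svc -A -o json` and `kubectl get pods -A -o json`; the
sample documents at the bottom are constructed."""
from __future__ import annotations

import json
import sys

# Assumption: the ingress gateway fronting the Kubeflow dashboard is Istio's
# default service in its default namespace. Adjust for the cluster being audited.
GATEWAY_NAMESPACE = "istio-system"
GATEWAY_SERVICE = "istio-ingressgateway"

# Service types that hand out an address reachable from outside the cluster.
EXTERNALLY_REACHABLE = {"LoadBalancer", "NodePort"}

# Constructed allowlist of image prefixes the cluster is expected to pull from.
TRUSTED_IMAGE_PREFIXES = (
    "registry.example.internal/",
    "gcr.io/kubeflow-images-public/",
)


def exposed_gateways(services: dict) -> list[str]:
    """Report the dashboard gateway if its Service type makes it internet-reachable.

    A ClusterIP gateway is reachable only from inside the cluster, which is the
    default posture the article describes.
    """
    findings = []
    for svc in services.get("items", []):
        meta, spec = svc["metadata"], svc.get("spec", {})
        if (meta["namespace"], meta["name"]) != (GATEWAY_NAMESPACE, GATEWAY_SERVICE):
            continue
        svc_type = spec.get("type", "ClusterIP")
        if svc_type in EXTERNALLY_REACHABLE:
            findings.append(f"{meta['namespace']}/{meta['name']} is type {svc_type}")
    return findings


def untrusted_images(pods: dict) -> list[str]:
    """Report every container (init containers included) not pulled from an allowlisted prefix.

    Bare references such as ``user/image:tag`` resolve to Docker Hub, the kind of
    public repository the article says the malicious image came from.
    """
    findings = []
    for pod in pods.get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            image = c["image"]
            if not image.startswith(TRUSTED_IMAGE_PREFIXES):
                findings.append(f"{meta['namespace']}/{meta['name']}: {image}")
    return findings


def audit(services: dict, pods: dict) -> dict[str, list[str]]:
    """Run both checks and return the findings keyed by check name."""
    return {
        "exposed_gateway": exposed_gateways(services),
        "untrusted_image": untrusted_images(pods),
    }


# Constructed sample inventories: a gateway switched to LoadBalancer, a normal
# ClusterIP service, one notebook pod from a trusted registry and one pod
# pulling from a placeholder public repository.
SAMPLE_SERVICES = {"items": [
    {"metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80}, {"port": 443}]}},
    {"metadata": {"name": "ml-pipeline", "namespace": "kubeflow"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 8888}]}},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "notebook-0", "namespace": "kubeflow-user"},
     "spec": {"containers": [{"name": "notebook",
                              "image": "gcr.io/kubeflow-images-public/notebook:PLACEHOLDER-TAG"}]}},
    {"metadata": {"name": "suspicious-deploy-7f9c4", "namespace": "kubeflow"},
     "spec": {"containers": [{"name": "main",
                              "image": "placeholder-public-repo/placeholder-image:latest"}]}},
]}


if __name__ == "__main__":
    # Usage: python audit.py services.json pods.json; without arguments the sample data is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_svc, open(sys.argv[2]) as f_pods:
            services, pods = json.load(f_svc), json.load(f_pods)
    else:
        services, pods = SAMPLE_SERVICES, SAMPLE_PODS
    for check, items in audit(services, pods).items():
        for item in items:
            print(f"[{check}] {item}")
```

Run against the sample data it reports the LoadBalancer gateway and the pod whose image comes from the placeholder public repository; the notebook pod and the ClusterIP service produce no findings. The allowlist is a prefix match, so a registry allowlist entry must end in a slash to avoid matching lookalike hostnames.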

This was the first known attack to use Kubeflow as a way into clusters, even though containerization technology is frequently targeted in crypto-mining campaigns. It is also worth noting that this was not the first time Kubeflow itself was at the center of a Monero mining campaign.