Kubernetes Clusters Hit by Kubeflow Crypto-Mining Attack

A first-of-its-kind campaign targeting a popular Kubernetes toolkit seeded cryptocurrency mining malware across multiple clusters, according to Microsoft.

Open source project Kubeflow is a framework for running machine learning tasks in Kubernetes.

As the nodes used for these tasks tend to be relatively powerful, sometimes including GPUs, they’re an attractive target for crypto-miners, according to Yossi Weizman, security research software engineer at the Azure Security Center.

Back in April, his team detected a suspect image subsequently found to be running an XMRIG miner, deployed from a public repository onto multiple clusters.

Weizman explained that the Kubeflow dashboard is exposed by an Istio ingress gateway and, by default, is accessible only internally. However, users may have unwittingly made the set-up less secure by tweaking these settings.

“In some cases, users modify the setting of the Istio Service to Load-Balancer which exposes the service to the internet. We believe that some users chose to do it for convenience: without this action, accessing the dashboard requires tunneling through the Kubernetes API server and isn’t direct,” he said.

“By exposing the service to the internet, users can access the dashboard directly. However, this operation enables insecure access to the Kubeflow dashboard, which allows anyone to perform operations in Kubeflow, including deploying new containers in the cluster.”

This likely allowed attackers to deploy a backdoor container in the cluster, Weizman added.

Although only “tens” of clusters were affected in this operation, it comes hot-on-the-heels of a larger-scale cryptocurrency mining campaign against Kubernetes clusters spotted by Microsoft in April.

Weizman concluded that organizations should make use of authentication and access controls, ensure sensitive interfaces are not exposed to the internet, regularly monitor the runtime environment, allow deployments of only trusted images and always scan images for vulnerabilities.

What’s Hot on Infosecurity Magazine?