A new method of creating persistent backdoor accounts on Kubernetes clusters for Monero crypto-mining has been discovered by Aqua Security’s research team, “Nautilus,” who named the campaign ‘RBAC Buster.’ This new type of attack involves abusing RBAC (Role-Based Access Control) – a Kubernetes API access control system allowing admins to define which users or service accounts can access API resources and operations – to enforce malicious access control policies.
By using RBAC to create a new ‘ClusterRole’ with near admin-level privileges and a ServiceAccount ‘kube-controller’ in the ‘kube-system’ namespace, the attacker gains persistence on the cluster. A ClusterRoleBinding named ‘system:controller:kube-controller’ is then created to persist in the cluster even if anonymous user access is disabled.
Furthermore, the attack campaign was observed to be actively used to compromise 60 misconfigured Kubernetes clusters. Aqua Security was able to record and analyze the attack after the threat actors breached one of its Kubernetes honeypots that was purposely misconfigured to expose APIs and access keys. The initial access to the target Kubernetes cluster is achieved through unauthenticated requests from anonymous users with privileges, so the API server needs to be misconfigured.
Additionally, at this stage, the attacker checks if the server was compromised already by their campaign, deployed as ‘kube-controller,’ or if other cybercrime competitors have already compromised the cluster. If it finds other attackers’ deployments, it will delete them to take control of the device’s resources for its own malicious use.
At the same time, Aqua Security found that the malicious ‘kube-controller’ container was deployed from and located on the public Docker registry as ‘kuberntesio/kube-controller:1.0.1.’ This name impersonates the legitimate ‘kubernetesio’ account and the popular ‘kube-controller-manager’ image, which is a continuously-running critical component of the Kubernetes control plane responsible for detecting and responding to node failures. The final step of the attack is to create a DaemonSet to deploy a Docker Hub-hosted container image (‘kuberntesio/kube-controller’) on all nodes with a single API request and start mining the hard-to-trace cryptocurrency Monero on the compromised server.
The repercussions of the RBAC Buster attacks on Kubernetes clusters can be significant and include unauthorized access to data, exposure of secrets, resource hijacking, and potentially even reputation damage.
To mitigate the threat, secure the API server by disallowing unauthenticated requests from anonymous users and create and enforce strict API access policies by using RBAC effectively. Admins are also urged to monitor audit logs and encrypt any secrets and account credentials hosted in the cluster.
The RBAC Buster attack campaign serves as a warning for organizations to ensure that their Kubernetes clusters are properly secured to prevent future attacks, which could result in significant financial and reputational damages.
