Cybersecurity researchers at Wiz have identified a sophisticated cryptojacking campaign that exploits vulnerabilities in Kubernetes clusters to mine Dero cryptocurrency. This campaign represents an evolution of earlier attacks documented by CrowdStrike in March 2023. Unlike previous methods that utilized a Kubernetes DaemonSet named “proxy-api,” the current campaign employs seemingly innocuous DaemonSets such as “k8s-device-plugin” and “pytorch-container” to distribute a UPX-packed DERO miner across cluster nodes. This strategy allows the threat actors to covertly execute mining operations while evading detection, leveraging anonymous access to Kubernetes API servers as an initial point of compromise.
The malicious activity centers around Docker images hosted on Docker Hub, some of which have been downloaded more than 10,000 times. These images contain the ‘pause’ container, which masquerades as a legitimate component used for network isolation within Kubernetes pods. Once deployed, the DERO miner embedded in these containers begins exploiting computational resources across the Kubernetes cluster, aiming to maximize cryptocurrency mining output.
Furthermore, the threat actors have taken steps to obfuscate their activities and evade security measures. The DERO miner itself is an open-source binary modified to hard-code wallet addresses and mining pool URLs, making it easier to operate without typical command-line arguments that might trigger security alerts. Additionally, the use of UPX packing technology adds another layer of complexity, making analysis and detection more challenging for defenders.
In response to this threat, Wiz has observed additional tools developed by the attackers, including a Windows version of the DERO miner and a dropper script designed to terminate competing mining processes on infected hosts. The attackers have also registered domains with innocuous names to blend in with legitimate web traffic and obscure communication with well-known mining pools. This adaptive approach underscores the attackers’ efforts to stay ahead of cybersecurity defenses, continually refining their tactics to exploit vulnerabilities in cloud environments effectively.
Reference:
