Attackers escalate to cluster-wide privileges and evict competing miners.
Security company Aqua has discovered a large-scale campaign in which attackers abuse Kubernetes Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners.
According to the researchers, the attackers also deployed DaemonSets to hijack compute resources from the targeted Kubernetes clusters. Aqua found 60 exposed clusters that the attackers had already compromised.
The attack chain, dubbed "RBAC Buster", begins with the attacker gaining initial access through a misconfigured API server, checking the compromised cluster for competing miners, and then using RBAC to establish persistence.
The attacker created:
a "ClusterRole" (a set of permissions on resources across the entire cluster) with administrator-level privileges;
a "ServiceAccount" (an identity that workloads use to authenticate to the Kubernetes API) named "kube-controller" in the "kube-system" namespace;
a "ClusterRoleBinding" that binds the ClusterRole to that ServiceAccount, giving the attacker a strong and inconspicuous foothold in the cluster, since the object names look like those of a legitimate control-plane component.
During the attack, the attacker also attempted to weaponize AWS access keys to entrench itself further in the environment, exfiltrate data and break out of the cluster.
In the final phase, the attacker created a DaemonSet that deploys a container image hosted on Docker Hub ("kuberntesio/kube-controller:1.0.1") to every node in the cluster. The image, which contains a cryptominer, had been pulled 14,399 times in the five months since it was uploaded.
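The persistence pattern described above leaves a recognisable footprint in the API server: a ClusterRoleBinding that hands a ServiceAccount a ClusterRole with wildcard rules, and a DaemonSet pulling an image from a look-alike owner. The following Python script is an added example, not code from Aqua or from the article, that hunts for both in a cluster snapshot in the shape `kubectl get clusterroles,clusterrolebindings -o json` and `kubectl get daemonsets -A -o json` return. The sample objects are constructed here to resemble the campaign (the names "system:controller:kube-controller", the trusted-owner list and the 0.8 similarity threshold are assumptions, not values from the report).

```python
"""Hunt for the RBAC Buster persistence pattern in a cluster snapshot.

Two checks, run over constructed sample data shaped like kubectl JSON:
  1. a ClusterRoleBinding that grants a ServiceAccount a ClusterRole whose
     rules allow every verb on every resource (cluster-admin in all but name);
  2. a DaemonSet whose image owner is not trusted but closely resembles a
     trusted one (typosquatting, e.g. "kuberntesio" vs "kubernetesio").
"""
import difflib

# Assumed allow-list of image owners / registries for control-plane images.
TRUSTED_IMAGE_OWNERS = {"kubernetesio", "registry.k8s.io", "k8s.gcr.io"}
LOOKALIKE_THRESHOLD = 0.8  # assumed; tune against your own registry names


def is_wildcard_admin(cluster_role):
    """True if any rule of the ClusterRole grants every verb on every resource."""
    for rule in cluster_role.get("rules", []):
        if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
            return True
    return False


def rogue_service_account_bindings(cluster_roles, bindings):
    """Return (binding name, namespace/serviceaccount, role name) for every
    ClusterRoleBinding that gives a ServiceAccount a wildcard ClusterRole.
    Group/User subjects (e.g. system:masters) are not reported here."""
    admin_roles = {r["metadata"]["name"] for r in cluster_roles if is_wildcard_admin(r)}
    findings = []
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in admin_roles:
            continue
        for s in b.get("subjects", []):
            if s["kind"] == "ServiceAccount":
                sa = f"{s.get('namespace', 'default')}/{s['name']}"
                findings.append((b["metadata"]["name"], sa, ref["name"]))
    return findings


def image_owner(image):
    """'kuberntesio/kube-controller:1.0.1' -> 'kuberntesio'.
    A bare image name ('nginx:1.25') is a Docker Hub 'library' image."""
    return image.split("/", 1)[0] if "/" in image else "library"


def lookalike_daemonsets(daemonsets):
    """Return (namespace/name, image, trusted owner it resembles) for DaemonSets
    whose image owner is near, but not in, the trusted set."""
    findings = []
    for ds in daemonsets:
        meta = ds["metadata"]
        for c in ds["spec"]["template"]["spec"].get("containers", []):
            owner = image_owner(c["image"])
            if owner in TRUSTED_IMAGE_OWNERS:
                continue
            # Closest trusted owner by difflib similarity ratio (0..1).
            best = max(TRUSTED_IMAGE_OWNERS,
                       key=lambda t: difflib.SequenceMatcher(None, owner, t).ratio())
            if difflib.SequenceMatcher(None, owner, best).ratio() >= LOOKALIKE_THRESHOLD:
                findings.append((f"{meta['namespace']}/{meta['name']}", c["image"], best))
    return findings


# Constructed sample snapshot: one legitimate admin binding, one rogue one,
# one legitimate DaemonSet and one pulling the look-alike image.
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "kube-controller"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "system:controller:kube-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "kube-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller", "namespace": "kube-system"}]},
]
SAMPLE_DAEMONSETS = [
    {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.27.1"}]}}}},
    {"metadata": {"name": "kube-controller", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-controller", "image": "kuberntesio/kube-controller:1.0.1"}]}}}},
]

if __name__ == "__main__":
    for f in rogue_service_account_bindings(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print("rogue admin binding:", f)
    for f in lookalike_daemonsets(SAMPLE_DAEMONSETS):
        print("look-alike DaemonSet image:", f)
```

The wildcard check only catches roles written with `*`; an attacker can enumerate near-admin verbs per resource and slip past it, so in practice compare the effective permission set of every ServiceAccount-bound ClusterRole against the admin role rather than looking for the literal wildcard. The "cluster-admin" binding to the `system:masters` group is deliberately not reported, since that is a stock Kubernetes object.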
"The 'kuberntesio/kube-controller' container image is an example of typosquatting that impersonates the legitimate 'kubernetesio' account. The image also mimics the popular 'kube-controller-manager' container image, which is a critical control plane component that runs in a pod on each master node and is responsible for detecting and responding to node failures," Aqua's researchers explain.
Some of the tactics also resemble another cryptojacking campaign that used DaemonSets to mine the Dero coin. Whether the two campaigns are related is currently unclear.