  • Malefactors compete among themselves for cryptocurrency in Kubernetes

    Hackers gain environment privileges to eliminate competitors.

    Security company Aqua has discovered a large-scale campaign in which attackers abuse Kubernetes Role-Based Access Control (RBAC) policies to create backdoors and run cryptocurrency miners.

    The attackers also deployed DaemonSets to hijack the resources of the targeted Kubernetes clusters, experts say. In total, 60 unprotected clusters used by the attackers were found.

    The chain of attacks, dubbed "RBAC Buster", began with an attacker gaining initial access through a misconfigured API server, then checking for competing miners on the compromised server, and then using RBAC to establish persistence.

    The attacker created:

      • a "ClusterRole" object (describes the rights to objects in the entire cluster) with administrator-level privileges;
      • a "ServiceAccount" account (designed to manage access rights to the Kubernetes API for processes) and the "kube-controller" daemon in the "kube-system" namespace;
      • a "ClusterRoleBinding" (opens access to cluster entities) that binds the "ClusterRole" to the "ServiceAccount", in order to gain a secure and discreet foothold in the system.

    During the attack, the attacker also attempted to use the AWS public access keys to gain a foothold in the environment, steal data, and break out of the cluster.

    In the final phase of the attack, the attacker created a DaemonSet to deploy a container image hosted on Docker ("kuberntesio/kube-controller:1.0.1") to all nodes. The container, which has been downloaded 14,399 times since it was uploaded 5 months ago, contains a cryptominer.

    “The 'kubernetesio/kube-controller' container image is an example of typosquatting that allows you to impersonate a legitimate 'kubernetesio' account. The image also mimics the popular "kube-controller-manager" container image, which is a critical control plane component that runs in a pod on each master node and is responsible for detecting and responding to node failures.”

    Interestingly, some of the attack tactics bear similarities to another cryptojacking campaign that also used DaemonSets to mine the Dero coin. It is currently unclear if the two campaigns are related.
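
    One way to audit a cluster for the persistence pattern described above (an added example, not code from Aqua or from this article): it flags wildcard ClusterRoles bound to a ServiceAccount and DaemonSet images whose account name closely imitates a trusted one. The "example-*" object names, the 0.85 similarity threshold and the trusted-account list are assumptions.

```python
import difflib
TRUSTED_ORGS = {"kubernetesio"}  # legitimate account named in the article

def is_wildcard_role(role):
    """True if a rule grants every verb on every resource in every API group."""
    return any("*" in r.get("apiGroups", []) and "*" in r.get("resources", [])
               and "*" in r.get("verbs", []) for r in role.get("rules") or [])

def lookalike_org(image):
    """Return the trusted account that the image's account imitates, else None."""
    org = image.split("/")[0] if "/" in image else ""
    for trusted in TRUSTED_ORGS:
        close = difflib.SequenceMatcher(None, org, trusted).ratio() >= 0.85
        if org != trusted and close:  # 0.85 is an assumed similarity threshold
            return trusted
    return None

def audit(objects):
    """Return sorted (kind, name, reason) findings for Kubernetes object dicts."""
    admin_roles = {o["metadata"]["name"] for o in objects
                   if o["kind"] == "ClusterRole" and is_wildcard_role(o)}
    findings = []
    for o in objects:
        name = o["metadata"]["name"]
        if o["kind"] == "ClusterRoleBinding" and o["roleRef"]["name"] in admin_roles:
            for s in o.get("subjects") or []:
                if s.get("kind") == "ServiceAccount":
                    findings.append((o["kind"], name, "admin role bound to "
                                     f"{s.get('namespace')}/{s['name']}"))
        elif o["kind"] == "DaemonSet":
            for c in o["spec"]["template"]["spec"]["containers"]:
                if lookalike_org(c["image"]):
                    findings.append((o["kind"], name, f"image {c['image']} "
                                     f"imitates {lookalike_org(c['image'])}"))
    return sorted(findings)

# Constructed sample; the "example-*" object names are placeholders.
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "example-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "example-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller",
                   "namespace": "kube-system"}]},
    {"kind": "DaemonSet", "metadata": {"name": "example-ds"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "miner", "image": "kuberntesio/kube-controller:1.0.1"}]}}}},
]
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

    On a live cluster the same function can be fed the "items" list from `kubectl get clusterroles,clusterrolebindings,daemonsets -A -o json`.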

    Author DeepWeb