CrowdStrike cybersecurity researchers recently uncovered yet another illegal cryptocurrency mining campaign, this time targeting the Kubernetes platform. The operation marks the first time that attackers have abandoned Monero, currently the most common coin in cryptojacking campaigns, in favor of the Dero crypto coin. This may be because Dero is slightly more profitable to mine and provides anonymization functions at least as good as Monero's.
Kubernetes, developed by Google, is one of the most popular container management systems and is designed to automate the deployment, scaling and management of containerized applications. Kubernetes clusters have very impressive computing power, so it is not surprising that crypto scammers are interested in them.
The attack, attributed to an unknown financially motivated group of hackers, began with a search for insecure Kubernetes clusters that allowed anonymous authentication, into which a payload was then injected. A malicious mining module disguised as a legitimate system container was then deployed on each such cluster, making the malicious activity harder to detect.
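The anonymous-access exposure described above can be audited from the defender's side. The following is an added example, not code from CrowdStrike or the original article: it scans the JSON produced by `kubectl get clusterrolebindings -o json` for bindings that grant roles to unauthenticated callers. The sample data and the `ALLOWED_ROLES` allowlist are assumptions made for illustration.

```python
import json

# Identities the API server assigns to requests that carry no credentials.
ANON_USER = "system:anonymous"
UNAUTH_GROUP = "system:unauthenticated"

# Assumption: roles considered acceptable for anonymous callers. Upstream
# Kubernetes binds system:public-info-viewer to unauthenticated users by
# default; adjust this set for your distribution.
ALLOWED_ROLES = {"system:public-info-viewer"}

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": UNAUTH_GROUP}]},
    {"metadata": {"name": "legacy-anon-admin"},  # hypothetical misconfiguration
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": ANON_USER}]},
    {"metadata": {"name": "ops-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
    {"metadata": {"name": "empty-binding"},      # bindings may have no subjects
     "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": None},
]})

def anonymous_bindings(doc):
    """Return one finding per binding subject that is an unauthenticated identity."""
    findings = []
    for item in doc.get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        for subj in item.get("subjects") or []:
            kind, name = subj.get("kind"), subj.get("name")
            if (kind, name) in {("User", ANON_USER), ("Group", UNAUTH_GROUP)}:
                findings.append({"binding": item["metadata"]["name"],
                                 "role": role, "subject": name,
                                 "risky": role not in ALLOWED_ROLES})
    return findings

if __name__ == "__main__":
    for f in anonymous_bindings(json.loads(SAMPLE)):
        flag = "REVIEW" if f["risky"] else "ok"
        print(f'{flag:6} {f["binding"]} -> {f["role"]} ({f["subject"]})')
```

Namespaced RoleBindings need the same check, and the API server's `--anonymous-auth` setting decides whether unauthenticated requests are accepted at all.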
CrowdStrike also stated that it detected other malicious activity in parallel, targeting public Kubernetes clusters. Notably, a completely different hacker group was already operating; it managed to detect the presence of a competitor in the Kubernetes API, “drive it away” and connect Monero cryptocurrency mining to its own wallet. It looks more like a showdown between Mexican cartels than a confrontation between hackers.
Everyone wants to grab their "piece of the pie" and fights for it as best they can. The incident once again proves how attractive cryptojacking operations are to modern hackers. Everyone loves money, and when all it takes to get it is connecting to an open high-performance server, attackers apparently find it impossible to resist.