Attackers are exploiting Kubernetes RBAC to create backdoors and deploying DaemonSets to take over and hijack resources. The campaign is targeting at least 60 clusters and is caused by misconfigured API servers.
The attacker gains persistence by creating a ClusterRole with admin-level privileges, binding it with a ServiceAccount to create a strong and inconspicuous persistence. The attacker then creates a DaemonSet to deploy containers and mine Monero.
The impact on the cluster is resource hijacking. The container image 'kuberntesio/kube-controller' is typosquatting and deceives practitioners into thinking it is a legitimate deployment rather than a cryptominer.
Share with your friends and followers
Start blogging about your favorite technologies, reach more readers and earn rewards!
Join other developers and claim your FAUN account now!
Only registered users can post comments. Please, login or signup.