Attackers are exploiting Kubernetes RBAC to create backdoors and deploying DaemonSets to take over and hijack resources. The campaign is targeting at least 60 clusters and is caused by misconfigured API servers.
The attacker gains persistence by creating a ClusterRole with admin-level privileges, binding it with a ServiceAccount to create a strong and inconspicuous persistence. The attacker then creates a DaemonSet to deploy containers and mine Monero.
The impact on the cluster is resource hijacking. The container image 'kuberntesio/kube-controller' is typosquatting and deceives practitioners into thinking it is a legitimate deployment rather than a cryptominer.
Give a Pawfive to this post!
Share with your friends and followers
Start writing about what excites you in tech — connect with developers, grow your voice, and get rewarded.
Join other developers and claim your FAUN.dev() account now!
