Attackers are exploiting Kubernetes RBAC to create backdoors and deploying DaemonSets to take over and hijack resources. The campaign is targeting at least 60 clusters and is caused by misconfigured API servers.

The attacker gains persistence by creating a ClusterRole with admin-level privileges, binding it with a ServiceAccount to create a strong and inconspicuous persistence. The attacker then creates a DaemonSet to deploy containers and mine Monero.

The impact on the cluster is resource hijacking. The container image 'kuberntesio/kube-controller' is typosquatting and deceives practitioners into thinking it is a legitimate deployment rather than a cryptominer.