June 12, 2024 at 10:09AM
Cybersecurity researchers have uncovered an ongoing cryptojacking campaign that targets misconfigured Kubernetes clusters to mine Dero cryptocurrency. The threat actors abuse anonymous access to launch malicious container images carrying a Dero miner. The attack targets externally accessible Kubernetes API servers and uses obfuscation techniques to resist analysis; the attackers' tactics show continued adaptation to evade detection.
Key takeaways:
1. An ongoing cryptojacking campaign targets misconfigured Kubernetes clusters to mine Dero cryptocurrency.
2. The attackers use anonymous access to Internet-facing clusters, i.e. externally accessible Kubernetes API servers with anonymous authentication enabled, to deliver the miner payloads.
3. The campaign is an updated variant of a financially motivated operation first documented in March 2023 by CrowdStrike.
4. Seemingly benign DaemonSets named “k8s-device-plugin” and “pytorch-container” run the miner on every node of the cluster.
5. The cryptocurrency miner is an open-source binary written in Go, packed with UPX to resist analysis.
6. Additional tooling developed by the threat actor includes a Windows sample of a UPX-packed Dero miner and a dropper shell script.
7. The attacker's tactics include registering domains with innocent-looking names, masking communication with mining pools, and adapting their methods to stay ahead of defenders.
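Takeaways 2 and 4 describe the two things a cluster operator can check for directly: whether the kube-apiserver still accepts anonymous requests, and whether a DaemonSet with one of the reported names (or an image from an unexpected registry) has appeared. The following is an added example written for this summary, not code from the article or from the researchers it cites; it works on a kube-apiserver static pod manifest and on the JSON that `kubectl get daemonsets -A -o json` would produce. The manifests below are constructed samples, the `TRUSTED_REGISTRIES` allowlist and the `docker.io/example/...` image name are assumptions, and `--anonymous-auth` is the real kube-apiserver flag (it defaults to true when absent).

```python
"""Audit helpers for the Kubernetes pattern described above: anonymous API access
and suspicious DaemonSets. Added example; all sample objects are constructed."""
import copy
import json

# DaemonSet names reported in the campaign summary above.
SUSPECT_DAEMONSET_NAMES = {"k8s-device-plugin", "pytorch-container"}
# Assumed allowlist of registries for this example; adapt to your environment.
TRUSTED_REGISTRIES = ("registry.k8s.io/", "quay.io/")

# Constructed kube-apiserver static pod manifest (weak setting: anonymous auth on).
SAMPLE_APISERVER_MANIFEST = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
    "spec": {"containers": [{
        "name": "kube-apiserver",
        "image": "registry.k8s.io/kube-apiserver:v0.0.0-sample",
        "command": ["kube-apiserver", "--authorization-mode=Node,RBAC",
                    "--anonymous-auth=true"],
    }]},
}

# Constructed DaemonSet list: one legitimate system DaemonSet, one that matches
# the reported name and is pulled from a registry outside the allowlist.
SAMPLE_DAEMONSETS = {"items": [
    {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v0.0.0-sample"}]}}}},
    {"metadata": {"name": "k8s-device-plugin", "namespace": "default"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "plugin", "image": "docker.io/example/k8s-device-plugin:latest"}]}}}},
]}


def _apiserver_args(container: dict) -> list[str]:
    return list(container.get("command", [])) + list(container.get("args", []))


def anonymous_auth_enabled(manifest: dict) -> bool:
    """True unless the kube-apiserver container explicitly passes --anonymous-auth=false.
    The flag defaults to true, so a missing flag counts as enabled."""
    for container in manifest["spec"]["containers"]:
        if container["name"] != "kube-apiserver":
            continue
        for arg in _apiserver_args(container):
            if arg.startswith("--anonymous-auth="):
                return arg.split("=", 1)[1].strip().lower() != "false"
    return True


def set_anonymous_auth(manifest: dict, enabled: bool) -> dict:
    """Return a copy of the manifest with --anonymous-auth set explicitly (the hardened
    form is enabled=False). Any existing occurrence in command or args is replaced."""
    fixed = copy.deepcopy(manifest)
    for container in fixed["spec"]["containers"]:
        if container["name"] != "kube-apiserver":
            continue
        for key in ("command", "args"):
            if key in container:
                container[key] = [a for a in container[key]
                                  if not a.startswith("--anonymous-auth=")]
        container.setdefault("command", []).append(
            f"--anonymous-auth={'true' if enabled else 'false'}")
    return fixed


def suspicious_daemonsets(daemonset_list: dict) -> list[dict]:
    """Flag DaemonSets whose name matches the reported campaign names or whose
    images come from a registry outside the allowlist. Findings are leads for
    review, not proof of compromise."""
    findings = []
    for ds in daemonset_list.get("items", []):
        meta = ds["metadata"]
        name, ns = meta["name"], meta.get("namespace", "default")
        images = [c["image"] for c in ds["spec"]["template"]["spec"]["containers"]]
        reasons = []
        if name in SUSPECT_DAEMONSET_NAMES:
            reasons.append("name matches a DaemonSet reported in the Dero campaign")
        untrusted = [i for i in images if not i.startswith(TRUSTED_REGISTRIES)]
        if untrusted:
            reasons.append("image not from an allow-listed registry: " + ", ".join(untrusted))
        if reasons:
            findings.append({"namespace": ns, "name": name, "images": images, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("anonymous auth enabled:", anonymous_auth_enabled(SAMPLE_APISERVER_MANIFEST))
    hardened = set_anonymous_auth(SAMPLE_APISERVER_MANIFEST, enabled=False)
    print("after hardening:", anonymous_auth_enabled(hardened))
    print(json.dumps(suspicious_daemonsets(SAMPLE_DAEMONSETS), indent=2))
```

Disabling anonymous auth with `--anonymous-auth=false` is the direct fix for takeaway 2; on clusters where a health checker relies on unauthenticated `/healthz`, review that dependency before flipping the flag. The DaemonSet check is a triage aid: a name match is a lead to inspect the image and its origin, not evidence on its own, since benign workloads can share these names.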