Computer security specialists from Microsoft announced a series of hacker attacks on Kubernetes clusters running Kubeflow containers for hidden cryptocurrency mining.
Kubernetes is a popular container orchestration system, and Kubeflow allows you to quickly and easily deploy machine learning container instances. Hackers attack clusters with deployed Kubeflow systems in order to deploy their own containers in which XMR and ETH miners run.
The attacks began at the end of May. Computer security experts have discovered a sudden spike in the deployment of TensorFlow containers.
“The splash of installations on different clusters was simultaneous. This suggests that the hackers scanned the clusters in advance and made a list of potential targets, and then launched a coordinated attack, ”said Microsoft senior security researcher Yossi Weizman.
The attackers modified the containers to mine cryptocurrencies and distribute them through the Kubeflow Pipelines platform. At the same time, they received initial access to Kubernetes clusters through the Kubeflow control system – initially access to it should be limited to internal networks, but some administrators mistakenly allowed access from outside. Then the hackers deployed two containers: one for mining cryptocurrencies on central processors, and the other on video accelerators.
To mine Monero, the XMRig application was used, and for Ethereum mining, hackers deployed containers with Ethminer.
“Attacks are still ongoing and all new Kubernetes clusters with an open Kubeflow panel are under attack,” Weizman warned.
The cybersecurity expert advised administrators to always enable authentication when accessing the panel, as well as restrict access to it. In addition, he advised to keep an eye on your infrastructure and deployed containers.
At the end of April, it was reported that Microsoft would add support for Intel Threat Detection Technology to improve its responsiveness to hidden mining malware on workstations.