First-Ever Dero Cryptojacking Targets Kubernetes Infrastructure

But wait, there’s more! This new attack campaign has a Monero cryptojacking attacker after it!
CrowdStrike, a leading cybersecurity firm, has uncovered the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. Dero is a relatively new, privacy-focused cryptocurrency that uses directed acyclic graph (DAG) technology to offer, its founders claim, complete anonymity of transactions. This combination of anonymity and the promise of higher rewards makes it more attractive to cryptojacking groups than the commonly used Monero cryptocurrency.
You see, 2022’s crypto crash undercut cryptojackers’ monetary reward by 50-90%. This made Dero, which offers larger rewards, much more attractive to attackers.
Separate Operation
Ironically, CrowdStrike also found a separate Monero cryptojacking operation piggy-backing on the Dero campaign. The Monero campaign employs privilege escalation using DaemonSets and a host root mount to switch infected Kubernetes pods from mining Dero to mining Monero. There is no honor among thieves!
In February 2023, the Dero cryptojacking campaign was spotted. Attackers scanned for and identified exposed, vulnerable Kubernetes clusters with authentication set to --anonymous-auth=true. By deploying a Kubernetes DaemonSet named “proxy-api,” the attacker simultaneously engaged the resources of all nodes in a Kubernetes cluster to run a cryptojacking operation. The mining efforts were contributed back to a community pool, which distributed Dero coin rewards equally among contributors through digital wallets.
Now, Kubernetes out-of-the-box doesn’t allow anonymous access to the Kubernetes control plane Application Programming Interface (API). But the delayed secure-by-default decision and poor configurations constantly leave Kubernetes clusters vulnerable to attack.
The Docker image used in the operation is hosted by Docker Hub for easy public access. The image, “pauseyyf/pause:latest,” was uploaded in January 2023 and has over 4,000 pulls at the time of this writing, implying the scope of the campaign and the potential number of miner instances deployed.
Once in, the attack creates a DaemonSet. The attacker creates it under a default Kubernetes namespace, “kube-system,” and names it “proxy-api” to disguise it. Additionally, the attacker sets pod DNS servers to a public IP (such as Google’s 8.8.8.8) and marks “restartPolicy: Always” in case the pod on any of the nodes crashes. In short, once in place, it’s a persistent cuss.
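A defender-side check for the indicators this article names (a DaemonSet called “proxy-api” in kube-system, the pauseyyf/pause image, public pod DNS servers, and the host root mount used by the Monero campaign), added here as an example and not CrowdStrike’s code. It assumes the input is the JSON List printed by `kubectl get daemonsets -A -o json`; the function names and the sample objects are constructed for illustration.

```python
import ipaddress
import json

# Indicators named in the article; the sample objects below are constructed.
SUSPECT_NAME, SUSPECT_IMAGE = "proxy-api", "pauseyyf/pause"

def image_repo(image):
    """Strip digest and tag: 'docker.io/a/b:latest' -> 'docker.io/a/b'."""
    repo = image.split("@")[0]
    if ":" in repo.rsplit("/", 1)[-1]:
        repo = repo.rsplit(":", 1)[0]
    return repo

def audit_daemonset(ds):
    """Return findings for one DaemonSet object from kubectl's JSON output."""
    meta = ds.get("metadata", {})
    pod = ds.get("spec", {}).get("template", {}).get("spec", {})
    findings = []
    if (meta.get("namespace"), meta.get("name")) == ("kube-system", SUSPECT_NAME):
        findings.append("name proxy-api in kube-system")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        repo = image_repo(c.get("image", ""))
        if repo == SUSPECT_IMAGE or repo.endswith("/" + SUSPECT_IMAGE):
            findings.append("image " + c["image"])
    for ns in (pod.get("dnsConfig") or {}).get("nameservers", []):
        if ipaddress.ip_address(ns).is_global:  # pod resolves outside the cluster
            findings.append("public DNS server " + ns)
    for v in pod.get("volumes", []):
        if (v.get("hostPath") or {}).get("path") == "/":
            findings.append("host root mounted as volume " + v.get("name", "?"))
    return findings

def audit(doc):
    """Map 'namespace/name' -> findings for each flagged DaemonSet in a List."""
    found = {"{namespace}/{name}".format(**ds["metadata"]): audit_daemonset(ds)
             for ds in doc.get("items", [])}
    return {k: v for k, v in found.items() if v}

# Constructed sample standing in for `kubectl get daemonsets -A -o json`.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "kube-system", "name": "proxy-api"}, "spec": {"template": {"spec": {
   "dnsConfig": {"nameservers": ["8.8.8.8"]}, "containers": [{"image": "pauseyyf/pause:latest"}]}}}},
 {"metadata": {"namespace": "kube-system", "name": "log-agent"}, "spec": {"template": {"spec": {
   "dnsConfig": {"nameservers": ["10.96.0.10"]}, "containers": [{"image": "example.invalid/agent:1"}]}}}},
 {"metadata": {"namespace": "default", "name": "node-tool"}, "spec": {"template": {"spec": {
   "volumes": [{"name": "host", "hostPath": {"path": "/"}}], "containers": [{"image": "example.invalid/tool:2"}]}}}}]}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

A host root mount or a public DNS server on its own can be legitimate for some node agents, so treat those two findings as prompts for review rather than proof of compromise.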
All about Money
The Dero campaign appears to be all about money. So far, no attempts have been made to disrupt cluster operations or move laterally to attack further resources. Soon, however, CrowdStrike detected a modified Monero campaign attacking Kubernetes and displacing the Dero miner to mine Monero instead in February 2023.
The modified Monero campaign does this by deliberately trying to delete existing DaemonSets named “proxy-api”. That done, the Monero campaign takes the cluster over to use all of its resources for mining Monero.
Both the Dero and Monero cryptojacking campaigns are competing for undiscovered Kubernetes attack surfaces. CrowdStrike claims its Falcon platform can protect organizations from sophisticated breaches, including cryptojacking campaigns, with industry-leading Cloud Native Application Protection Platform (CNAPP) capabilities. While I’m sure deploying Falcon would be helpful, this attack underlines that securely setting up Kubernetes in the first place is a necessity.
Earlier this year, CrowdStrike discovered the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure.