Microsoft discovered two widespread crypto-mining attacks against Kubeflow, a popular cloud-native platform for ML workloads on Kubernetes. Attackers used Kubeflow’s central dashboard or Pipelines interface to schedule crypto-mining workloads. These attacks can strain infrastructure resources and expose intellectual property, personnel files, and other sensitive assets, causing real damage to the organisation.
A Kubeflow Crypto Attack: What Is It?
We’ve had numerous inquiries about what a Kubeflow crypto attack is and what it means. We’ll examine the entire picture in-depth in this article.
Kubernetes is becoming a more popular choice among businesses as they undergo digital transformations. Kubernetes is an open-source platform that helps businesses move past the conventional deployment era, when programmes were installed directly on physical servers and resource allocation was a constant problem.
It accomplishes this by helping these organisations manage containers: software units that bundle all the code and dependencies required to run an app.
The lightweight nature of this technology comes from containers sharing the machine’s OS kernel. However, managing these containers becomes challenging as businesses start to run dozens or even hundreds of them simultaneously in their environments. Administrators can use Kubernetes to streamline that management and distribute container network traffic so that an app stays available.
Additionally, they can use Kubernetes to declare the desired state for deployed containers, so that any container that fails its health checks is replaced or destroyed.
Attack by Cryptojackers
There is only one issue: organisations don’t usually configure Kubernetes correctly. For instance, in the autumn 2020 edition of its “State of Container and Kubernetes Security” study, StackRox found that 90% of respondents had suffered a security incident in their container and Kubernetes environments over the previous 12 months.
Two-thirds of those respondents told StackRox that their companies had experienced a misconfiguration incident; 22% had needed to fix a critical vulnerability, 17% had discovered a runtime incident, and 16% had failed an audit. Due to these and other security worries, nearly half (44%) of survey participants chose to postpone putting an app into production.
Attackers are well aware of the difficulties enterprises have with secure Kubernetes deployments, and they constantly search for mistakes they can exploit. This blog post examines one such campaign, which used a Kubernetes misconfiguration to spread malware that mines cryptocurrency.
The Cryptojacking Attack Internally
Microsoft learned in June 2020 that cybercriminals had compromised tens of Kubernetes clusters (sets of node machines used to run containerized apps) by targeting Kubeflow. Kubeflow, which runs on top of Kubernetes, gives administrators the ability to integrate machine learning (ML) toolkits into workflows. Those workflows can then be deployed in cloud, on-premises, and other environments for testing or for actual production use.
The Attack’s Mechanism
Microsoft explains that Kubeflow exposes its UI features through a dashboard inside the cluster. Access to that dashboard goes through the Istio ingress gateway, which by default is reachable only from inside the cluster. Microsoft found, however, that some users were putting themselves at risk by changing the Istio ingress gateway service to type LoadBalancer.
While doing so gives users a direct route to the Kubeflow dashboard, it also makes the Istio gateway and the Kubeflow dashboard publicly reachable from the Internet. Anyone with unauthorised access to Kubeflow could then use it to carry out actions such as deploying malicious containers onto the cluster.
Information about the Attack Chain
Microsoft said the attack was discovered in April after its researchers came across a suspicious image in a public repository. On examining the image, they found that it ran the XMRig cryptocurrency miner, and that it had been deployed to several clusters, most of which were running Kubeflow.
An attacker who gained access to Kubeflow could introduce a backdoor container into the cluster, either by using the Jupyter notebook server feature to host an unauthorised container image of their own design, or by running Python code from a legitimate Jupyter notebook to deploy a malicious container.
In either case, this malicious container gave the attackers persistence in the cluster. They then used the mounted service account to attempt lateral movement and deploy the container elsewhere, and finally dropped their cryptocurrency miner to complete the attack.
How to determine whether a cluster is impacted
To determine whether a cluster is affected, organisations can follow Microsoft’s recommendation and check that the malicious container image is not deployed in their cluster. The command below lists every container image in every namespace and searches the list for the malicious image name:
kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" | grep -i ddsfdfsaadfs
Additionally, administrators must make sure that the Kubeflow dashboard is not reachable from the Internet. They can confirm that the Istio ingress gateway service is not of type LoadBalancer and has no public IP. The following command shows the service’s type and any external IP:
kubectl get service istio-ingressgateway -n istio-system
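The two checks above can also be run against saved kubectl JSON output, which is handy for scripted audits across many clusters. The following Python script is an added example, not code from Microsoft’s post; it assumes the output of `kubectl get pods --all-namespaces -o json` and `kubectl get service istio-ingressgateway -n istio-system -o json`, and the sample JSON embedded here is constructed (the image tag `example:1` and the registry host are made up).

```python
import json
import re

# Constructed sample of `kubectl get pods --all-namespaces -o json`, trimmed to
# the fields this check reads. Registry host and image tag are made up.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "kubeflow", "name": "ml-pipeline-0"},
     "spec": {"containers": [{"image": "registry.example/ml-pipeline/api-server:1.0"}]}},
    {"metadata": {"namespace": "kubeflow", "name": "notebook-x"},
     "spec": {"initContainers": [{"image": "busybox:1.36"}],
              "containers": [{"image": "ddsfdfsaadfs/example:1"}]}},
]})

# Constructed sample of `kubectl get service istio-ingressgateway -n istio-system -o json`
# for a gateway that was switched to type LoadBalancer and received a public address.
SAMPLE_SVC = json.dumps({
    "spec": {"type": "LoadBalancer"},
    "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}},
})

def find_suspicious_images(pods_json, pattern="ddsfdfsaadfs"):
    """Return (namespace, pod, image) for every container, init containers
    included, whose image name matches pattern (case-insensitive, like grep -i)."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for pod in json.loads(pods_json).get("items", []):
        spec = pod.get("spec", {})
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if rx.search(c.get("image", "")):
                hits.append((pod["metadata"]["namespace"],
                             pod["metadata"]["name"], c["image"]))
    return hits

def ingress_gateway_exposed(svc_json):
    """True if the Istio ingress gateway service is type LoadBalancer, lists
    externalIPs, or has already been assigned a load-balancer address."""
    svc = json.loads(svc_json)
    spec = svc.get("spec", {})
    if spec.get("type") == "LoadBalancer" or spec.get("externalIPs"):
        return True
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    return any(e.get("ip") or e.get("hostname") for e in ingress)

if __name__ == "__main__":
    for ns, name, image in find_suspicious_images(SAMPLE_PODS):
        print(f"suspicious image {image} in pod {ns}/{name}")
    if ingress_gateway_exposed(SAMPLE_SVC):
        print("istio-ingressgateway is exposed outside the cluster")
```

To audit a live cluster, feed the real output of the two kubectl commands (saved with `-o json`) to the two functions instead of the built-in samples.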
How to Install Kubeflow Securely
Microsoft advises businesses to prevent the distribution of untrusted images and to check their images for vulnerabilities in order to deploy Kubeflow securely. Additionally, organisations shouldn’t stop there with their Kubernetes security initiatives. As stated by StackRox in a blog post:
“While running image scans to look for known vulnerabilities in language packages and operating systems continues to be a key component of image security, it is simply one of a larger number of security measures you must take to safeguard your environments. To improve and maintain your organization’s security posture, make decisions about image architecture and handling based on your understanding of the risks at each stage of a container’s lifespan.”
Crypto Attack on Kubeflow: How to Report the Crime
Share this information on social media to warn your friends and online contacts about the Kubeflow cryptocurrency attack. You can also formally report criminal activity to the Federal Trade Commission (FTC) using this link: