A recent large-scale attack campaign, nicknamed RBAC Buster, has been discovered exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and execute cryptocurrency mining operations. Israeli cloud security firm Aqua has shared its findings on this malicious activity after identifying 60 vulnerable K8s clusters targeted by the threat actors behind the campaign.
Gaining Initial Access through Misconfigured API Servers
The RBAC Buster attack chain begins with the threat actor obtaining initial access through a misconfigured API server. Once inside the compromised server, the attacker searches for competing miner malware before utilizing RBAC to establish persistence within the system.
Aqua’s report details the attacker’s steps: “The attacker created a new ClusterRole with near admin-level privileges. Next, the attacker created a ‘ServiceAccount,’ and ‘kube-controller’ in the ‘kube-system’ namespace. Lastly, the attacker created a ‘ClusterRoleBinding,’ binding the ClusterRole with the ServiceAccount to create a strong and inconspicuous persistence.”
In the cases observed against Aqua’s K8s honeypots, the attacker sought to exploit deliberately exposed AWS access keys to gain a stronger foothold in the environment, exfiltrate data, and break free from the cluster’s confines.
Deploying Cryptocurrency Miners through DaemonSets
The final phase of the RBAC Buster attack involves the threat actor creating a DaemonSet to deploy a container image hosted on Docker (“Kubernetes/kube-controller:1.0.1”) across all nodes. This container, downloaded 14,399 times since its upload five months ago, contains a cryptocurrency miner.
Aqua noted, “The container image named ‘Kubernetes/kube-controller’ is a case of typosquatting that impersonates the legitimate ‘Kubernetes’ account. Unfortunately, the image also mimics the popular ‘kube-controller-manager’ container image, a critical component of the control plane, running within a Pod on every master node, responsible for detecting and responding to node failures.”
Similarities to Another Cryptocurrency Mining Operation
Interestingly, some tactics used in the RBAC Buster campaign resemble those in another illegal cryptocurrency mining operation that leveraged DaemonSets to mine Dero and Monero. It remains uncertain whether these two sets of attacks are connected.
The attack has various stages, from gaining initial access through misconfigured API servers to deploying cryptocurrency miners through DaemonSets. It also highlights the similarities between this campaign and other illicit cryptocurrency mining operations.
None of the information on this website is investment or financial advice and does not necessarily reflect the views of CryptoMode or the author. CryptoMode is not responsible for any financial losses sustained by acting on information provided on this website by its authors or clients. Always conduct your research before making financial commitments, especially with third-party reviews, presales, and other opportunities.
