Attackers have discovered a new method of exploiting Kubernetes clusters to establish persistent access and abuse cluster resources for cryptocurrency mining. This large-scale attack campaign abuses misconfigured Role-Based Access Control (RBAC) to create backdoor entry points and leverages DaemonSets to run cryptominers.
What has been discovered?
The AquaSec research team claims that this novel attack method, dubbed RBAC Buster, is the first such case of abuse of Kubernetes RBAC to gain persistence.
This attack method has been used to target at least 60 misconfigured clusters in the wild so far.
The attacks used a malicious container image with the typosquatted name kuberntesio/kube-controller:1.0.1, masquerading as the genuine account kubernetesio and the genuine image kube-controller-manager.
In the last five months, this image has been downloaded over 14,000 times. Moreover, the attacker has already mined five XMR so far, indicating the success of this campaign.
RBAC Buster attack
The RBAC Buster attack begins with an unauthenticated request sent to a misconfigured API server that accepts requests from anonymous users.
The attacker sends API requests to obtain the list of secrets, and details about the cluster.
Checks are performed to ensure that the cluster is not already compromised. If deployments from other attackers are found, they are disabled to free up the resources.
Next, the attacker attempts to abuse RBAC to gain persistence on the cluster. It creates a new ClusterRole with admin-like privileges, creates a new service account, and binds the service account to that role to establish stronger persistence.
Finally, it creates a DaemonSet (a controller that runs a copy of a pod on every node) to deploy the malicious container image (kuberntesio/kube-controller) and start mining Monero on the infected hosts.
Ending notes
The RBAC Buster attack aims to exploit Kubernetes clusters using a previously unseen and unusual tactic, which makes it a dangerous threat to deal with. According to experts, a proactive defense strategy is the best way to handle such situations. Kubernetes admins are advised to restrict unauthenticated requests from anonymous users and enforce strict policies regarding access to cluster resources.
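The following audit script is an added example, not code from the original article or from the AquaSec research; it shows how a defender could check a cluster snapshot for the three indicators described above (anonymous or unauthenticated subjects bound to privileged roles, an admin-like ClusterRole bound to a service account, and a DaemonSet pulling a look-alike image) and for the hardening advice in the ending notes. The cluster objects, the registry allowlist and the organisation names other than kubernetesio are constructed for the example; in practice the same fields would be read from the JSON that kubectl returns for ClusterRoles, ClusterRoleBindings and DaemonSets.

```python
"""Audit a snapshot of RBAC and workload objects for RBAC Buster-style indicators.

The objects below are constructed for this example (they mimic a subset of the
fields in `kubectl get ... -o json` output) and do not come from a real cluster.
"""
from difflib import SequenceMatcher

# --- constructed snapshot -------------------------------------------------
CLUSTER_ROLES = [
    {"name": "cluster-admin",
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"name": "kube-controller",  # attacker-style role: full access to everything
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"name": "view-pods",
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"name": "kube-controller", "roleRef": "kube-controller",
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller",
                   "namespace": "kube-system"}]},
    {"name": "anon-admin", "roleRef": "cluster-admin",
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"name": "dev-view", "roleRef": "view-pods",
     "subjects": [{"kind": "User", "name": "alice"}]},
]
DAEMONSETS = [
    {"name": "kube-controller", "namespace": "kube-system",
     "image": "kuberntesio/kube-controller:1.0.1"},   # typosquat named in the article
    {"name": "node-exporter", "namespace": "monitoring",
     "image": "registry.example.com/infra/node-exporter:1.6.0"},
]

TRUSTED_REGISTRIES = {"registry.k8s.io", "registry.example.com"}  # assumed allowlist
KNOWN_ORGS = {"kubernetesio"}          # genuine Docker Hub account the image imitates
ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}


def is_admin_like(role):
    """A rule granting every verb on every resource is effectively cluster-admin."""
    return any("*" in r["verbs"] and "*" in r["resources"] for r in role["rules"])


def audit_rbac(roles, bindings):
    """Flag anonymous subjects on any binding and service accounts on admin-like roles."""
    admin_roles = {r["name"] for r in roles if is_admin_like(r)}
    findings = []
    for b in bindings:
        for s in b["subjects"]:
            if s["kind"] == "Group" and s["name"] in ANONYMOUS_SUBJECTS:
                findings.append(
                    f"binding {b['name']}: {s['name']} bound to role {b['roleRef']}")
            elif s["kind"] == "ServiceAccount" and b["roleRef"] in admin_roles:
                findings.append(
                    f"binding {b['name']}: service account {s['namespace']}/{s['name']} "
                    f"holds admin-like role {b['roleRef']}")
    return findings


def image_origin(image):
    """Return (registry, organisation) for an image reference.

    Docker Hub is the implicit registry when the first path segment is not a host,
    and single-segment Docker Hub images belong to the 'library' organisation.
    """
    parts = image.split("@")[0].split("/")        # drop any digest
    parts[-1] = parts[-1].split(":")[0]           # drop the tag
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, rest = first, parts[1:]
    else:
        registry, rest = "docker.io", parts
    org = rest[0] if len(rest) > 1 else "library"
    return registry, org


def audit_daemonsets(daemonsets, similarity=0.85):
    """Flag DaemonSets pulling from untrusted registries or look-alike organisations."""
    findings = []
    for ds in daemonsets:
        registry, org = image_origin(ds["image"])
        if registry in TRUSTED_REGISTRIES:
            continue
        where = f"daemonset {ds['namespace']}/{ds['name']}"
        lookalike = next((k for k in KNOWN_ORGS if org != k and
                          SequenceMatcher(None, org, k).ratio() >= similarity), None)
        if lookalike:
            findings.append(f"{where}: image org '{org}' looks like '{lookalike}' "
                            f"(possible typosquat): {ds['image']}")
        else:
            findings.append(f"{where}: image from untrusted registry {registry}: {ds['image']}")
    return findings


if __name__ == "__main__":
    for line in audit_rbac(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS) + audit_daemonsets(DAEMONSETS):
        print("FINDING:", line)
```

The anonymous-subject check corresponds to the advice to restrict unauthenticated requests: a binding that grants system:anonymous or system:unauthenticated anything beyond the default read-only discovery role is a misconfiguration worth reviewing, and disabling anonymous access at the API server (the kube-apiserver `--anonymous-auth=false` flag) removes that path altogether. The look-alike test is deliberately fuzzy so that it also catches single-character variations of a trusted organisation name other than the one named in the article.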