Microsoft has warned of ongoing attacks on Kubernetes clusters running Kubeflow (an open source project that allows running super powerful machine learning computing on top of Kubernetes clusters).
Criminals use them to deploy malicious containers that mine Monero and Ethereum cryptocurrencies.
Researchers say the attacks appear to be a continuation of a campaign that was discovered last April. Although that campaign peaked in June and then dwindled, new attacks began in late May 2021 when researchers noticed a sudden increase in deployments of the open source machine learning library TensorFlow, adapted for mining.
In this case, deployments in different clusters occurred simultaneously.
Although the pods used by the hackers were taken from the official Docker Hub repository, they were modified to mine cryptocurrency. At the same time, all pods are named according to the sequential-pipeline-{random pattern} pattern, which now makes it quite easy to detect possible compromises.
According to the company, in order to gain access to clusters and deploy miners to them, attackers search the network for incorrectly configured and publicly available Kubeflow dashboards that should be open only for local access.
Attackers deploy at least two separate modules on each of the compromised clusters: one for CPU mining and the other for GPU mining. So, XMRig is used to mine Monero using a CPU, and Ethminer is used to mine Ethereum on a GPU.
Microsoft recommends that administrators always enable authentication on Kubeflow dashboards if they cannot be isolated from the internet and control their environments (containers, images, and the processes they run).
Let me remind you that I wrote that Microsoft developed a SimuLand lab environment for simulating cyberattacks.