Cryptomining syndicate hijacks Kubernetes clusters
Clusters running machine learning operations are being hijacked to mine Monero
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Microsofthas released a new report highlighting a new series of attacks targeting a toolkit called Kubeflow which is used for running machine learning operations on top ofKubernetesclusters.
The attacks first began in April of this year and have continued with the aim of installing acryptocurrency mineron Kubernetes clusters that are exposed to the internet and run Kubeflow.
In ablog post, security research software engineer at the Azure Security Center, Yossi Weizman provided more details on Kubeflow and why nodes used formachine learningtasks are such an attractive target for cybercriminals, saying:
“Kubeflow is an open-source project, started as a project for running TensorFlow jobs on Kubernetes. Kubeflow has grown and become a popular framework for running machine learning tasks in Kubernetes. Nodes that are used for ML tasks are often relatively powerful, and in some cases include GPUs. This fact makes Kubernetes clusters that are used for ML tasks a perfect target for crypto mining campaigns, which was the aim of this attack.”
Misconfigured Kubeflow instances
Microsoft has tracked these attacks since they first started showing up online back in April. However, after the first attack wave, the cryptomining syndicate behind them switched from targeting general-purpose Kubernetes clusters to focus specifically on those usingKubeflowto run machine learning operations.
Based on findings from its initial investigation, the software giant now believes that misconfigured Kubeflow instances are the most likely point of entry for the attackers. This is likely the result of Kubeflow admins changing the toolkit’s default settings which exposed its admin panel online. By default, the Kubeflow management panel is only accessible from inside the Kubernetes cluster and not over the internet.
According to Weizman, a cryptomining syndicate is now actively scanning for these dashboards online. When found, the group deploys a new server image to Kubeflow clusters that runs aMonerocryptocurrency mining application called XMRig.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Server admins can check to see if their Kubeflow instances have been hacked by entering this command:kubectl get pods –all-namespaces -o jsonpath=”{.items[].spec.containers[].image}” | grep -i ddsfdfsaadfs. To prevent falling victim to these attacks, server admins should make sure that Kubeflow’s daashboard is not exposed to the internet.
ViaZDNet
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
7 myths about email security everyone should stop believing
Best Usenet client of 2024
Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time
