Hackers are using a new method involving Role-Based Access Control (RBAC) to create persistent backdoor accounts on Kubernetes clusters and divert their resources for Monero crypto-mining.
RBAC is a Kubernetes API access control system that allows administrators to define which users or service accounts can access API resources and operations.
By abusing RBAC to enforce malicious access control policies, threat actors can persist on compromised clusters even if the misconfiguration that provided initial access is patched in the future.
This new type of attack was discovered by Water safetyThe “Nautilus” research team, which named the campaign “RBAC Buster”.
Analysts report that the attack campaign was actively used to compromise 60 misconfigured Kubernetes clusters.
Aqua Security was able to log and analyze the attack after threat actors breached one of its Kubernetes honeypots that were deliberately misconfigured to expose APIs and access keys.
Initial access to the target Kubernetes cluster is gained through unauthenticated requests from anonymous users with privileges. The API server must therefore be misconfigured.
Next, the attacker sends HTTP requests to list secrets and makes API requests to gather information about the cluster by listing entities in the “kube-system” namespace.
At this point, the attacker checks if the server has already been compromised by his campaign, deployed as a “kube-controller”, or if other competing cybercriminals have already compromised the cluster. If it finds other attackers’ deployments, it will delete them to take control of the device’s resources for its own malicious use.
The next step is when the attacker gains persistence on the cluster by creating a new “ClusterRole” with near admin-level privileges and a “kube-controller” ServiceAccount in the “kube-system” namespace.
Finally, the attacker creates a ClusterRoleBinding named “system:controller:kube-controller”, binding the ClusterRole to the ServiceAccount to persist in the cluster even in case “anonymous user access” is disabled.
A ClusterRoleBinding named ‘kube-controller’ was used to evade detection and blend into the logs, as that name is similar to a legitimate demon used by Kubernetes.
AquaSec’s honeypot deliberately exposed AWS access keys, and the security firm noticed that attackers were exploiting them to try to gather additional information from the cloud instance they could access.
The last step of the attack is to create a DaemonSet to deploy a Docker Hub-hosted container image (“kuberntesio/kube-controller”) to all nodes with a single API request and start mining the hard-to-use cryptocurrency. trace Monero to the compromised server.
Deployed by typosquatting
Aqua Security discovered that the malicious ‘kube-controller’ container was deployed from the Docker public registry as ‘kuberntesio/kube-controller:1.0.1’. This name mimics the legitimate “kubernetesio” account and the popular “kube-controller-manager” image.
The latter is a critical, continuously running component of the Kubernetes control plane responsible for detecting and responding to node failures, so it’s easy for administrators to overlook it.
AquaSec reports that the particular container image has been pulled over 14,000 times from Docker Hub in the five months since it was first uploaded to the repository, indicating that the campaign is widespread.
Retrieving the wallet address from the configuration file revealed that the attacker had already mined 5 XMR and has the potential to earn the equivalent of $200 per worker per year.
The repercussions of RBAC Buster attacks on Kubernetes clusters can be significant and include unauthorized access to data, exposure of secrets, misappropriation of resources, and potentially even reputational damage.
To mitigate the threat, secure the API server by disallowing unauthenticated requests from anonymous users and create and enforce strict API access policies using RBAC effectively.
Administrators are also advised to monitor audit logs and encrypt all secrets and account credentials hosted in the cluster.