Kubernetes is one of the most widely used open-source container platforms, designed to automate the deployment, management, and scaling of containerized applications. It has become the default way to run workloads in the cloud.

On May 28, 2021, Trend Micro's security researchers reported a campaign in which the cryptojacking group TeamTNT had compromised nearly 50,000 IP addresses across many Kubernetes clusters. Kubernetes has long been a tempting target for threat actors because it is frequently misconfigured, and clusters running in cloud environments can scale out to large amounts of compute on demand, which is exactly what a miner wants.

The usual mental model of cryptojacking is browser-based: an unsuspecting user lands on a compromised web page that carries a small piece of JavaScript, which uses the visitor's CPU to work on mining puzzles and sends the results to the attacker's server. The same idea applies to servers and containers, and that is the form seen in this campaign: mining software is installed on hijacked hosts and runs on their resources. Cryptojacking, then, is the unauthorized use of someone else's hardware to mine cryptocurrency, where mining is the process by which a network of machines spends computing power to validate transactions and append them to the blockchain in exchange for newly issued coins.

Trend Micro's researchers were able to obtain a file, 'kube.lateral.sh', from the threat actors' servers; at the time it had a very low detection rate on VirusTotal. The script first disables the bash history on the targeted host, so the attacker's commands are not recorded, and then sets up its environment. Its main job is to install the mining payload, the XMRig Monero miner binaries. Two scanning tools are also deployed: Masscan, a fast port scanner written in C, and the deprecated banner-grabbing tool ZGrab, written in Go. The script also contains a large base64-encoded block that installs an IRC bot named 'Kaiten'. In the last part of the script the researchers found a function, kube_pwn(), that uses Masscan to find hosts listening on port 10250, the port the kubelet API listens on. A kubelet that accepts unauthenticated requests lets the attacker list the pods on the node and run commands inside their containers, which is how the miner is pushed onto further clusters.

Whether your own cluster is exposed this way can be checked from an external IP address: if the kubelet port (10250) or the API server answers requests from the internet without credentials, the cluster is reachable the same way TeamTNT reached its victims. This is not the first cryptojacking campaign of its kind, the number of targets keeps growing, and researchers are tracking these attacks as closely as they can.
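To make the two steps above concrete (Masscan finds hosts answering on 10250, then the kubelet is asked, without credentials, what is running on it), here is a small audit script. It is an added example written for this page, not code from Trend Micro's report or from the kube.lateral.sh script, and it is meant to be pointed at your own address ranges so you find an open kubelet before an attacker does. The Masscan list-format lines, IP addresses and kubelet responses are constructed for the demonstration; the `/pods` endpoint and port 10250 are the real kubelet defaults, and the fetch function is injectable so the logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Kubelet exposure audit (illustrative example for this article, not the attackers' code).

Step 1: take the hosts masscan reported as open on TCP 10250 (kubelet API).
Step 2: ask each kubelet for its pod list with no credentials at all.
A 200 with a pod list means anonymous access is allowed, which is the condition
TeamTNT's kube_pwn() relied on. All sample data below is constructed.
"""
import json
import re
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

KUBELET_PORT = 10250

# masscan "-oL" list format: "open tcp <port> <ip> <unix-time>"; comment lines start with '#'.
_MASSCAN_LINE = re.compile(r"^open\s+tcp\s+(\d+)\s+(\S+)\s+\d+$")


def hosts_listening_on(masscan_list_output: str, port: int = KUBELET_PORT) -> List[str]:
    """Return IPs masscan reported open on `port`, in order of appearance, without duplicates."""
    found: List[str] = []
    for line in masscan_list_output.splitlines():
        m = _MASSCAN_LINE.match(line.strip())
        if m and int(m.group(1)) == port and m.group(2) not in found:
            found.append(m.group(2))
    return found


# A fetcher returns (http_status, body); status 0 means no HTTP answer at all.
Fetcher = Callable[[str], Tuple[int, str]]


def urllib_fetcher(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Real fetcher: unauthenticated GET, ignoring the kubelet's self-signed certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def classify_kubelet(ip: str, fetch: Fetcher = urllib_fetcher) -> Dict[str, object]:
    """Does an anonymous GET /pods on this kubelet hand back the pod list?"""
    status, body = fetch(f"https://{ip}:{KUBELET_PORT}/pods")
    result: Dict[str, object] = {"ip": ip, "status": status, "exposed": False, "containers": []}
    if status != 200:
        return result                      # 401/403: auth enforced; 0: unreachable
    try:
        pods = json.loads(body).get("items", [])
    except ValueError:
        return result                      # 200 but not a PodList: treat as not exposed
    containers = []
    for pod in pods:
        ns = pod.get("metadata", {}).get("namespace", "")
        name = pod.get("metadata", {}).get("name", "")
        for c in pod.get("spec", {}).get("containers", []):
            containers.append(f"{ns}/{name}/{c.get('name', '')}")
    result["exposed"] = True
    result["containers"] = containers
    return result


def audit(masscan_list_output: str, fetch: Fetcher = urllib_fetcher) -> List[Dict[str, object]]:
    """masscan hit list -> kubelets that answer anonymous /pods with a pod list."""
    hits = (classify_kubelet(ip, fetch) for ip in hosts_listening_on(masscan_list_output))
    return [r for r in hits if r["exposed"]]


# Constructed sample data: two hosts answer on 10250, only one of them without auth.
SAMPLE_MASSCAN = """#masscan
open tcp 10250 10.0.0.11 1622203000
open tcp 22 10.0.0.11 1622203000
open tcp 10250 10.0.0.12 1622203001
# end
"""
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "web-7c9d"},
     "spec": {"containers": [{"name": "nginx"}]}},
]})


def fake_fetcher(url: str) -> Tuple[int, str]:
    """Constructed responses standing in for the network: .11 is locked down, .12 is open."""
    if url.startswith("https://10.0.0.11:"):
        return 401, "Unauthorized"
    if url.startswith("https://10.0.0.12:"):
        return 200, SAMPLE_PODS
    return 0, ""


if __name__ == "__main__":
    for hit in audit(SAMPLE_MASSCAN, fake_fetcher):
        print(f"EXPOSED {hit['ip']}: anonymous /pods returned {len(hit['containers'])} container(s)")
        for c in hit["containers"]:
            print("   ", c)
```

To run it for real, feed it `masscan -p10250 <your-ranges> -oL hits.txt` output and pass `urllib_fetcher` instead of `fake_fetcher`. A kubelet that returns 200 here is running with `--anonymous-auth=true` and an authorization mode that allows the request; the same decision governs its exec and run endpoints, so the fix is `--anonymous-auth=false` together with `--authorization-mode=Webhook` (so the API server decides), plus a firewall rule that keeps 10250 off the internet in the first place.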

– Navya Swarup

Campus Ambassador, WCSF
