Microsoft warns of cryptomining attacks targeting Kubeflow on Kubernetes
Microsoft Corp. has issued a warning that hackers are targeting Kubeflow, a machine learning toolkit for Kubernetes, to install cryptomining code.
The attacks were first detected in April and involve hackers targeting Kubernetes nodes running Kubeflow. The nodes were not so much misconfigured but rather settings had been changed.
In a blog post Wednesday, Yossi Weizman, security research software engineer at the Azure Security Center explained that the campaign was first detected when the ASC team observed deployment of a suspect image from a public repository on many different clusters. That image included the XMRIG miner, a cryptocurrency miner that exploits CPU resources to mine for the Monero cryptocurrency.
Those behind the campaign are gaining access to Kubeflow via Istio ingress, a gateway located on the edge of the cluster network. The default setting usually prevents this sort of attack by blocking those on the internet from gaining access to the dashboard and being able to make unauthorized changes. In this case, and why this isn’t a misconfiguration as such, users have been disabling the default security setting.
“We believe that some users chose to do it for convenience: without this action, accessing the dashboard requires tunneling through the Kubernetes API server and isn’t direct,” Weizman explained. “By exposing the service to the Internet, users can access the dashboard directly. However, this operation enables insecure access to the Kubeflow dashboard, which allows anyone to perform operations in Kubeflow, including deploying new containers in the cluster.”
Weizman recommended that to make sure that a dashboard isn’t exposed to the internet, users should check the type of the Istio ingress service by the following command and make sure that it is not a load balancer with a public IP:
kubectl get service istio-ingressgateway -n istio-system
Wei Lien Dang, co-founder and chief strategy officer at Kubernetes security platform provider StackRox Inc., told SiliconANGLE today that cryptojacking is a still a popular attack.
“Organizations should be mindful of the registries that users/clusters are allowed to download from,” Lieng Dang explained. “They should use private trusted registries, whitelist allowed images and take other precautions to verify source assets.”
As Kubernetes clusters get larger and more powerful, he added, they’ll become even more attractive for this type of attack. “Organizations must take specific steps to ensure they’re protecting their container and Kubernetes assets across build, deploy and runtime,” he said.
Image: Kubeflow
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU