UPDATED 21:40 EDT / FEBRUARY 03 2021


Newly detected malware targets Kubernetes clusters for cryptocurrency mining

A new form of malware has been detected in the wild that targets Kubernetes clusters for cryptocurrency mining.

Detailed today by security researchers at Palo Alto Networks Inc.’s Unit 42, the malware, dubbed “Hildegard,” was first detected in January and is believed to have been designed by the TeamTNT threat group.

Hildegard targets Kubernetes clusters via a misconfigured kubelet, the primary node agent that runs on each Kubernetes node. Having gained access, the malware then attempts to spread over as many containers as possible before launching cryptojacking operations. Cryptojacking is the process in which infected servers or networks are exploited without permission to mine for cryptocurrency.
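One defensive check for the entry point the article describes, as an added example that is not from Unit 42 or the article: a small Python audit of a KubeletConfiguration file for the settings that let unauthenticated callers use the kubelet API, with a constructed weak config beside a hardened one. The field names are real KubeletConfiguration keys; the audit function and the sample configs are assumptions.

```python
"""Audit a KubeletConfiguration (JSON form) for the settings that turn the
kubelet into an anonymous entry point. Hypothetical helper, not Unit 42's tooling."""
import json

# Constructed sample: a weak kubelet config of the kind the article describes.
WEAK_KUBELET_CONFIG = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
})

# Constructed sample: the same config with the weak settings corrected.
HARDENED_KUBELET_CONFIG = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
})


def audit_kubelet_config(config_text: str) -> list:
    """Return a list of findings; an empty list means no weak setting was found.

    Missing fields are treated as unsafe, matching the kubelet's old
    command-line defaults (anonymous auth on, AlwaysAllow, read-only port
    10255), so each setting must be spelled out explicitly to pass."""
    cfg = json.loads(config_text)
    findings = []
    auth = cfg.get("authentication", {})
    # Anonymous requests reach the kubelet API as system:anonymous.
    if auth.get("anonymous", {}).get("enabled", True):
        findings.append("anonymous authentication enabled")
    # AlwaysAllow skips authorization entirely, so anonymous means full access.
    if cfg.get("authorization", {}).get("mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("authorization mode AlwaysAllow")
    # The read-only port serves pod and node details with no auth at all.
    ro_port = cfg.get("readOnlyPort", 10255)
    if ro_port != 0:
        findings.append(f"read-only port {ro_port} enabled")
    return findings


if __name__ == "__main__":
    print("weak:", audit_kubelet_config(WEAK_KUBELET_CONFIG))
    print("hardened:", audit_kubelet_config(HARDENED_KUBELET_CONFIG))
```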

The malware uses many of the same tools and domains seen in previous TeamTNT campaigns, but it is also said to carry new capabilities that make it harder to detect and that help it persist. For example, Hildegard has two different ways to connect to its command-and-control server: internet relay chat and a tmate reverse shell, the latter a terminal-sharing session. The malware also mimics a Linux process name to disguise its communications.

TeamTNT was last in the news in January with a campaign that targets Docker application programming interfaces and Amazon Web Services Inc. credentials through a botnet.

The researchers warn that the most significant impact of the malware is resource hijacking and denial of service. The cryptojacking operation can drain an entire system’s resources and disrupt every application in the cluster.

“In this complex attack, threat actors are leveraging a combination of Kubernetes misconfigurations and known vulnerabilities,” Tal Morgenstern, co-founder and chief product officer at remediation intelligence provider Vulcan Cyber Ltd., told SiliconANGLE. “DevOps and IT teams must closely coordinate with their counterparts in security to prioritize remediation, especially for external-facing assets and high-risk vulnerabilities.”

Morgenstern added that Kubernetes can be quickly secured, “but it takes work, focus and cross-team collaboration to get the fix done and prevent these kinds of attacks.”

Jack Mannino, chief executive officer at application security provider nVisium LLC, noted that “combined with weakness in access control and isolation, this is a good way to gain a foothold into a cluster and establish command and control. As more production workloads move to cloud-native, the complexity of securing clusters, software development pipelines and cloud architectures becomes incredibly difficult, as the attack surface significantly expands.”
