UPDATED 21:40 EST / FEBRUARY 03 2021

Newly detected malware targets Kubernetes clusters for cryptocurrency mining

A newly discovered form of malware has been observed in the wild, targeting Kubernetes clusters for cryptocurrency mining.

Detailed today by security researchers at Palo Alto Networks Inc.’s Unit 42, the malware, dubbed “Hildegard,” was first detected in January and is believed to have been designed by the TeamTNT threat group.

Hildegard targets Kubernetes clusters via a misconfigured kubelet, the primary node agent that runs on each Kubernetes node. Having gained access, the malware then attempts to spread over as many containers as possible before launching cryptojacking operations. Cryptojacking is the process in which infected servers or networks are exploited without permission to mine for cryptocurrency.
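Because the initial access described above depends on a kubelet misconfiguration, one defensive check is to audit the kubelet's own configuration for the settings that expose its API. The following is an added example written for this article, not code from Unit 42 or from the Kubernetes project; it assumes the configuration is available as a JSON-encoded KubeletConfiguration (the kubelet accepts JSON or YAML), and both configurations embedded below are constructed samples.

```python
import json

# Constructed sample: the weak shape that leaves the kubelet API open.
# Field names are from the KubeletConfiguration API (kubelet.config.k8s.io/v1beta1).
WEAK_KUBELET_CONFIG = """
{
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "kind": "KubeletConfiguration",
  "authentication": {"anonymous": {"enabled": true}},
  "authorization": {"mode": "AlwaysAllow"},
  "readOnlyPort": 10255
}
"""

# Constructed sample: the same file with the settings corrected.
HARDENED_KUBELET_CONFIG = """
{
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "kind": "KubeletConfiguration",
  "authentication": {"anonymous": {"enabled": false}, "webhook": {"enabled": true}},
  "authorization": {"mode": "Webhook"},
  "readOnlyPort": 0
}
"""


def audit_kubelet_config(raw: str) -> list[str]:
    """Return a list of findings; an empty list means no exposing setting was found.

    Keys that are absent are reported as well, so the audit does not have to
    assume what the running kubelet's default for that key is.
    """
    cfg = json.loads(raw)
    findings = []
    anonymous = cfg.get("authentication", {}).get("anonymous", {}).get("enabled")
    if anonymous is None:
        findings.append("authentication.anonymous.enabled is not set explicitly")
    elif anonymous:
        findings.append("anonymous auth enabled: unauthenticated callers reach the kubelet API")
    mode = cfg.get("authorization", {}).get("mode")
    if mode is None:
        findings.append("authorization.mode is not set explicitly")
    elif mode != "Webhook":
        findings.append(f"authorization mode {mode}: kubelet does not ask the API server before serving requests")
    port = cfg.get("readOnlyPort")
    if port is None:
        findings.append("readOnlyPort is not set explicitly")
    elif port != 0:
        findings.append(f"unauthenticated read-only port {port} is enabled")
    return findings
```

Run the audit against every node's kubelet configuration file as part of a regular cluster review; a non-empty result on any node is the misconfiguration the researchers describe.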

The malware uses many of the same tools and domains as previous TeamTNT campaigns, but is also said to harbor new capabilities that make it harder to detect and help it persist. For example, Hildegard has two different ways to connect to its command-and-control server: Internet Relay Chat and a tmate reverse shell, the latter a terminal-sharing session. The malware also mimics a Linux process name to disguise its communications.

TeamTNT was last in the news in January with a campaign that targeted Docker application programming interfaces and Amazon Web Services Inc. credentials through a botnet.

The researchers warn that the most significant impact of the malware is resource hijacking and denial of service. The cryptojacking operation can drain an entire system’s resources and disrupt every application in the cluster.

“In this complex attack, threat actors are leveraging a combination of Kubernetes misconfigurations and known vulnerabilities,” Tal Morgenstern, co-founder and chief product officer at remediation intelligence provider Vulcan Cyber Ltd., told SiliconANGLE. “DevOps and IT teams must closely coordinate with their counterparts in security to prioritize remediation especially for external-facing assets and high-risk vulnerabilities.”

Morgenstern added that Kubernetes can be quickly secured, “but it takes work, focus and cross-team collaboration to get the fix done and prevent these kinds of attacks.”

Jack Mannino, chief executive officer at application security provider nVisium LLC, noted that “combined with weakness in access control and isolation, this is a good way to gain a foothold into a cluster and establish command and control. As more production workloads move to cloud-native, the complexity of securing clusters, software development pipelines and cloud architectures becomes incredibly difficult, as the attack surface significantly expands.”

Photo: Unsplash
