A new report from security researchers at CrowdStrike Holdings Inc. details what’s believed to be the first-ever cryptojacking campaign targeting Kubernetes infrastructure and involving the Dero cryptocurrency.

If you’ve never heard of Dero before, you wouldn’t be alone. It was launched in December 2017 and supports wholly anonymous transactions. The anonymous part is the key to Dero’s appeal, which is why it’s often compared to the better-known Monero.

According to the CrowdStrike researchers, Dero offers improved privacy, anonymity and higher and faster monetary rewards than Monero. The mixture of anonymity and large rewards is described as a “perfect match for attackers.”

The novel Dero cryptojacking operation concentrates on locating clusters with anonymous access enabled on a Kubernetes application programming interface and listening on nonstandard ports accessible from the internet. The attacks have been observed constantly by CrowdStrike since the beginning of February 2023 from three servers based in the U.S.

Attackers carefully target Kubernetes clusters on nonstandard ports by scanning and identifying exposed vulnerable clusters with authentication set as “–anonymous-auth=true,” which allows anonymous access to the API. A user with sufficient privileges who runs ”Kubectl proxy” can unintentionally expose a secure Kubernetes API on the host where kubectl is running, which is a less obvious way to expose the secure cluster bypassing authentication.

The researchers note that Kubernetes out of the box doesn’t allow anonymous access to the control plane API. But there are several ways it can be accidentally exposed, creating a legacy of exposed systems on the internet.

Once the attackers gain access, they make no attempts to pivot either by moving laterally to attack further resources or scan the internet for discovery, a typical pattern in cryptojacking campaigns. Instead, they simply deploy their Dero cryptojacking script and move along.

Perhaps because there’s no honor among thieves, some of the Dero campaigns targeting Kubernetes were observed being targeted by an existing Monero cryptojacking operation. The modified Monero campaign kicks out the DaemonSets used for Dero cryptojacking in the cluster before taking it over.

“As Kubernetes has become the most popular container orchestrator in the world, attackers have opportunistically targeted Kubernetes and Docker misconfigurations, design weaknesses and zero-day vulnerabilities,” the researchers conclude. Those hosting Kubernetes or Docker clusters are warned that it is important to use protection against sophisticated breaches, including cryptojacking campaigns, with a cloud-native application protection platform. 

Image: Dero