RBAC (Role-Based Access Control), a Kubernetes API access control system, is being used by attackers to create persistent backdoor accounts in Kubernetes clusters and then seize resources for Monero mining. Experts from Aqua Security recently discovered the RBAC Buster campaign, which has already affected at least 60 misconfigured Kubernetes clusters.
The attack begins with initial access through a misconfigured API server. The attackers then check the compromised server for competing miners and use RBAC to gain a foothold: they create a new ClusterRole with administrator-level privileges, then a ServiceAccount named kube-controller in the kube-system namespace, and finally a ClusterRoleBinding that binds the ClusterRole to the ServiceAccount, giving them a persistent and inconspicuous backdoor.
In the final stage of the attack, the attackers create a DaemonSet that deploys a container image from Docker Hub (kuberntesio/kube-controller:1.0.1) to every node. The image, which has been downloaded 14,399 times since it was published five months ago, contains a cryptocurrency miner for Monero. Its name is a typosquatting attempt to impersonate the legitimate kubernetesio account, and it mimics the popular kube-controller-manager container, a critical component that runs in a pod on every node and is responsible for detecting and responding to failures.
The researchers extracted the attackers' wallet addresses from the miner's configuration file; according to that data, the attackers have already mined about 5 XMR, so a potential attacker can earn around $200 per worker per year.