26 July 2021

Malicious actors target Kubernetes clusters via Argo Workflows

Security researchers at Intezer have warned of a new series of attacks, where threat actors target Kubernetes (K8s) clusters via misconfigured Argo Workflows instances to deploy cryptomining software.

Argo Workflows is an open-source, container-native workflow engine designed to run on K8s clusters. The researchers said they discovered a number of unprotected instances, operated by companies in several industries including technology, finance and logistics. In some cases, attackers abused Argo Workflows instances with misconfigured permissions to run unauthorized code on the target’s environment.

Argo uses YAML files to define the type of work to be performed, with the workflows being executed either from a template or submitted directly using the Argo user interface. On instances with misconfigured permissions attackers could access an open Argo dashboard and submit their own workflow. In the observed attacks the threat actors deployed a popular cryptocurrency mining container, kannix/monero-miner, Intezer said.

The container uses XMRig to mine for Monero and is being abused by threat actors to run crypto-jacking operations. It can be easily abused by threat actors of any skill level, as all that is required is to change the wallet address to which the mined cryptocurrency is deposited.

“In Docker Hub there are still a number of options for Monero mining that attackers can use. With a simple search it shows that there are at least 45 other containers with millions of downloads,” Intezer said.

Users could check if an instance has been misconfigured by accessing the Argo Workflows dashboard from an unauthenticated incognito browser outside their corporate environment. Another option is to query the API of the instance and check the status code.

“Make an HTTP GET request to [your.instance:port]/api/v1/info. A returned HTTP status code of ‘401 Unauthorized’ while being an unauthenticated user will indicate a correctly configured instance, whereas a successful status code of ‘200 Success’ could indicate that an unauthorized user is able to access the instance,” the researchers explained.

“If you suspect that your Argo instance has been misconfigured and exposed to the internet with excessive permissions, check for any suspicious activity in the logs and in the workflow timeline. Make sure that there are no workflows that have been running for an excessive amount of time. This might be an indicator of a cryptominer running on your cluster.”
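The two checks the researchers describe, the anonymous request to /api/v1/info and the search for workflows that have been running for an unusually long time, can be scripted. The following is an added example written for this article; it is not Intezer's tooling or code from the Argo project. The instance address (ARGO_URL), the six-hour threshold and the sample workflow list are assumptions or constructed data, and the field names used for the workflow list (items, metadata.name, metadata.namespace, status.phase, status.startedAt) follow the Kubernetes-style objects Argo's workflow API returns.

```python
"""Added example (not from the article or the Argo project).

1. Send an unauthenticated GET to /api/v1/info and interpret the status code:
   401 means authentication is enforced, 200 means the API is open.
2. Flag workflows still in the Running phase for longer than a threshold,
   which the article names as a possible indicator of a cryptominer.
"""
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed address of the instance under review; replace with your own.
ARGO_URL = "https://argo.example.internal:2746"

# Threshold chosen for this example; tune it to your normal workflow durations.
LONG_RUNNING = timedelta(hours=6)


def classify_info_status(status_code: int) -> str:
    """Map the HTTP status of an anonymous /api/v1/info request to a verdict."""
    if status_code == 401:
        return "authentication enforced"
    if status_code == 200:
        return "OPEN: unauthenticated access to the API"
    return f"inconclusive (HTTP {status_code})"


def probe_info_endpoint(base_url: str, timeout: float = 5.0) -> int:
    """Send an anonymous GET to /api/v1/info and return the HTTP status code.

    Run it from outside the corporate network with no Argo cookie or token, so
    the answer reflects what an anonymous internet user would get. Connection
    failures (urllib.error.URLError) are deliberately left to propagate.
    """
    url = base_url.rstrip("/") + "/api/v1/info"
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def _parse_ts(value: str) -> datetime:
    # Argo timestamps are RFC 3339 in UTC, e.g. "2021-07-20T08:15:00Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def long_running_workflows(workflow_list: dict, now: datetime,
                           threshold: timedelta = LONG_RUNNING) -> list:
    """Return (name, namespace, running_for) for Running workflows older than threshold.

    Assumes the shape of Argo's GET /api/v1/workflows/{namespace} response:
    a list under "items" of objects with metadata.name, metadata.namespace,
    status.phase and status.startedAt.
    """
    flagged = []
    for wf in workflow_list.get("items", []):
        status = wf.get("status", {})
        if status.get("phase") != "Running" or "startedAt" not in status:
            continue
        running_for = now - _parse_ts(status["startedAt"])
        if running_for > threshold:
            meta = wf["metadata"]
            flagged.append((meta["name"], meta["namespace"], running_for))
    return flagged


# Constructed sample resembling the API response; not captured from a real cluster.
SAMPLE_WORKFLOWS = {"items": [
    {"metadata": {"name": "nightly-etl-abc12", "namespace": "data"},
     "status": {"phase": "Succeeded", "startedAt": "2021-07-20T01:00:00Z",
                "finishedAt": "2021-07-20T01:20:00Z"}},
    {"metadata": {"name": "report-build-x9k2q", "namespace": "data"},
     "status": {"phase": "Running", "startedAt": "2021-07-20T07:50:00Z"}},
    {"metadata": {"name": "unknown-job-7f2kd", "namespace": "default"},
     "status": {"phase": "Running", "startedAt": "2021-07-17T03:12:00Z"}},
]}
SAMPLE_NOW = datetime(2021, 7, 20, 8, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    print("/api/v1/info:", classify_info_status(probe_info_endpoint(ARGO_URL)))
    for name, ns, dur in long_running_workflows(SAMPLE_WORKFLOWS, SAMPLE_NOW):
        print(f"long-running workflow {ns}/{name}: running for {dur}")
```

In real use, replace SAMPLE_WORKFLOWS with the parsed JSON of an authenticated call to the workflow list endpoint and SAMPLE_NOW with the current UTC time; a workflow that has been in the Running phase for days in a namespace nobody recognises is exactly the kind of entry the article says to look at in the logs and workflow timeline.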
