Kubernetes RBAC abused to create backdoors and run crypto miners

Cybersecurity researchers at Aqua Security said they discovered the first-ever evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors.

The research team has spotted a large-scale cryptocurrency mining campaign they dubbed ‘RBAC Buster’ that targeted at least 60 Kubernetes clusters by deploying DaemonSets to hijack and steal resources from the victims' clusters.

Kubernetes Role-Based Access Control, or RBAC, is the mechanism for configuring specific sets of permissions that define how a given user, or group of users, may interact with any Kubernetes object, either cluster-wide or within a specific namespace of the cluster.

The novel technique was discovered while analyzing an attack on the team’s Kubernetes honeypots that used the RBAC system to gain persistence. The threat actor deployed containers using DaemonSets to run Monero cryptominers.

The attackers gained initial access via a misconfigured API server. They first sent a few HTTP requests to list secrets, then made two further API requests to gather information about the cluster by listing the entities in the ‘kube-system’ namespace.

“The attacker also attempted to delete some existing deployments in various namespaces, including 'kube-secure-fhgxtsjh', 'kube-secure-fhgxt', 'api-proxy', and 'worker-deployment'. We assume that the attacker was disabling legacy campaigns or competitors' campaigns to increase available CPU and reduce the chances of being discovered if the server was exhausted,” the researchers said.

The threat actor used RBAC to gain persistence by creating a new ClusterRole with near admin-level privileges. Next, the attacker created a ServiceAccount named 'kube-controller' in the 'kube-system' namespace, and then a ClusterRoleBinding that bound the ClusterRole to that ServiceAccount, creating a strong and inconspicuous form of persistence.

The threat actor then created a DaemonSet to deploy containers on all nodes with a single API request. The DaemonSet creation request referenced the container image kuberntesio/kube-controller:1.0.1, hosted on the public registry Docker Hub. The image had been pulled 14,399 times since it was uploaded five months earlier.
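The four writes described above (ClusterRole, ServiceAccount in kube-system, ClusterRoleBinding, DaemonSet) form a recognisable sequence in Kubernetes API audit logs. The following detection script is an added example, not code from Aqua Security's report; it runs over constructed audit events in the audit.k8s.io/v1 shape and assumes the caller appears as the hypothetical username 'system:anonymous', as it would through an API server that allows unauthenticated access.

```python
import json
from collections import defaultdict

# Constructed sample audit events (audit.k8s.io/v1 shape), not taken from the report.
# They model the chain in the article: ClusterRole -> ServiceAccount in kube-system
# -> ClusterRoleBinding -> DaemonSet, all issued by a single caller; last line is benign.
SAMPLE_AUDIT_LOG = """
{"verb":"list","user":{"username":"system:anonymous"},"objectRef":{"resource":"secrets"},"responseStatus":{"code":200}}
{"verb":"create","user":{"username":"system:anonymous"},"objectRef":{"resource":"clusterroles","name":"kube-controller"},"requestObject":{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},"responseStatus":{"code":201}}
{"verb":"create","user":{"username":"system:anonymous"},"objectRef":{"resource":"serviceaccounts","namespace":"kube-system","name":"kube-controller"},"responseStatus":{"code":201}}
{"verb":"create","user":{"username":"system:anonymous"},"objectRef":{"resource":"clusterrolebindings","name":"kube-controller"},"responseStatus":{"code":201}}
{"verb":"create","user":{"username":"system:anonymous"},"objectRef":{"resource":"daemonsets","namespace":"kube-system","name":"kube-controller"},"responseStatus":{"code":201}}
{"verb":"create","user":{"username":"system:serviceaccount:kube-system:deployment-controller"},"objectRef":{"resource":"replicasets","namespace":"default","name":"web-7d9f"},"responseStatus":{"code":201}}
"""

# The four successful creates that together make up the persistence chain.
CHAIN = ("clusterroles", "serviceaccounts", "clusterrolebindings", "daemonsets")

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_near_admin(rules):
    """Treat a ClusterRole as near-admin if any rule wildcards both resources and verbs."""
    return any("*" in r.get("resources", []) and "*" in r.get("verbs", []) for r in rules)

def flag_rbac_persistence(events):
    """Return {username: notes} for callers whose successful creates complete the chain."""
    writes = defaultdict(dict)  # username -> {resource: audit event}
    for ev in events:
        if ev.get("verb") != "create" or ev.get("responseStatus", {}).get("code") != 201:
            continue
        res = ev.get("objectRef", {}).get("resource")
        if res in CHAIN:
            writes[ev["user"]["username"]][res] = ev
    findings = {}
    for user, by_res in writes.items():
        if not all(r in by_res for r in CHAIN):
            continue
        notes = [f"{r} '{by_res[r]['objectRef'].get('name')}' created" for r in CHAIN]
        if is_near_admin(by_res["clusterroles"].get("requestObject", {}).get("rules", [])):
            notes.append("clusterrole grants wildcard verbs on wildcard resources")
        if by_res["serviceaccounts"]["objectRef"].get("namespace") == "kube-system":
            notes.append("serviceaccount placed in kube-system")
        findings[user] = notes
    return findings

if __name__ == "__main__":
    for user, notes in flag_rbac_persistence(parse_events(SAMPLE_AUDIT_LOG)).items():
        print(user)
        for n in notes:
            print("  -", n)
```

The rule details are only present when the audit policy records request bodies (level RequestResponse) for RBAC resources; at the Metadata level the script still flags the chain but cannot judge the role's breadth.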

Further analysis revealed that the container image carried a binary named kube-controller, which VirusTotal detected as a cryptominer.

The wallet address associated with this campaign indicated that the attackers had already mined 5 XMR, and at this rate of mining, they could gain another 5 per year ($200) from a single worker, Aqua Security notes.

