The cryptocurrency space is a relatively new and rapidly growing industry, which means it has to deal with its fair share of problems. One of them is cybercriminals illegally mining cryptocurrencies through the use of malware and other vulnerabilities in people’s systems. One of the most popular cryptocurrencies mined this way is Monero, which is known for the security and privacy it offers, making it difficult to track the criminals behind it. Now, it appears they have found another way of doing so: Argo Workflows, one of the most popular execution engines, exposes an attack vector.
Attackers are now abusing it to repurpose Kubernetes systems for mining cryptocurrencies. Argo Workflows machines that are connected to the internet have a vulnerability in their system of permissions, and attackers are exploiting it to deploy malicious workflows that install Monero-based containers. Argo Workflows is one of the most widely used execution engines for Kubernetes, and a group of attackers has unearthed this vulnerability. They are now using it to install crypto-mining modules on all machines that are connected to the internet.
Kubernetes is essentially the most widely used cloud computing system, and this vulnerability means that every instance could be used for mining Monero, as long as it is paired with Argo Workflows. The cybersecurity firm Intezer posted a report revealing that infected nodes have already been identified, along with nodes that are vulnerable to this kind of attack. Any user can access these unprotected nodes and add their own workflows to the system. This means that the resources of a vulnerable system could be used by just about anyone and directed to the task of their choice, which in this case is mining Monero.
Conveniently for attackers, there are a number of Monero-based crypto-mining containers that can easily be leveraged to start mining on these Kubernetes machines. While most of them are derived from kannix/monero-miner, there are more than 45 containers that can be used. Security experts therefore expect that this vulnerability will be used to conduct large-scale attacks. This is just one of the latest attack vectors used to compromise cloud computing platforms and leverage them for crypto mining.
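As a defensive illustration of the workflow abuse described above, the following added example (not code from Intezer or from the Argo project) audits an Argo Workflow manifest for the container images it would start. The only value taken from the article is `kannix/monero-miner`; the keyword hints, the trusted-registry allowlist and the sample manifest are assumptions constructed for the example.

```python
# Image name taken from the article; everything else below is an assumption.
KNOWN_MINER_IMAGES = {"kannix/monero-miner"}
MINER_HINTS = ("monero", "xmrig", "miner")            # assumed keyword hints
TRUSTED_REGISTRIES = ("registry.example.internal/",)  # hypothetical allowlist

def normalize(image):
    """Drop digest, tag and docker.io prefix so image references compare equal."""
    name = image.strip().lower().split("@", 1)[0]
    for prefix in ("index.docker.io/", "docker.io/"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    if ":" in name.rsplit("/", 1)[-1]:  # colon after the last slash is a tag
        name = name[: name.rfind(":")]
    return name

def workflow_images(manifest):
    """Yield (template name, image) for each container a Workflow can start."""
    for tpl in manifest.get("spec", {}).get("templates", []):
        specs = [tpl.get("container"), tpl.get("script")]
        specs += tpl.get("initContainers") or []
        specs += tpl.get("sidecars") or []
        specs += (tpl.get("containerSet") or {}).get("containers") or []
        for spec in specs:
            if spec and spec.get("image"):
                yield tpl.get("name", "?"), spec["image"]

def audit(manifest):
    """Return (template, image, reason) for each image that needs review."""
    findings = []
    for tpl, image in workflow_images(manifest):
        name = normalize(image)
        if name in KNOWN_MINER_IMAGES:
            findings.append((tpl, image, "known-miner-image"))
        elif any(hint in name for hint in MINER_HINTS):
            findings.append((tpl, image, "miner-keyword"))
        elif not name.startswith(TRUSTED_REGISTRIES):
            findings.append((tpl, image, "untrusted-registry"))
    return findings

# Constructed sample manifest (not taken from a real cluster).
SAMPLE = {"kind": "Workflow", "spec": {"entrypoint": "main", "templates": [
    {"name": "build", "container": {"image": "registry.example.internal/ci/builder:1.4"}},
    {"name": "main", "container": {"image": "docker.io/kannix/monero-miner:latest"}},
    {"name": "helper", "script": {"image": "python:3.11", "source": "print(1)"},
     "sidecars": [{"name": "s", "image": "example/xmr-miner-x@sha256:00"}]},
]}}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The same check can be fed the JSON of workflows already present in a cluster; templates pulled in through references to other resources are not resolved by this sketch.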
Last month, Microsoft disclosed that a similar attack had targeted Kubernetes clusters. The vulnerable nodes had been used for mining Monero as well as Ether. Attacks on this type of platform gained traction back in April 2020. Even then, it was Microsoft that reported an instance that had resulted in the infection of tens of thousands within just two hours. These attacks have also driven companies to change their policies in order to avoid abuse. Docker is one such example of a company that did so.