Microsoft finds XMRIG malware for mining Monero in Kubeflow machine learning servers


Microsoft discovers cryptomining gang hijacking Kubeflow tool for machine learning in Kubernetes clusters

It seems the Monero cryptojacking hackers are going places. Now they have found they can hijack Kubeflow, a toolkit for running machine learning (ML) operations on top of Kubernetes clusters. This unique attack method was discovered by the Microsoft security team.

A Microsoft report published today details how the security researchers found the Monero cryptojacking malware called XMRIG being embedded in Kubeflow, a toolkit for running machine learning (ML) operations on top of Kubernetes clusters.

We can see that this image runs an XMRIG miner:

Kubeflow is an open-source project for running TensorFlow jobs (machine learning) on Kubernetes. Kubeflow has grown and become a popular framework for running machine learning tasks in Kubernetes. Nodes that are used for ML tasks are often relatively powerful, and in some cases include GPUs. This makes Kubeflow fast, but it also makes it an attractive target for Monero cryptocurrency miners.

According to Microsoft researchers, the hackers have been trying to get into Kubeflow since April this year with the goal of embedding the Monero cryptomining malware called XMRIG. The XMRig GitHub page says that it is a high-performance, open-source, cross-platform RandomX, CryptoNight, AstroBWT and Argon2 CPU/GPU miner, with official support for Windows.

According to Yossi Weizman, a security researcher with Microsoft’s Azure Security Center, the company has detected these types of attacks against “tens of Kubernetes clusters” running Kubeflow.

Nodes that are used for ML tasks are often relatively powerful, and in some cases include GPUs. This fact makes Kubernetes clusters that are used for ML tasks a perfect target for crypto mining campaigns, which was the aim of this attack.

Yossi Weizman

The cryptojackers gained entry to the Kubeflow deployments through misconfigured Kubeflow instances. By default, the Kubeflow management panel is exposed only internally and is accessible from inside the Kubernetes cluster. Microsoft researchers said the hackers most likely gained entry because the Kubeflow admins had changed the default settings and exposed the toolkit’s admin panel to the outside world.

How to check if your Kubeflow cluster is impacted?

  1. Verify that the malicious container is not deployed in the cluster. The following command can help you to check it:

kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" | grep -i ddsfdfsaadfs

  2. In case Kubeflow is deployed in the cluster, make sure that its dashboard isn't exposed to the internet: check the type of the Istio ingress service with the following command and make sure that it is not a load balancer with a public IP:

kubectl get service istio-ingressgateway -n istio-system
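The two checks above wrapped into a small script, as an added example that is not part of the Microsoft report. The functions take captured kubectl output as arguments so the logic runs offline; the script file name and the `--live` flag are assumptions, and the image names in the comments are constructed.

```shell
#!/bin/sh
# Added example: the two Kubeflow checks as functions over captured kubectl
# output. INDICATOR is the image-name fragment from the report's grep.
INDICATOR="ddsfdfsaadfs"

# images_clean "IMAGES"
#   IMAGES: space-separated list as printed by
#     kubectl get pods --all-namespaces -o jsonpath='{.items[*].spec.containers[*].image}'
#   Returns 0 when no image matches the indicator; otherwise prints the
#   matching images one per line and returns 1.
images_clean() {
    matches=$(printf '%s' "$1" | tr ' ' '\n' | grep -i "$INDICATOR" || true)
    [ -z "$matches" ] && return 0
    printf '%s\n' "$matches"
    return 1
}

# is_private_ipv4 IP -> 0 for RFC 1918 addresses, 1 otherwise
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# ingress_exposed TYPE ADDRESS
#   TYPE:    kubectl get service istio-ingressgateway -n istio-system -o jsonpath='{.spec.type}'
#   ADDRESS: the load balancer's external IP or hostname (see the live section below)
#   Returns 0 when the service is a LoadBalancer with a public address
#   (a cloud-assigned hostname is treated as public), 1 otherwise.
ingress_exposed() {
    [ "$1" = "LoadBalancer" ] || return 1
    [ -n "$2" ] || return 1
    is_private_ipv4 "$2" && return 1
    return 0
}

# Live mode against the current kubectl context: sh check_kubeflow.sh --live
if [ "${1:-}" = "--live" ]; then
    images=$(kubectl get pods --all-namespaces -o jsonpath='{.items[*].spec.containers[*].image}')
    images_clean "$images" && echo "no suspicious images" || echo "SUSPICIOUS IMAGES FOUND (listed above)"
    type=$(kubectl get service istio-ingressgateway -n istio-system -o jsonpath='{.spec.type}')
    addr=$(kubectl get service istio-ingressgateway -n istio-system \
        -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}')
    ingress_exposed "$type" "$addr" && echo "istio-ingressgateway is publicly exposed ($type $addr)" \
        || echo "istio-ingressgateway is not publicly exposed ($type)"
fi
```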

The Monero cryptojacking hackers are getting bolder. Last month we saw an unknown group of Monero cryptojackers hack into dozens of supercomputers around Europe and in the United Kingdom by hijacking the login nodes and hosting their Monero cryptomining malware.
