Kubernetes: Malicious Actors Exploiting Misconfigured Argo Workflows
Cybersecurity researchers raise the alarm on dark web activity involving misconfigured Argo instances and Cryptojacking.
TL;DR
On July 20, 2021, Intezer publicly disclosed a string of attacks abusing exposed Argo Workflows web dashboards on Kubernetes clusters.

Key Facts
The apparent goal of these operations is Monero mining.
Intezer has identified affected nodes, and with hundreds of misconfigured installations exposed, larger-scale attacks are possible.
Kubernetes (K8s) clusters, the platform Argo Workflows was built to run on, are the prime targets.
The actors are deploying cryptominers into cloud environments through publicly accessible Argo Workflows instances.
Details
Shortly after Bitdefender published a report on a Romanian cryptojacking campaign that relied on brute-force attacks, Intezer's researchers uncovered a separate series of attacks by unauthenticated actors using different tactics toward similar goals.
Argo Workflows, a familiar name to cloud developers, data analysts, and GitOps practitioners, is well known for its efficiency and processing speed in machine learning and big data workloads. It is an open source engine for orchestrating container workflows and was designed to run on Kubernetes (K8s) clusters.
The string of attacks is believed to have kicked off in April 2020. Multiple malicious actors have exploited Argo Workflows instances belonging to organizations in notable sectors, including technology, logistics, and finance. In the report, lead researcher Nicole Fishbein noted that the most concerning aspect of the attacks was the hundreds of misconfigured deployments, along with the trail of cryptomining activity left by the Kannix and Monero-miner containers injected into nodes through this vector.
These attacks require no specialist knowledge or skills; they are easy to carry out. Researchers found Kannix, XMRig, and many other common cryptomining containers in public and private repositories. The threat actors only have to deploy such a container into Kubernetes through Argo or other equally convenient routes. Microsoft, in fact, recently identified a group of miners infesting Kubernetes via the Kubeflow platform for running machine-learning workflows. Docker, at one point, also had to impose limits on its free tier because attackers were abusing its auto-build function to run cryptocurrency miners on its free infrastructure.
Misconfigurations have been around for as long as computing itself. They are inevitable and will continue to plague cloud computing worldwide. A 2020 Cloud Native Computing Foundation (CNCF) survey, most of whose respondents were well familiar with Kubernetes, found that complexity, lack of training, and security were the top challenges of container deployment.
According to the researchers, other forms of attack remain likely. The same misconfigurations also expose credentials, source code, and other sensitive information to the open internet.
Moving forward, administrators would do well to try opening the Argo Workflows dashboard from an unauthenticated incognito browser session outside the corporate network to spot instances that are misconfigured. Admins can also review the logs and the workflow timeline for any questionable behavior. Any workflow that has been running for an abnormally long time, according to Intezer, could indicate cryptomining activity.
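The long-running-workflow check described above, as an added example that is not part of Intezer's report or the Argo project: it parses the Workflow CRD list as emitted by kubectl get wf -A -o json, flags workflows in the Running phase older than an assumed 24-hour threshold, and lists the container images they reference so an admin can review them. The sample JSON, image names, and the fixed clock are constructed for the example.

```python
"""Flag long-running Argo Workflows from `kubectl get wf -A -o json` output (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample mirroring the shape of `kubectl get wf -A -o json`; names and images are made up.
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"name": "etl-nightly", "namespace": "data"},
         "spec": {"templates": [{"container": {"image": "registry.example/etl:1.2"}}]},
         "status": {"phase": "Running", "startedAt": "2021-07-20T01:00:00Z"}},
        {"metadata": {"name": "job-x", "namespace": "argo"},
         "spec": {"templates": [{"container": {"image": "docker.io/unknownuser/task:latest"}}]},
         "status": {"phase": "Running", "startedAt": "2021-07-12T09:30:00Z"}},
        {"metadata": {"name": "build-42", "namespace": "ci"},
         "spec": {"templates": [{"container": {"image": "registry.example/build:7"}}]},
         "status": {"phase": "Succeeded", "startedAt": "2021-07-19T23:00:00Z"}},
    ]
})


def images_of(wf):
    """Collect the container images referenced by a workflow's templates (steps/DAG-only templates have none)."""
    return sorted({t["container"]["image"]
                   for t in wf.get("spec", {}).get("templates", [])
                   if "container" in t})


def long_running(wf_json, now, max_age=timedelta(hours=24)):
    """Return (namespace/name, age, images) for Running workflows started more than max_age ago."""
    hits = []
    for wf in json.loads(wf_json).get("items", []):
        status = wf.get("status", {})
        if status.get("phase") != "Running" or "startedAt" not in status:
            continue  # finished, pending, or not yet scheduled workflows are not of interest here
        started = datetime.fromisoformat(status["startedAt"].replace("Z", "+00:00"))
        age = now - started
        if age > max_age:
            meta = wf["metadata"]
            hits.append((f'{meta["namespace"]}/{meta["name"]}', age, images_of(wf)))
    return hits


def check_sample():
    """Run the check against the constructed sample with a fixed clock (assumed value)."""
    now = datetime(2021, 7, 20, 12, 0, tzinfo=timezone.utc)
    return long_running(SAMPLE, now)


if __name__ == "__main__":
    for name, age, images in check_sample():
        print(f"{name}: running for {age}, images={images}")
```

In a real cluster, pipe kubectl get wf -A -o json into long_running() with datetime.now(timezone.utc) and tune max_age to the longest job your pipelines legitimately run.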