Kubernetes: Malicious Actors Exploiting Misconfigured Argo Workflows

Cybersecurity researchers raise the alarm on dark web activity involving misconfigured Argo instances and Cryptojacking.


Intezer, on July 20, 2021, raised to public awareness a string of cyberassaults involving Argo's web dashboard on Kubernetes clusters.

Misconfigurations have been around for as long as computing itself.
Misconfigurations have been around for as long as computing itself.
Key Facts
  1. 1

    The perceived endgame of these strings of operations is Monero mining.

  2. 2

    Intezer has spotted affected nodes, and thanks to hundreds of misconfigured installations, there is the possibility of larger-scale attacks.

  3. 3

    Kubernetes (K8s) clusters, being the primary influence behind the development of Argo Workflows, are the prime targets.

  4. 4

    The actors are infusing crypto miners into the cloud through easily accessible Argo workflow nodes.


Shortly after its counterpart, Bitdefender published a report of a Romanian cryptojacking campaign using brute-force strategy, cybersecurity researchers, Intezer, have removed the veil of cyber assaults from unauthenticated attackers employing different tactics but similar goals.

Argo Workflows, a ubiquitous term to cloud developers, data analysts, and GitOps, is well known for its efficiency and processing speed for machine learning and big data processing. It is an open source engine used to simplify container workflows and was designed to run on Kubernetes (k8s) clusters.

The string of attacks is believed to have kicked off in April 2020. Many malicious actors joining the action have exploited instances of Argo Workflows belonging to organizations from notable sectors across technology, logistics, and finance. In the report, the front row researchers Nicole Fishbein detailed that the most concerning bit about the attacks were the hundreds of misconfigured deployments and the trail of crypto mining activities with the Kannix and Monero-miner injected into the nodes with this vector.

These attacks do not require professional knowledge or skills; they are easy to carry out. Researchers found Kannix, XMRig, and many other common crypto-mining malware in containers in public and private repositories. The threat actors only have to deploy a container into Kubernetes through Argo or other rather convenient alternatives. Microsoft, in fact, recently identified a group of miners infesting Kubernetes via the Kubeflow platform for running machine-learning workflows. Docker, at some point, also had to exert limits on its free tier because attackers were exploiting its auto-build function to inject its free servers with cryptocurrency miners.

Misconfigurations have been around for as long as computing itself. They are ineluctable and will continue to plague global cloud computing. A 2020 Cloud Native Computing Foundation (CNCF) survey with most respondents well familiar with Kubernetes stated that complexity, lack of training, and security were the top challenges that came with container deployment.

There remains the likelihood of other forms of attacks, according to researchers. The misconfigurations also spill credentials, code, and other forms of sensitive information out in the open.

Moving forward, users would do well to view the Argo Workflows dashboard from an unauthenticated identity concealer outside of corporate systems to spot instances that are misconfigured. Admins can also look through the logs and the workflow timeline for any questionable behavior. Any workflows that have been running for an abnormal amount of time, according to Intezer, could indicate crypto mining activities.

Get similar news in your inbox weekly, for free

Share this news:

Latest stories

How ManageEngine Applications Manager Can Help Overcome Challenges In Kubernetes Monitoring

We tested ManageEngine Applications Manager to monitor different Kubernetes clusters. This post shares our review …

AIOps with Site24x7: Maximizing Efficiency at an Affordable Cost

In this post we'll dive deep into integrating AIOps in your business suing Site24x7 to …

A Review of Zoho ManageEngine

Zoho Corp., formerly known as AdventNet Inc., has established itself as a major player in …

Should I learn Java in 2023? A Practical Guide

Java is one of the most widely used programming languages in the world. It has …

The fastest way to ramp up on DevOps

You probably have been thinking of moving to DevOps or learning DevOps as a beginner. …

Why You Need a Blockchain Node Provider

In this article, we briefly cover the concept of blockchain nodes provider and explain why …

Top 5 Virtual desktop Provides in 2022

Here are the top 5 virtual desktop providers who offer a range of benefits such …

Why Your Business Should Connect Directly To Your Cloud

Today, companies make the most use of cloud technology regardless of their size and sector. …

7 Must-Watch DevSecOps Videos

Security is a crucial part of application development and DevSecOps makes it easy and continuous.The …