Researchers detect new malware targeting Kubernetes clusters to mine Monero

Topline

On February 3, cybersecurity researchers disclosed the detection of new malware targeting Kubernetes clusters with the aim of planting a malicious miner for the Monero (XMR) cryptocurrency. The finding was announced by the cybersecurity firm Palo Alto Networks in a publication on its website.

Based on the tactics, techniques, and procedures (TTP) that the attackers used, we believe this is a new campaign from TeamTNT.
Key Facts
  1. Kubernetes is an open-source platform used for handling containerized applications.

  2. Security firm Palo Alto Networks revealed the detection of new malware, called Hildegard, aimed at using Kubernetes cluster resources to stealthily mine the cryptocurrency Monero (XMR).

  3. Researchers at Palo Alto Networks Unit 42 explained that a new, larger-scale attack is likely, leveraging Kubernetes' abundant computing resources for malicious cryptocurrency mining, as well as extracting sensitive data from thousands of container-hosted applications.

Details

Palo Alto Networks Unit 42 named this new malware Hildegard after the username of the account that the malware used. Researchers from the cybersecurity firm explained that this new malware campaign was detected last month and that its targets were Kubernetes clusters.

It should be noted that the Kubernetes project was released by Google in 2014 and consists of "a portable and extensible open-source platform for managing workloads and services". According to Palo Alto Networks researchers, the cyber attackers operating Hildegard exploited a vulnerability in a kubelet, the component of the Kubernetes architecture responsible for the running state of each node in the cluster.

“The attackers gained initial access through a misconfigured Kubernetes that allowed anonymous access. Once it was established in a Kubernetes cluster, the malware tried to spread across as many containers as possible and eventually launched cryptojacking operations. Based on the tactics, techniques, and procedures (TTP) that the attackers used, we believe this is a new campaign from TeamTNT.”
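The foothold described above, a kubelet that answers anonymous requests, is a configuration matter. What follows is an added example, not code from this article or from Unit 42: a small Python audit that reads a KubeletConfiguration document and reports the settings that let unauthenticated callers reach the kubelet API, run against a constructed weak configuration and its hardened counterpart. The file path in the comments and all sample values are assumptions.

```python
"""Audit a KubeletConfiguration document for settings that allow anonymous access.

This is an added example, not code from the article or from Unit 42. The two
documents below are constructed samples. The kubelet reads its configuration
from a file (commonly /var/lib/kubelet/config.yaml; path assumed here) and
accepts JSON as well as YAML, so the samples are JSON to avoid a YAML dependency.
"""
import json
from typing import List

# Constructed sample: a permissive configuration. Anonymous requests are
# authenticated, every authenticated request is authorized, and the
# unauthenticated read-only port is open.
WEAK_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": True},
        "webhook": {"enabled": False},
    },
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
})

# Constructed sample: the hardened counterpart. Only callers with a client
# certificate or a bearer token validated by the API server get in, each
# request is then authorized via SubjectAccessReview, and the read-only
# port is disabled.
HARDENED_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
})


def audit_kubelet_config(config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means no issue was found.

    Only explicitly set values are judged. A key that is absent is reported
    as unset so that an operator checks the effective default for their
    kubelet version and launch flags rather than trusting this script.
    """
    cfg = json.loads(config_text)
    if cfg.get("kind") != "KubeletConfiguration":
        raise ValueError("not a KubeletConfiguration document")

    findings: List[str] = []

    anonymous = cfg.get("authentication", {}).get("anonymous", {}).get("enabled")
    if anonymous is None:
        findings.append("authentication.anonymous.enabled is unset; verify the effective default")
    elif anonymous:
        findings.append("authentication.anonymous.enabled is true: unauthenticated callers reach the kubelet API")

    mode = cfg.get("authorization", {}).get("mode")
    if mode is None:
        findings.append("authorization.mode is unset; verify the effective default")
    elif mode == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow: every authenticated request, anonymous ones included, is permitted")

    read_only_port = cfg.get("readOnlyPort")
    if read_only_port:  # 0 or absent both mean the read-only port is disabled
        findings.append(f"readOnlyPort is {read_only_port}: pod and node details are served without authentication")

    return findings


def is_hardened(config_text: str) -> bool:
    """True when the configuration raises no findings."""
    return not audit_kubelet_config(config_text)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_KUBELET_CONFIG), ("hardened", HARDENED_KUBELET_CONFIG)):
        print(f"{name}: {'OK' if is_hardened(doc) else 'FINDINGS'}")
        for finding in audit_kubelet_config(doc):
            print("  -", finding)
```

The audit deliberately judges only values that are written in the file; an absent key is reported for a human to resolve, because the effective default depends on the kubelet version and on whether legacy command-line flags are also in use.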

Palo Alto Networks explained that the Hildegard attack campaign "is one of the most complicated attacks aimed at Kubernetes" and is also the TeamTNT malware with the most features detected so far.

In this sense, the cybersecurity specialists indicated that Hildegard's greatest impact is the hijacking of resources for cryptocurrency mining and denial of service (DoS). "The cryptojacking operation can quickly deplete the resources of the entire system and disrupt all applications in the cluster," the cybersecurity firm reported.

Notably, the researchers found that Hildegard's malicious mining operation consists of non-consensual mining of the Monero (XMR) cryptocurrency using the XMRig miner. Cryptojacking, or malicious cryptocurrency mining, is the covert and unauthorized use of third-party resources to mine cryptocurrencies; this type of threat can affect not only mobile devices and computers but also web browsers and even network servers.

At the time the researchers published their findings, the mining operation they detected was already running at a hash rate (processing rate) of about 25.05 KH, and an address associated with the process had already accumulated about 11 XMR, equivalent to roughly 1,500 USD.

Despite all the above, the cybersecurity experts at Unit 42 considered that this campaign with the Hildegard malware is just beginning, given the indications that it is still in development. The researchers came to that conclusion after noting that much of Hildegard's infrastructure has barely been online for a month, and that, like its codebase, it is apparently incomplete.

Last month, the Taiwanese company QNAP Systems warned about a malware campaign targeting its devices that uses new malware, called Dovecat, capable of installing Bitcoin (BTC) miners without the consent of the devices' owners. This threat targets, among others, the company's line of network-attached storage devices (QNAP NAS), and the alert was issued after QNAP received reports from users affected by the malicious software.
