Researchers detect new malware targeting Kubernetes clusters to mine Monero


On February 3, cybersecurity researchers disclosed a new malware family that targets Kubernetes clusters in order to plant a miner for the Monero cryptocurrency (XMR) on compromised nodes. The finding was announced by the cybersecurity firm Palo Alto Networks in a publication on its website.

Based on the tactics, techniques, and procedures (TTP) that the attackers used, we believe this is a new campaign from TeamTNT.
Key Facts

  1. Kubernetes is an open-source platform used for managing containerized applications.

  2. Security firm Palo Alto Networks revealed the detection of new malware, called Hildegard, aimed at using Kubernetes cluster resources to stealthily mine the cryptocurrency Monero (XMR).

  3. Researchers at Palo Alto Networks Unit 42 explained that a new, larger-scale attack is likely, leveraging Kubernetes' abundant computing resources for malicious cryptocurrency mining as well as extracting sensitive data from thousands of container-hosted applications.


Palo Alto Networks Unit 42 named the new malware Hildegard after the username of the tmate account that the malware used. The firm's researchers said the campaign was detected last month and that its targets were Kubernetes clusters.

It should be noted that the Kubernetes project was released in 2014 by Google and is described as "a portable and extensible open-source platform for managing workloads and services". According to the Palo Alto Networks researchers, the attackers operating Hildegard took advantage of a misconfiguration in the kubelet, the agent that is part of the Kubernetes architecture, runs on every node in the cluster, and is responsible for managing the execution state of that node's pods.

“The attackers gained initial access via a misconfigured kubelet that allowed anonymous access. Once it had a foothold in a Kubernetes cluster, the malware attempted to spread across as many containers as possible and eventually launched cryptojacking operations. Based on the tactics, techniques, and procedures (TTP) that the attackers used, we believe this is a new campaign from TeamTNT.”
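The initial-access condition in the quote above is something a cluster operator can test for directly. The script below is an added example written for this page, not Unit 42's code or code from the Hildegard sample: it sends an unauthenticated GET /pods to a kubelet and classifies the response. Because the example has to run offline, it also starts a local stub that imitates a misconfigured kubelet (anonymous access on, 200 with a pod list) and a hardened one (401 Unauthorized); the pod name in the stub and the localhost URLs are constructed. Against a real node the target would be https://NODE:10250, with TLS verification skipped because kubelets typically present self-signed certificates.

```python
"""Probe a kubelet for anonymous API access.

Added example for this page, not Unit 42 or Hildegard code. The kubelet API
listens on TCP 10250; with anonymous authentication enabled and an
AlwaysAllow authorizer, an unauthenticated GET /pods returns the node's pod
list (and POST /run/... executes commands inside containers). A hardened
kubelet answers 401 Unauthorized. The stub server below imitates both
behaviours so the probe can be exercised offline; its pod list is constructed.
"""
import json
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_kubelet(base_url, timeout=3.0):
    """Send an unauthenticated GET /pods and classify the kubelet's response."""
    url = base_url.rstrip("/") + "/pods"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    # Real kubelets use self-signed certs, so skip verification for https targets.
    ctx = ssl._create_unverified_context() if url.startswith("https://") else None
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx are still useful answers
        status, body = err.code, b""
    except (urllib.error.URLError, OSError) as err:
        return {"status": None, "anonymous_access": False,
                "reason": "unreachable: %s" % err}
    if status == 200:
        try:
            items = json.loads(body).get("items", [])
        except ValueError:
            items = []
        return {"status": 200, "anonymous_access": True,
                "reason": "unauthenticated /pods listed %d pod(s)" % len(items)}
    if status in (401, 403):
        return {"status": status, "anonymous_access": False,
                "reason": "kubelet requires authentication/authorization"}
    return {"status": status, "anonymous_access": False,
            "reason": "unexpected response"}


def start_stub_kubelet(anonymous):
    """Start a local HTTP stub on an ephemeral port.

    anonymous=True mimics the misconfiguration (anyone can list pods);
    anonymous=False mimics a kubelet with anonymous auth disabled.
    """
    pod_list = {"kind": "PodList",
                "items": [{"metadata": {"name": "web-0", "namespace": "default"}}]}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if anonymous and self.path == "/pods":
                payload = json.dumps(pod_list).encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/json")
                self.send_header("Content-Length", str(len(payload)))
                self.end_headers()
                self.wfile.write(payload)
            else:
                self.send_response(401)
                self.send_header("Content-Length", "0")
                self.end_headers()

        def log_message(self, *_):  # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def run_demo():
    """Probe one stub of each kind; returns {'misconfigured': ..., 'hardened': ...}."""
    results = {}
    for label, anonymous in (("misconfigured", True), ("hardened", False)):
        server, url = start_stub_kubelet(anonymous)
        try:
            results[label] = probe_kubelet(url)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

A kubelet that answers 200 to this probe is exposed in exactly the way the quote describes. The fix lives in the KubeletConfiguration: set authentication.anonymous.enabled to false, set authorization.mode to Webhook so the API server decides what each caller may do, and set readOnlyPort to 0 so the unauthenticated read-only port (10255) is not served either.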

Palo Alto Networks described the Hildegard campaign as "one of the most complicated attacks targeting Kubernetes" and as the most feature-rich TeamTNT malware detected so far.

The specialists identified resource hijacking for cryptocurrency mining and denial of service (DoS) as Hildegard's greatest impact. "The cryptojacking operation can quickly deplete the resources of the entire system and disrupt all applications in the cluster," the cybersecurity firm reported.

Notably, the researchers found that Hildegard's mining operation consists of mining Monero (XMR) without the owner's consent, using the XMRig miner. Cryptojacking, the covert and unauthorized use of third-party computing resources to mine cryptocurrency, can affect not only mobile devices and computers but also web browsers and even network servers.
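Because XMRig is an ordinary user-space process, a cryptojacked node usually gives itself away in the process table before anyone notices the bill. The script below is an added example written for this page, not Unit 42's code or anything recovered from Hildegard: it scores each process in a ps listing on generic XMRig-style indicators (a known miner binary name, a stratum pool URL, mining-specific command-line flags, and CPU saturation) so that a renamed binary is still caught by its pool URL or flags. The listing, the pool host and the WALLET placeholder are constructed for the example and are not Hildegard indicators of compromise.

```python
"""Flag miner-like processes in a process listing.

Added example for this page, not Unit 42 or Hildegard code. Each process is
scored on generic XMRig-style indicators; a process is reported when a strong
indicator (miner binary name or stratum pool URL) is present, or when miner
flags coincide with CPU saturation. The listing below is constructed in the
format of `ps -eo pid,pcpu,args`; pool host and wallet are placeholders.
"""
import re

# Assumed, generic indicators of XMRig-style miners (not Hildegard IOCs).
MINER_NAME_RE = re.compile(r"(?:^|/)(?:xmrig|minerd|cpuminer)(?:\s|$)", re.I)
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.I)
MINER_FLAG_RE = re.compile(
    r"(?:^|\s)(?:-o|--url|-u|--user|--donate-level|--coin=monero|"
    r"--algo=rx/0|-k|--keepalive)(?:\s|$)"
)

# Constructed sample: one plain miner, one renamed to look like a kernel
# thread, and one benign worker whose flags overlap but whose CPU is modest.
SAMPLE_PS = """\
  PID %CPU COMMAND
    1  0.1 /sbin/init
 2312  1.4 /usr/bin/containerd-shim-runc-v2 -namespace k8s.io -id abc
 4411 98.7 /tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 -u WALLET --donate-level 1 --coin=monero
 4623 95.2 /usr/sbin/kswapd0 -o stratum+ssl://pool.example.invalid:443 -k
 5100 40.0 /usr/bin/python3 /app/worker.py --user svc -k
"""


def parse_ps(text):
    """Turn `ps -eo pid,pcpu,args` output into dicts; the header line is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, cpu, cmd = parts
        procs.append({"pid": int(pid), "cpu": float(cpu), "cmd": cmd})
    return procs


def miner_indicators(proc, cpu_threshold=80.0):
    """Return the list of indicator names that fire for one process."""
    found = []
    if MINER_NAME_RE.search(proc["cmd"]):
        found.append("known_miner_name")
    if STRATUM_RE.search(proc["cmd"]):
        found.append("stratum_pool_url")
    if MINER_FLAG_RE.search(proc["cmd"]):
        found.append("miner_flags")
    if proc["cpu"] >= cpu_threshold:
        found.append("cpu_saturated")
    return found


def find_miners(ps_text, cpu_threshold=80.0):
    """Report processes that look like miners, with the indicators that fired."""
    hits = []
    for proc in parse_ps(ps_text):
        found = miner_indicators(proc, cpu_threshold)
        strong = "known_miner_name" in found or "stratum_pool_url" in found
        weak = "miner_flags" in found and "cpu_saturated" in found
        if strong or weak:
            hits.append({"pid": proc["pid"], "cpu": proc["cpu"], "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in find_miners(SAMPLE_PS):
        print(hit)
```

In a cluster this would run over node-level process listings or, better, over the process events a runtime security tool already collects. Pair it with CPU and egress alerts (pods opening connections to stratum ports), because a miner that hides its command line still saturates the CPU, which is precisely the resource-depletion and DoS effect the researchers describe.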

At the time the researchers published their findings, the mining operation was running at a hash rate of about 25.05 KH/s, and a wallet address associated with it had already accumulated about 11 XMR, worth roughly 1,500 USD at the time.

Even so, the Unit 42 experts consider the Hildegard campaign to be only beginning, since there are signs that it is still under development. They reached that conclusion after noting that much of Hildegard's infrastructure had been online for barely a month and that, like its codebase, it appeared incomplete.

Last month, the Taiwanese company QNAP Systems warned about a malware campaign targeting its devices that uses a new malware, called Dovecat, capable of installing Bitcoin (BTC) miners without the consent of the devices' owners. This threat targets, among other things, the company's line of network-attached storage devices (QNAP NAS), and the alert was issued after the company received reports from users affected by the malware.
