Cloud Security, Network Security

Unsecured Kubernetes clusters subjected to Dero cryptojacking

The Docker website is displayed on a computer.

Misconfigured Kubernetes clusters with anonymous authentication have been targeted by threat actors to facilitate the deployment of malicious Docker Hub-hosted images to eventually enable Dero cryptocurrency mining as part of an ongoing cryptojacking campaign, reports The Hacker News.

Injected into the malicious images was the DERO miner dubbed "pause" aimed at spoofing the legitimate "pause" container, with the miner executed across all cluster nodes via the "k8s-device-plugin" and "pytorch-container" DaemonSets, according to a report from Wiz Security.

Aside from the Docker images, attackers have also utilized a dropper shell script meant to deliver the GMiner payload while ending all other miner processes.

"[The threat actors] registered domains with innocent-looking names to avoid raising suspicion and to better blend in with legitimate web traffic, while masking communication with otherwise well-known mining pools. These combined tactics demonstrate the attacker's ongoing efforts to adapt their methods and stay one step ahead of defenders," said researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.