Cybersecurity experts at Microsoft have shared details about a new campaign that is attacking Kubeflow workloads to deploy malicious pods in Kubernetes clusters that are then used for mining cryptocurrency.
Kubeflow is a popular open source framework that’s used for running machine learning (ML) tasks in Kubernetes.
In a blog post, Yossi Weizman, Senior Security Research Engineer, Cloud Security Research, from Microsoft’s Israel Development Center, explains that they spotted the campaign late in May intrigued by a spike in deployments of TensorFlow pods in various Kubernetes clusters.
“The pods ran legitimate TensorFlow images, from the official Docker Hub account. Looking at the entrypoint of the pods, revealed that they aim to mine cryptocurrency,” writes Weizman.
Popular targets
In his analysis of the campaign, Weizman explains that the threat actors deployed the malicious clusters simultaneously, which tells him that the attackers had chalked up the list of potential targets in advance.
He further notes that the threat actors used Internet-exposed Kubeflow dashboards for their cryptomining tasks, which as Bleeping Computer explains should have restricted themselves to local access.
Inside the clusters, the threat actors deployed at least two separate pods, one running XMRig to mine for Monero using the CPU, and the other running Ethminer for mining Ethereum on the GPU.
Interestingly, this isn’t the first time malicious users have tried to exploit Kubeflow to repurpose the containers for mining cryptocurrency. Weizman’s team also unearthed a similar operation in June 2020. In last year’s campaign, the attackers abused exposed Kubeflow dashboards to deploy malicious containers via Jupyter notebooks.