Kubernetes - DefenseLead

Cyber security researchers have discovered a new attack campaign and warned that unauthenticated attackers are targeting Kubernetes clusters to deploy crypto miners.

Kubernetes is an open-source container orchestration platform for automating application deployment, scaling and management.

A Kubernetes cluster is a set of nodes that allows containers to run across multiple machines and environments. The platform was originally created by Google and is now maintained by the Cloud Native Computing Foundation.

Attackers used Argo Workflow in Kubernetes Environment: 

Attackers used a misconfigured Argo Workflows engine as an entry point into the Kubernetes environment and deployed malicious containers mining the Ethereum and Monero cryptocurrencies.

Argo Workflow Creation

Argo Workflows is an open-source workflow engine that defines and orchestrates a sequence of tasks, speeding up machine learning or data processing jobs on Kubernetes clusters.

A workflow in Argo is defined using a YAML file that specifies the work to be carried out. Because Argo serves a large number of users, it is an attractive target for attackers.

If permissions in the Argo Workflows engine are misconfigured, an attacker can submit a new workflow containing malicious code from the dashboard. This allows the attacker to run that code on the targeted Kubernetes cluster, including crypto-mining containers.

Discovery of Vulnerability in Kubernetes Clusters:

Microsoft first discovered and alerted on the ongoing series of attacks on Kubernetes clusters when its security researchers noticed an unexpected increase in TensorFlow machine learning pod deployments.

The bursts of deployments on different clusters happened at the same time, which indicates that the attackers had scanned those clusters in advance, selected a list of potential targets, and then attacked them simultaneously.

According to a recent report released by the cybersecurity firm Intezer, the attack is already being used in the wild and is still running on an exposed cluster. The researchers found a number of potentially vulnerable containers, particularly ones used by organizations in the technology, logistics and financial sectors.

Risk of Vulnerability in Argo Workflow nodes used by Kubernetes Clusters:

The Cloud Native Computing Foundation released a report in 2020 showing a sharp increase in the share of its respondents using Kubernetes compared with the previous year.

Microsoft and Intezer researchers warned that many Argo Workflows nodes are unprotected, which puts the systems and devices of Kubernetes users at risk of compromise and can expose sensitive information.

These unprotected Argo Workflows instances are operated by organizations in several sectors, including technology, logistics and finance. Such vulnerable instances give attackers an entry point to steal sensitive organizational information such as code, credentials and private container image names.

In several instances, permissions were also observed to be misconfigured in a way that permits any visiting user to deploy workflows.

Mitigations for the exposed Argo Workflow Instances: 

To check whether an instance is misconfigured, Intezer's security experts suggest trying to access the Argo Workflows dashboard from an unauthenticated incognito browser outside the corporate network.

Another way to check is to query the instance's API and verify the HTTP status code. A “401 Unauthorized” response indicates that the instance is correctly configured to reject unauthenticated users. A “200 Success” response indicates that the instance is misconfigured, since an unauthenticated user is able to access it.

Mitigation for misconfigured Argo workflow

Security experts also recommend adopting the principle of least privilege (PoLP) and consulting the application's documentation for hardening guidance.

If you suspect that an internet-facing Argo instance is misconfigured and vulnerable, keep an eye on its logs and inspect the timeline of each workflow. A workflow that has been running for an excessively long time could be a crypto miner controlling the cluster.
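As an added example (not code from the DefenseLead article or from the Argo project), the following Python script combines the two checks described above: an unauthenticated probe of the Argo server's workflow-list API that classifies the HTTP status code, and a scan of a workflow list for jobs that have stayed in the Running phase for too long. The host name, the `argo` namespace, the 24-hour threshold and the sample workflow list are assumptions; the `/api/v1/workflows/{namespace}` path and the `status.phase` / `status.startedAt` fields are the Argo server's own.

```python
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Argo server REST path used for the unauthenticated probe (real Argo API path).
WORKFLOWS_PATH = "/api/v1/workflows/{namespace}"


def http_status(url, timeout=10):
    """Return the HTTP status of a GET request sent with no credentials at all."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 arrive as exceptions in urllib


def classify_exposure(status):
    """Map the status code of an anonymous request onto a verdict."""
    if status in (401, 403):
        return "protected"       # server demanded authentication
    if status == 200:
        return "EXPOSED"         # anonymous caller can list workflows
    return "inconclusive"        # e.g. 404 (other path/version) or 5xx


def check_instance(base_url, namespace="argo", fetch=http_status):
    """Probe one Argo server; `fetch` is injectable so the logic can be tested offline."""
    url = base_url.rstrip("/") + WORKFLOWS_PATH.format(namespace=namespace)
    return classify_exposure(fetch(url))


def long_running_workflows(workflow_list, now, max_age=timedelta(hours=24)):
    """Return names of workflows still in phase Running for longer than max_age."""
    flagged = []
    for wf in workflow_list.get("items", []):
        status = wf.get("status", {})
        if status.get("phase") != "Running":
            continue
        started = datetime.fromisoformat(status["startedAt"].replace("Z", "+00:00"))
        if now - started > max_age:
            flagged.append(wf["metadata"]["name"])
    return flagged


# Constructed sample shaped like an Argo workflow-list response (not a real capture).
SAMPLE_LIST = {"items": [
    {"metadata": {"name": "etl-nightly"}, "status": {"phase": "Succeeded", "startedAt": "2021-07-20T01:00:00Z"}},
    {"metadata": {"name": "tf-train-7b2"}, "status": {"phase": "Running", "startedAt": "2021-07-01T08:30:00Z"}},
]}
SAMPLE_NOW = datetime(2021, 7, 21, tzinfo=timezone.utc)  # assumed "current" time for the sample

if __name__ == "__main__":
    print(check_instance("https://argo.example.internal"))  # placeholder host, assumed
    print(long_running_workflows(SAMPLE_LIST, SAMPLE_NOW))   # ['tf-train-7b2']
```

Run the probe only against instances you operate; a "protected" verdict on the API does not replace checking that the dashboard itself also prompts for a login.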

The product owner, the Cloud Native Computing Foundation, has also published a document on how to protect a cluster from authenticated users and on security mitigations. Read more here: Securing a Cluster
