Kubeflow Crypto Attacks: What They Are And How To Avoid Them

What Is a Kubeflow Crypto Attack?

Many people have asked us what is a Kubeflow crypto attack and its implications. In this article, we'll take an in-depth look at the whole picture.

Organizations are increasingly turning to Kubernetes as part of their digital transformations. An open-source platform, Kubernetes helps companies move past the traditional deployment era in which organizations deployed applications on physical servers and ran into resource allocation issues as a result.

---

Scam Detectors Most Trusted Websites in Online Security

1. Guard.io (100): Surf the web safely. Clean up your browser, remove maliscious extensions and check for privacy violations.
2. Incogni.com (100): Delete your personal data from the internet and protect against scams and identity theft.
3. ExpressVPN (100) Stay secure and anonymous online - Best VPN Out There

---

It does this by helping these agencies manage what are known as containers, software units containing all the code and its dependencies necessary to run an app.

Containers share the machine's system OS kernel, making this technology lightweight. But it's hard to manage these containers when organizations begin running tens if not hundreds of them within their environments. Using Kubernetes, administrators can simplify the process and distribute the container network traffic to ensure that an app remains available.

They can also use Kubernetes to set the desired state for their deployed containers and replace or kill containers that don't respond to their health checks.

There's just one problem: organizations aren't always configuring Kubernetes properly. In the fall 2020 edition of its “State of Container and Kubernetes Security” report, for instance, StackRox learned that 90% of respondents had experienced a security incident in their container and Kubernetes environments over the last 12 months.

Two-thirds of those individuals told StackRox that their organizations had suffered a misconfiguration incident, followed by those who needed to remediate a significant vulnerability, who detected a runtime incident and failed an audit at 22%, 17%, and 16%, respectively. Nearly half (44%) of respondents to the survey decided to delay moving an app into production due to these and other security concerns.

Scammers are well aware of organizations' struggles involving Kubernetes' secure configurations. That's why they're always on the lookout for misconfigurations that they can exploit for nefarious ends. This blog post will explore one such scam attack that leveraged a Kubernetes misconfiguration to deploy crypto-mining malware.

Inside the Cryptojacking Attack

In June 2020, Microsoft discovered that digital attackers had affected tens of Kubernetes clusters, or sets of node machines for running containerized apps, by targeting Kubeflow. Built on top of Kubernetes, Kubeflow enables administrators to add machine learning (ML) toolkits to workflows. They can then deploy the workflows to their cloud, on-premises, and other environments for experimentation and/or for use in production.

How the Attack Worked

According to Microsoft, the misconfiguration amounted to the fact that Kubeflow exposes its UI functionality through a dashboard within the cluster. This exposure is attributed explicitly to Istio, an ingress gateway that is accessible internally by default. However, Microsoft found that some users were placing themselves at risk by modifying Istio to Load-Balancer.

While doing so opens up a direct way for users to access the Kubeflow dashboard, this action exposes Istio and the Kubeflow dashboard to the web. Anyone can use that insecure access to Kubeflow to perform operations such as deploying malicious containers in the cluster.

Details into the Attack Chain

Microsoft revealed that it detected the attack in April when it came across a suspect image from a public repository. The tech giant's researchers took a look at the photo and found that it ran the XMRig cryptocurrency miner. They also found that the image had infiltrated numerous clusters, with most of them running Kubeflow.

With access to Kubeflow, an attacker can deploy a backdoor container in the cluster. They can do this by choosing to run an illegitimate container of their creation using a Jupyter notebook server. Alternatively, they can deploy a malicious container from a legitimate Jupyter notebook by running Python code.

Either way, this malicious container gave the attackers what they needed to achieve persistence within the cluster. They then attempted to move laterally and deploy the container using the mounted service account. Finally, they concluded their attack by dropping their cryptocurrency miner.

How to Check if a Cluster Is Affected

Organizations can follow Microsoft's advice to check if a cluster is affected by verifying that the malicious container isn't deployed in their cluster. The following command will do the trick:

kubectl get pods –all-namespaces -o jsonpath=”{.items[*].spec.containers[*].image}”  | grep -i ddsfdfsaadfs 

Administrators also need to ensure that the Kubeflow dashboard is not exposed to the Internet. They can verify that Istio is not a load balancer with a public IP. Presented below is a command that will do just that:

kubectl get service istio-ingress gateway -n istio-system

How to Safely Deploy Kubeflow

When it comes to safely deploy Kubeflow, Microsoft recommends that organizations disallow the deployment of untrusted images and scan their images for vulnerabilities. Organizations should not end their Kubernetes security efforts there, either. As StackRox explains in a blog post:

• “While performing image scans to check for known vulnerabilities in operating systems and language packages remains a cornerstone of image security, it is only part of a more extensive set of security initiatives you need to employ to protect your environments. Understanding the risks at each stage of a container's lifecycle will inform decisions around image infrastructure and handling to enhance and maintain your organization's security posture.”

For more Kubernetes security tips, check out Kubernetes' documentation here.

 

Kubeflow Crypto Attack: How To Report a Criminal

Let your family and online friends know about the Kubeflow crypto attack by sharing this article on social media. You can officially report criminal activity to the Federal Trade Commission (FTC) using this link:

Report To The FTC Here