Exposed Kubernetes API servers and risky misconfigurations enable attackers to access secrets and take control over clusters, with campaigns actively mining cryptocurrency and backdoors deployed across exposed environments. The piece analyzes how anonymous access, exposed kubectl proxy, and broad SDLC secrets exposure create large-scale risk and offers mitigations like RBAC, admission controls, and regular auditing. #Lchaia #xmrig #ssww #Dero #TeamTNT #Harbor #Elasticsearch #Kubernetes
Keypoints
- Over 350 Kubernetes clusters belonging to various organizations were found exposed and largely unprotected.
- Approximately 60% of these exposed clusters were breached with active campaigns deploying malware, cryptominers, or backdoors.
- The two main misconfigurations are anonymous access with privileges and running kubectl proxy in a way that opens the cluster to the internet.
- Attackers locate exposed clusters using search engines (Shodan, Censys, Zoomeye) and network scanners (masscan, Zgrab) across large IP ranges.
- Exposed clusters store secrets tied to SDLC components (GitHub, Jenkins, registries, cloud credentials), enabling further compromise and potential supply-chain risk.
- Active cryptominer campaigns (Lchaia/xmrig, ssww, Dero) have been observed, often using daemonsets to infect many nodes and hide via TOR or other means.
- Mitigations emphasize RBAC, admission controls, targeted auditing, and restricting kubectl proxy exposure; the Aqua platform and automated testing tools can help enforce secure configurations.
MITRE Techniques
- [T1046] Network Service Discovery β Querying the Kubernetes API to enumerate pods, nodes, configmaps, and secrets. Quote: ββ¦the following commands can yield insightful information: /api/v1/pods, /api/v1/nodes, /api/v1/configmaps, /api/v1/secrets.β
- [T1552.001] Credentials in Files β Secrets stored in the Kubernetes API and etcd can be accessed when the API server is exposed. Quote: βThe API server is used to access the Kubernetes secrets, thus open access enables an attacker to take full control over the cluster.β
- [T1190] Exploit Public-Facing Application β Misconfigured exposure (anonymous access and kubectl proxy exposed to the internet) enables adversaries to reach the API server. Quote: βthe proxy on your workstation will now listen and forward authorized and authenticated requests to the API server from any host that has HTTP access to the workstation.β
- [T1496] Resource Hijacking β Cryptomining campaigns leverage Kubernetes to deploy miners across nodes (e.g., Lchaia/xmrig) and mine cryptocurrency. Quote: βCurrently, there are 3 main running campaigns aimed at mine cryptocurrency.β
- [T1552.004] Credentials in Cloud Service Accounts β Attackers collect cloud provider tokens (AWS, Azure, GCP) from exposed clusters to access cloud resources. Quote: βTeamTNT is searching for and collecting cloud service providers tokens (AWS, Azure, GCP etc).β
Indicators of Compromise
- [IP] 169.254.169.254 β internal cloud metadata service often queried to gain credentials. 169.254.169.254, 44.196.193.227
- [IP] 44.196.193.227 β Monero mining pool address used by a cryptominer campaign.
- [Domain] moneroocean.stream β mining pool domain referenced by the xmrig campaign.
- [URL] http://169.254.169.254/latest/meta-data/iam/security-credentials/* β metadata service endpoint used to fetch IAM credentials.
- [Container Image] lchaia/xmrig:latest, pauseyyf/pause:latest, and 2 more images β cryptominer and related campaign containers observed in Kubernetes environments.
Read more: https://blog.aquasec.com/kubernetes-exposed-one-yaml-away-from-disaster