Cybersecurity researchers revealed a new cryptocurrency mining campaign targeting Kubeflow deployments on Tuesday, and they believe it was a very well-calculated move by the hackers.
The attackers deployed TensorFlow pods on Kubernetes clusters that ran authentic TensorFlow images pulled from the official Docker Hub account. The pods, however, were configured to run rogue commands that mine cryptocurrency. As of May 31, Microsoft reported a rise in these deployments.
Kubeflow is an open-source platform that enables machine learning workflows to run on Kubernetes, the system that orchestrates container workloads for management and scaling across many machines.
Deployments in Kubeflow are created through its centralized dashboard, which exposes the platform's UI functionality. According to Microsoft, the attackers used this centralized dashboard to create a pipeline that runs TensorFlow images performing cryptocurrency mining.
Weizman, a Senior Security Research Engineer at Microsoft, said:
“The burst of deployments on the various clusters was simultaneous. This indicates that the attackers scanned those clusters in advance and maintained a list of potential targets, which were later attacked at the same time.”
Microsoft Azure Security Center detected a similar attack last April, in which backdoor containers used for crypto-mining were deployed through Internet-exposed Kubeflow dashboards. According to Weizman, the two campaigns do not appear to be the work of the same threat actor.
Two TensorFlow images were used in the attacks, tagged “latest” and “latest-gpu”, to run the malicious code. Using legitimate TensorFlow images is a clever choice: in an environment where TensorFlow containers are expected for machine learning workloads, the malicious pods blend in and are harder to detect.
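The two signals the article describes, official TensorFlow images run with a replaced entrypoint and a simultaneous burst of such pods across clusters, can be turned into a simple detection over pod-creation records. The script below is an added example and is not code from Microsoft or the Kubeflow project; the audit events are constructed, their field layout is a simplification of Kubernetes audit records, and the overridden command is a placeholder.

```python
"""Detect official TensorFlow images whose container entrypoint has been
overridden, created in a near-simultaneous burst across clusters.
Added example; the events are constructed and their layout is a simplified
stand-in for Kubernetes audit records (an assumption of this example)."""
from datetime import datetime, timezone

# Image references the article names as abused: official images tagged latest / latest-gpu.
WATCHED_IMAGES = {"tensorflow/tensorflow:latest", "tensorflow/tensorflow:latest-gpu"}

# Constructed sample events: one simplified record per pod creation.
SAMPLE_EVENTS = [
    {"cluster": "prod-a", "time": "2021-05-31T10:00:01Z", "pod": "tf-train-1",
     "image": "tensorflow/tensorflow:latest", "command": None},
    {"cluster": "prod-a", "time": "2021-05-31T10:00:03Z", "pod": "tf-job-7",
     "image": "tensorflow/tensorflow:latest-gpu",
     "command": ["/bin/sh", "-c", "<placeholder overridden entrypoint>"]},
    {"cluster": "dev-b", "time": "2021-05-31T10:00:04Z", "pod": "tf-job-7",
     "image": "tensorflow/tensorflow:latest",
     "command": ["/bin/sh", "-c", "<placeholder overridden entrypoint>"]},
    {"cluster": "lab-c", "time": "2021-05-31T10:00:05Z", "pod": "tf-job-7",
     "image": "tensorflow/tensorflow:latest-gpu",
     "command": ["/bin/sh", "-c", "<placeholder overridden entrypoint>"]},
    {"cluster": "dev-b", "time": "2021-05-31T14:30:00Z", "pod": "notebook-2",
     "image": "tensorflow/tensorflow:2.5.0", "command": None},
]


def parse_time(ts):
    """Parse the RFC 3339 'Z' timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_tensorflow_pods(events):
    """Pods that run a watched TensorFlow image with its entrypoint replaced.

    A normal training job keeps the image's own entrypoint; an explicit shell
    command on an official image is the abuse pattern the article describes.
    """
    return [e for e in events if e["image"] in WATCHED_IMAGES and e["command"]]


def deployment_bursts(events, window_seconds=60, min_clusters=2):
    """Windows in which suspicious pods appeared on several clusters at once.

    Returns one dict per burst with the window start, the clusters hit and the
    pod names used; a shared pod name across clusters points to one prepared
    target list, as the quoted researcher suggests.
    """
    flagged = sorted(suspicious_tensorflow_pods(events), key=lambda e: parse_time(e["time"]))
    bursts = []
    i = 0
    while i < len(flagged):
        start = parse_time(flagged[i]["time"])
        # Events are sorted, so those inside the window form a contiguous run.
        group = [e for e in flagged[i:]
                 if (parse_time(e["time"]) - start).total_seconds() <= window_seconds]
        clusters = {e["cluster"] for e in group}
        if len(clusters) >= min_clusters:
            bursts.append({"start": flagged[i]["time"],
                           "clusters": sorted(clusters),
                           "pods": sorted({e["pod"] for e in group})})
        i += len(group)
    return bursts


if __name__ == "__main__":
    for e in suspicious_tensorflow_pods(SAMPLE_EVENTS):
        print("suspicious:", e["cluster"], e["pod"], e["image"])
    for b in deployment_bursts(SAMPLE_EVENTS):
        print("burst at", b["start"], "on clusters", b["clusters"], "pods", b["pods"])
```

On the constructed data the first event (a legitimate job that keeps the image entrypoint) and the pinned `2.5.0` notebook are left alone, while the three pods created within seconds of each other on three clusters are reported as one burst. In practice the records would come from API-server audit logs or an admission webhook, and the entrypoint check should be combined with the image digest rather than the mutable `latest` tag.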
Hackers use images to orchestrate the attack
The attackers can also use the images to perform GPU operations using CUDA, squeezing as much benefit as possible out of the host. Palo Alto Networks’ Unit 42 threat intelligence team recently released details about malware called Siloscape that targets Kubernetes clusters through Windows containers. Kubeflow users should make sure their centralized dashboard is not exposed to the Internet and, where it must be reachable, that it is protected behind authentication.
The Kubernetes threat matrix published by Microsoft gives organizations a better understanding of the attack surface of containerized environments and helps them identify the weak points in their current security posture.
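A quick way to act on the dashboard advice is to audit the manifests that publish it: a Service of type LoadBalancer or NodePort hands out an external address, and an Ingress with no authentication gate lets anyone who reaches it use the dashboard. The checker below is an added example, not Kubeflow's own tooling; the manifests are constructed, and the service name `centraldashboard` and the ingress-nginx auth annotations are assumptions about a common deployment rather than details from the article.

```python
"""Check Kubernetes manifests for a Kubeflow dashboard that is reachable from
outside the cluster without an authentication gate. Added example; manifests
are constructed, and the 'centraldashboard' name plus the ingress-nginx auth
annotations are assumptions, not details taken from the article."""

# Service types that hand out an externally reachable address.
EXTERNAL_SERVICE_TYPES = {"LoadBalancer", "NodePort"}
# Ingress annotations that send each request to an auth endpoint first
# (assumption: ingress-nginx style annotations).
AUTH_ANNOTATIONS = {"nginx.ingress.kubernetes.io/auth-url",
                    "nginx.ingress.kubernetes.io/auth-signin"}


def exposure_findings(manifests):
    """Return one finding per manifest that exposes the dashboard without auth."""
    findings = []
    for m in manifests:
        name = m["metadata"]["name"]
        if m["kind"] == "Service":
            svc_type = m["spec"].get("type", "ClusterIP")
            if svc_type in EXTERNAL_SERVICE_TYPES:
                findings.append(f"Service {name}: type {svc_type} publishes the dashboard directly")
        elif m["kind"] == "Ingress":
            annotations = m["metadata"].get("annotations", {})
            if not set(annotations) & AUTH_ANNOTATIONS:
                findings.append(f"Ingress {name}: no authentication annotation, dashboard reachable unauthenticated")
    return findings


# Constructed weak setup: a public load balancer and an Ingress with no auth gate.
WEAK_MANIFESTS = [
    {"kind": "Service", "metadata": {"name": "centraldashboard", "namespace": "kubeflow"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]}},
    {"kind": "Ingress", "metadata": {"name": "centraldashboard", "namespace": "kubeflow"},
     "spec": {"rules": [{"host": "kubeflow.example.internal"}]}},
]

# Constructed hardened setup: ClusterIP only, and the Ingress forwards every
# request to an auth endpoint before it reaches the dashboard.
HARDENED_MANIFESTS = [
    {"kind": "Service", "metadata": {"name": "centraldashboard", "namespace": "kubeflow"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
    {"kind": "Ingress",
     "metadata": {"name": "centraldashboard", "namespace": "kubeflow",
                  "annotations": {
                      "nginx.ingress.kubernetes.io/auth-url": "https://auth.example.internal/check",
                      "nginx.ingress.kubernetes.io/auth-signin": "https://auth.example.internal/login"}},
     "spec": {"rules": [{"host": "kubeflow.example.internal"}]}},
]


if __name__ == "__main__":
    for label, manifests in (("weak", WEAK_MANIFESTS), ("hardened", HARDENED_MANIFESTS)):
        print(label, exposure_findings(manifests) or ["no findings"])
```

The weak set produces two findings and the hardened set none. Deployments that front the dashboard with Istio instead of ingress-nginx would need the equivalent check on the gateway and authorization policy objects, but the principle is the same: no external address, and an authenticating proxy in front of every request.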
In April, this company announced an ATT&CK for Containers threat matrix, which draws on the Kubernetes threat matrix to identify “risks associated with containers, including misconfigurations that often serve as entry points for attacks, and specific implementations in the wild.”