加密货币勒索活动瞄准配置错误的 Kubernetes 集群

Cybersecurity researchers have warned of an ongoing cryptojacking campaign targeting misconfigured Kubernetes clusters to mine Dero cryptocurrency.

网络安全研究人员已经警告称，针对配置错误的Kubernetes集群进行加密货币挖矿活动的攻击持续进行。

Cloud security firm Wiz, which shed light on the activity, said it's an updated variant of a financially motivated operation that was first documented by CrowdStrike in March 2023.

云安全公司Wiz揭示了这一活动，称这是一个更新的金融动机操作的变种，CrowdStrike于2023年3月首次记录了这一活动。

"In this incident, the threat actor abused anonymous access to an Internet-facing cluster to launch malicious container images hosted at Docker Hub, some of which have more than 10,000 pulls," Wiz researchers Avigayil Mechtinger, Shay Berkovich, and Gili Tikochinski said. "These docker images contain a UPX-packed DERO miner named 'pause.'"

Wiz的研究人员Avigayil Mechtinger、Shay Berkovich和Gili Tikochinski表示：“在这次事件中，威胁行为者利用对面向互联网的集群的匿名访问，启动托管在Docker Hub上的恶意容器映像，其中一些已经被下载超过1万次。这些docker映像包含一个名为'pause'的UPX打包DERO矿工。”

Initial access is accomplished by targeting externally accessible Kubernetes API servers with anonymous authentication enabled to deliver the miner payloads.

通过针对启用了匿名认证的外部可访问的Kubernetes API服务器实现初始访问，以传送矿工负载。

Unlike the 2023 version that deployed a Kubernetes DaemonSet named "proxy-api," the latest flavor makes use of seemingly benign DaemonSets called "k8s-device-plugin" and "pytorch-container" to ultimately run the miner on all nodes of the cluster.

与2023年部署名为“proxy-api”的Kubernetes DaemonSet的版本不同，最新版本使用看似无害的DaemonSets，称为“k8s-device-plugin”和“pytorch-container”，最终在集群的所有节点上运行矿工。

In addition, the idea behind naming the container "pause" is an attempt to pass off as the actual "pause" container that's used to bootstrap a pod and enforce network isolation.

此外，将容器命名为“pause”的想法是为了试图伪装成用于引导pod并执行网络隔离的实际“pause”容器。

The cryptocurrency miner is an open-source binary written in Go that has been modified to hard-code the wallet address and custom Dero mining pool URLs. It's also obfuscated using the open-source UPX packer to resist analysis.

这款加密货币矿工是用Go语言编写的开源二进制文件，已经修改以将钱包地址和自定义DERO挖矿池URL硬编码。同时，它还使用开源UPX打包工具进行混淆，以抵抗分析。

The main idea is that by embedding the mining configuration within the code, it makes it possible to run the miner without any command-line arguments that are typically monitored by security mechanisms.

主要思想是通过在代码中嵌入挖矿配置，可以在没有被安全机制监视的命令行参数的情况下运行矿工。

Wiz said it identified additional tools developed by the threat actor, including a Windows sample of a UPX-packed Dero miner as well as a dropper shell script that's designed to terminate competing miner processes on an infected host and drop GMiner from GitHub.

Wiz表示，他们发现了威胁行为者开发的其他工具，包括一个UPX打包的Dero矿工的Windows样本以及一个旨在终止被感染主机上的竞争性矿工进程并从GitHub下载GMiner的dropper shell脚本。

"[The attacker] registered domains with innocent-looking names to avoid raising suspicion and to better blend in with legitimate web traffic, while masking communication with otherwise well-known mining pools," the researchers said.

研究人员表示：“攻击者注册了看起来无辜的域名，以避免引起怀疑，并更好地融入合法的网络流量，同时通过与众所周知的挖矿池掩盖通信。”

"These combined tactics demonstrate the attacker's ongoing efforts to adapt their methods and stay one step ahead of defenders."

“这些结合的策略表明攻击者正在努力调整他们的方法，并保持领先于防御者。”

参考资料

[1]https://thehackernews.com/2024/06/cryptojacking-campaign-targets.html

关注我们

        欢迎来到我们的公众号！我们专注于全球网络安全和精选双语资讯，为您带来最新的资讯和深入的分析。在这里，您可以了解世界各地的网络安全事件，同时通过我们的双语新闻，获取更多的行业知识。感谢您选择关注我们，我们将继续努力，为您带来有价值的内容。

原文始发于微信公众号（知机安全）：加密货币勒索活动瞄准配置错误的 Kubernetes 集群