Kubernetes Cryptojacking
In this video I take a look at a cryptojacking attack against a Kubernetes honeypot. The attackers were surprisingly quick to discover this unsecured Kubernetes deployment and use it to mine Monero for them.
The analyzed capture files can be downloaded from
https://share.netresec.com/s/S5ZG2cDKB9AbqwS?path=%2Fk3s-443
This PCAP dataset was created by Noah Spahn, Nils Hanke, Thorsten Holz, Chris Kruegel, and Giovanni Vigna as part of their research for their Container Orchestration Honeypot: Observing Attacks in the Wild paper.
The capture files named "proxy-", such as the analyzed proxy-220404-162837.pcap, were generated by PolarProxy and contain the decrypted Kubernetes API traffic to the master node. This traffic was actually TLS encrypted, but since PolarProxy was used as a TLS interception proxy we can see the Kubernetes API traffic in decrypted form.
IOC List
- attacker IP: 102.165.16.27 (PIA VPN)
- kind: DeamonSet
- name: api-proxy
- namespace: kube-system
- image: dorjik/xmrig
- mining pool: gulf.moneroocean.stream:1012
- annotation: kubectl.kubernetes.io/last-applied-configuration
- Monero wallet address: 41pdpXWNMe6NvuDASWXn6ZMdPk4N6amucCHHstNcw2y8caJNdgN4kNeW3QFfc3amCiJ9x6dh8pLboR6minjYZpgk1szkeGg
Posted by Erik Hjelmvik on Tuesday, 07 May 2024 07:50:00 (UTC/GMT)
Tags: #video #CapLoader #PolarProxy
