Hackers have been found hijacking misconfigured Kubernetes nodes, an integral part of the Microsoft Azure Cloud. Kubernetes is one of the most important services the company offers, since it underpins the complex workloads its clients deploy. The goal of the as-yet-unidentified hacking group is to install a cryptocurrency miner on the compromised instances and profit from their computing power.
Kubernetes Nodes Targeted By Hackers: Microsoft Azure Cloud Clients Warned
Recently a number of security incidents have been reported targeting Kubernetes nodes hosted on the Microsoft Azure cloud platform. Unlike the common approach of exploiting software vulnerabilities, this time the hackers are looking for improper configuration, which allows remote attackers to gain access to the containers.
The detected campaigns aim at Kubeflow, a popular open-source project that helps users manage TensorFlow jobs on their Kubernetes installation. Over the years it has become one of the dominant frameworks for launching machine learning tasks on the Microsoft Azure cloud platform.
Cryptocurrency miners run hardware-intensive tasks that consume whatever computing power is available. The attackers launch a script or program on the cloud platform which downloads the miner and reports on the tasks it runs. For every completed task the hackers behind the operation receive cryptocurrency directly in their digital wallets. Kubernetes nodes are targeted because they are very powerful and often include capable GPUs that provide the required computing power.
The intrusion mechanism is a misconfigured Kubeflow dashboard, which has led to the exposure of its UI functionality. By default the Istio Ingress gateway is accessible only internally. However, in some configurations the Kubernetes owners have modified the settings so that the service can be reached from the wider Internet. When this is done, prospective hackers can access this internal resource and, through it, the containers. Possible actions even include launching new containers that carry the cryptocurrency mining code.
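A defender can confirm whether this exposure exists in their own cluster by inspecting the Service objects: the Istio ingress gateway is only reachable from the Internet when its Service type has been changed to LoadBalancer (or NodePort) and an external address has been provisioned. The following audit script is an added example and not code from the article or from the Kubeflow project. It parses the JSON that `kubectl get svc -A -o json` produces; the Service names, namespaces and the address in the embedded sample are constructed for the example, and the file name `check_exposure.py` in the usage comment is an assumption.

```python
import json
import sys
from typing import Dict, List

# Constructed sample in the shape of `kubectl get svc -A -o json`, trimmed to the
# fields this check reads. Names, namespaces and the address are made up.
SAMPLE_SERVICES_JSON = json.dumps({
    "items": [
        {
            "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
            "spec": {"type": "LoadBalancer", "ports": [{"port": 80}, {"port": 443}]},
            "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}},
        },
        {
            "metadata": {"name": "centraldashboard", "namespace": "kubeflow"},
            "spec": {"type": "ClusterIP", "ports": [{"port": 80}]},
            "status": {"loadBalancer": {}},
        },
        {
            "metadata": {"name": "ml-pipeline-ui", "namespace": "kubeflow"},
            "spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 31380}]},
            "status": {"loadBalancer": {}},
        },
    ]
})

# Service types that make a Service reachable from outside the cluster network.
EXTERNALLY_REACHABLE_TYPES = {"LoadBalancer", "NodePort"}

# Services that front the Kubeflow UI; exposing these is the misconfiguration
# described in the article, so they are reported at the highest severity.
UI_FRONTING_SERVICES = {"istio-ingressgateway", "centraldashboard", "ml-pipeline-ui"}


def find_exposed_services(services_json: str) -> List[Dict]:
    """Return one finding per Service that is reachable from outside the cluster."""
    findings = []
    for svc in json.loads(services_json).get("items", []):
        meta = svc.get("metadata", {})
        spec = svc.get("spec", {})
        svc_type = spec.get("type", "ClusterIP")
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", []) or []
        external = [e.get("ip") or e.get("hostname") for e in ingress]
        if svc_type not in EXTERNALLY_REACHABLE_TYPES and not external:
            continue  # ClusterIP with no provisioned external address: internal only
        name = meta.get("name", "")
        findings.append({
            "namespace": meta.get("namespace", ""),
            "name": name,
            "type": svc_type,
            "external": external,
            "ports": [p.get("port") for p in spec.get("ports", [])],
            "severity": "high" if name in UI_FRONTING_SERVICES else "medium",
        })
    # Highest severity first so an exposed ingress gateway tops the report.
    findings.sort(key=lambda f: (f["severity"] != "high", f["namespace"], f["name"]))
    return findings


def format_report(findings: List[Dict]) -> str:
    """Render findings as one line each, or an OK line when nothing is exposed."""
    if not findings:
        return "OK: no externally reachable Services found"
    lines = []
    for f in findings:
        where = ", ".join(f["external"]) if f["external"] else "node ports"
        lines.append(f'{f["severity"].upper()}: {f["namespace"]}/{f["name"]} '
                     f'type={f["type"]} reachable via {where} ports={f["ports"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real output in (`kubectl get svc -A -o json | python3 check_exposure.py`)
    # or run with no input to see the report for the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SERVICES_JSON
    print(format_report(find_exposed_services(data)))
```

The check is read-only and treats a NodePort Service as exposed too, because node ports are reachable on the node IPs unless a network security group blocks them; an operator who finds the ingress gateway reported here should switch it back to ClusterIP and put authentication in front of the dashboard.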
Misconfigured cloud instances are one of the core causes of hacker-controlled intrusions. In the case of the Microsoft Azure cloud, several security tips can be followed:
- Enable access and authentication controls to the deployed applications
- Monitor public-facing endpoints for suspicious behavior
- Monitor the runtime environment which includes all containers, images and running processes
- Deploy only trusted images and scan them for potential vulnerabilities. Use the Azure Policy controls to restrict insecure connections and scenarios
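The last two tips (monitor the runtime environment, deploy only trusted images) can be checked together by auditing the images that running pods actually use against an allowlist of registries. The script below is an added example, not code from the article or from any Azure or Kubeflow tooling. It parses the output of `kubectl get pods -A -o json`; the registry allowlist `TRUSTED_REGISTRIES` (including the placeholder `example.azurecr.io`) and every pod and image name in the embedded sample are assumed or constructed for the example. It flags two things: a container image pulled from a registry outside the allowlist, and an image that is not pinned (no tag, or the mutable `latest` tag), since an unpinned image can silently change between pulls.

```python
import json
from typing import Dict, List, Tuple

# Registries the cluster is allowed to pull from. These are assumed values for
# the example; substitute your own Azure Container Registry name.
TRUSTED_REGISTRIES = ("mcr.microsoft.com", "example.azurecr.io")

# Constructed sample in the shape of `kubectl get pods -A -o json`, trimmed to
# the fields this audit reads. Pod and image names are made up.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {
            "metadata": {"name": "notebook-0", "namespace": "kubeflow"},
            "spec": {"containers": [
                {"name": "notebook", "image": "example.azurecr.io/ml/notebook:1.4.2"}]},
        },
        {
            "metadata": {"name": "unknown-job-7f9", "namespace": "kubeflow"},
            "spec": {
                "initContainers": [{"name": "fetch", "image": "busybox"}],
                "containers": [{"name": "worker", "image": "someuser/worker:latest"}],
            },
        },
        {
            "metadata": {"name": "coredns-5d", "namespace": "kube-system"},
            "spec": {"containers": [
                {"name": "coredns", "image": "mcr.microsoft.com/oss/kubernetes/coredns:1.8.0"}]},
        },
    ]
})


def split_image(image: str) -> Tuple[str, str, str]:
    """Split an image reference into (registry, repository, tag_or_digest).

    Docker convention: the first path component is a registry only if it looks
    like a host (contains '.' or ':' or is 'localhost'); otherwise the default
    registry docker.io is implied.
    """
    if "@" in image:
        name, ref = image.split("@", 1)          # digest-pinned reference
    else:
        last = image.rsplit("/", 1)[-1]
        if ":" in last:
            name, ref = image.rsplit(":", 1)     # explicit tag
        else:
            name, ref = image, ""                # no tag: implicitly 'latest'
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        return parts[0], "/".join(parts[1:]), ref
    return "docker.io", name, ref


def audit_pod_images(pods_json: str,
                     trusted: Tuple[str, ...] = TRUSTED_REGISTRIES) -> List[Dict]:
    """Flag every container (init or regular) whose image is untrusted or unpinned."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            image = c.get("image", "")
            registry, _repo, ref = split_image(image)
            problems = []
            if registry not in trusted:
                problems.append(f"untrusted registry {registry}")
            if ref in ("", "latest"):
                problems.append("mutable tag (unpinned)")
            if problems:
                findings.append({
                    "namespace": meta.get("namespace", ""),
                    "pod": meta.get("name", ""),
                    "container": c.get("name", ""),
                    "image": image,
                    "problems": problems,
                })
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; pipe real `kubectl get pods -A -o json`
    # output into json.loads-compatible input to audit a live cluster.
    for f in audit_pod_images(SAMPLE_PODS_JSON):
        print(f'{f["namespace"]}/{f["pod"]} [{f["container"]}] {f["image"]}: '
              + "; ".join(f["problems"]))
```

Running this on a schedule (or from a CI job) gives the runtime visibility the tips call for: a pod that appears with an image from an unexpected registry is exactly the kind of newly launched container the article describes, and it surfaces even when the deployment was created through an exposed dashboard rather than through the normal pipeline.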