Research Saturday 4.15.23
Ep 277 | 4.15.23

New Dero cryptojacking operation concentrates on locating Kubernetes.

Transcript

Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Scott Fanning: You know, we're always looking for, you know, the adversary's view of -- of, you know, software supply chains and -- and we're seeing Kubernetes as a particularly interesting threat surface that people like to take advantage of.

Dave Bittner: That's Scott Fanning. He's senior director of Product Management and Cloud Security at CrowdStrike. We're discussing their research on the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure.

Dave Bittner: For folks who aren't working in Kubernetes day to day, can you give us some insights as to what makes it attractive for these sorts of threat actors?

Scott Fanning: Sure. I mean, you know, think of Kubernetes as an orchestration plane for containers. You know, they allow a container, which is an -- part of an application, to be scaled across the cloud. And if the needs of your application increase, it's smart enough to, you know, add more capability, more compute, more parts of the app. And then if it requires to go down, it reduces, it constricts, it keeps costs down. And so Kubernetes' job is to orchestrate the scaling of applications. And what makes it attractive is that it's kind of the control hub of all these different applications. And if you can get into that, you can start dictating what kind of applications you may want to install as well as maybe how they behave.

Dave Bittner: Well, let's dig in here with this campaign that's targeting Dero. That's a type of cryptocurrency, yes?

Scott Fanning: Yes. It's an interesting cryptocurrency. It's competing against Monero as well. It's more efficient, so you can generate coin for less power, less time, so it makes it more attractive. You know, the cryptocurrency market has taken a bit of a dive of late, so any kind of efficiencies you can get is seen as better return on investment. And so Dero is seen as a nice way to monetize, being energy efficient and time efficient as well.

Dave Bittner: I see. Well, let's walk through this campaign together then. I mean, how does an organization find themselves falling victim to this?

Scott Fanning: So this usually starts off with a very basic premise of having unauthenticated APIs to your Kubernetes cluster. You know, by default now, when you deploy Kubernetes, you have to put in authentication. But that's a recent advancement. So there are many Kubernetes clusters out there that are open to be used from the outside. And what the adversary does is look for those Kubernetes clusters. And once it finds one, it decides to take advantage of it.

Dave Bittner: And how does it do that? What exactly is it doing here?

Scott Fanning: So what it'll do is that it will first, it'll do a reconnaissance to find which, you know, ports are open on the Kubernetes cluster that's misconfigured. And then what it'll do is that it will ask it to deploy a -- what's called a pod on a node, leveraging the Kubernetes cluster. This pod is just a small application. And what's novel about this is it uses common DevOps and Kubernetes terms to kind of masquerade itself. So if you're looking really quickly at the directory of processes that are running in your application, you might not see it. But because it kind of masquerades itself as a common term, it's very easy. And so it uses the word proxy API, you know, which, you know, sounds very, you know, DevOps-y. And, oh, everyone uses a proxy. So it kind of masquerades itself and then, you know, deploys, using DevOps techniques, a crypto miner that mines Dero.

Dave Bittner: Would someone who's running this Kubernetes instance be likely to detect this? Would they see, you know, a sudden spike in their -- in their usage?

Scott Fanning: So it's interesting -- is that -- like, it does a very clever job, like I said, using kind of leveraging, you know, terms. Like, there is a default kind of binary in a Kubernetes cluster called pause, and it's kind of empty by default. And actually, the adversary takes advantage of that and calls their miner pause. So it looks just like you would normally. And then you won't see as much on the CPU front because it's kind of masqueraded inside the Kubernetes cluster as a pod. And so -- and it's very efficient, so it doesn't really make as much noise either. So you have to kind of understand, kind of, what you're looking for. At a quick glance, you might not see it. But if you have, you know, the ability to monitor from at a -- at a -- from a threat perspective with some technology, then you can -- you can see it, and Falcon cloud security can see it. So that's why we can -- we have an actual detection for it. You can actually see the capabilities.

Dave Bittner: Yeah. And one of the things you pointed out in your research here was that evidently, there are some competing campaigns here. There's a Monero campaign that's also trying to come at this the same way.

Scott Fanning: Yeah. I mean, you know, everyone -- everyone looks for the best real estate and they don't have a problem sticking it to their friends either. So, you know, and those CPU cycles are precious. So anything they can do to get rid of a competitor and give themselves more breathing room to do what they have to do, you know, the adversary has no shame in doing it.

Dave Bittner: So this Monero campaign, they will come in using the same sorts of methods and if they see the Dero campaign, they boot them out and install their own stuff?

Scott Fanning: Yes. And they'll -- and they'll do it rudely. They'll -- they'll just wipe it out and they'll -- the Monero campaign will infect the host OS. So they'll go even a level deeper. So it's a little noisier. But, you know, needless to say, they want as much real estate for themselves to do their job.

Dave Bittner: Right. No honor among thieves.

Scott Fanning: None.

[ Laughter ]

Dave Bittner: Well, let's talk about ways to stop this. I mean, how do organizations best protect themselves?

Scott Fanning: That's -- that's -- that's a great question. One thing you need to do is just make sure that your APIs to your Kubernetes cluster have authentication turned on. Very basic thing. It tends not to be on the default because it adds friction. Managing authentication in Kubernetes can be a little tricky. So the incentives to do it sometimes can be low. But that's a very basic thing to do. But it certainly, you know, keeps them out if you do a good job of it. That's -- that's the primary way to keep them out. You know, the second thing is just make sure you have a good, you know, security monitoring system in place. You know, so, you know, if you have something that has a Kubernetes protection capability so you can monitor what's happening with your Kubernetes control plane, as well as what's happening with your, you know, your pods and your -- and your clusters, then, you know, that's definitely another way to do it. You know, keep being ever vigilant is always helpful. And of course, least-privilege principles, you know. That's common against any of them. Make sure that, you know, people have the need to know and the right to use. To keep those privileges down.

Dave Bittner: Is that a matter of looking at behavioral things? You were saying you're keeping an eye on these, just looking for activity that is outside of the band of what is expected.

Scott Fanning: Yeah. I mean, you know, if you can see -- it's a combination of understanding how the process trees within the application are formed, but it's also the combination of those processes and how they're invoked. And that's where having the ability to not just monitor the activity of your Kubernetes environment but also being able to create detections around what combinations of these processes, when sewn together, represent an indicator of an attack. And that's kind of where, you know, CrowdStrike comes in.

Dave Bittner: Do you all have any idea who might be behind this or what part of the world they're coming from?

Scott Fanning: You know, it's pretty novel. It's -- we -- you know, attributions are always a little tricky in these cases, especially with this particular type of Bitcoin technology. Unlike Monero which uses your standard, you know, wallets and proxies, this uses like a community wallet. Very difficult to trace. So that's one of the reasons why, you know, cybercriminals particularly enjoy its merits.

Dave Bittner: Our thanks to Scott Fanning from CrowdStrike for joining us. The research looks into the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Ervin and senior producer Jennifer Eiben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
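Editor's note: the two footholds the conversation describes, pods created through an unauthenticated Kubernetes API and a miner container hiding behind a built-in-looking name such as "pause" or "proxy-api", can be checked for directly. The Python below is an added example written for this page; it is not CrowdStrike's code, not the Falcon detection the guest mentions, and not taken from the research write-up. The audit events, pod specs, source IP, image names and the per-name image allow-list are all constructed assumptions for illustration.

```python
"""Added example: flag pods that were created without credentials (the
unauthenticated-API entry point) and containers that borrow a built-in
name but run an unexpected image. All sample data below is constructed."""

# Assumption: image prefixes that may legitimately run under these container
# names. Note that the real "pause" sandbox container is started by the
# kubelet and never appears in pod.spec.containers, so any pod spec that
# names a container "pause" already deserves a look. The DevOps-sounding
# names get an empty allow-list and are always flagged.
ALLOWED_IMAGE_PREFIXES = {
    "pause": ("registry.k8s.io/pause", "k8s.gcr.io/pause"),
    "proxy-api": (),
    "proxy_api": (),
}


def anonymous_pod_creates(audit_events):
    """Return (namespace, pod name, source IPs) for pod creations attributed
    to system:anonymous, the identity the API server assigns to requests
    that carried no credentials."""
    hits = []
    for ev in audit_events:
        user = ev.get("user", {}).get("username", "")
        ref = ev.get("objectRef", {})
        if (user == "system:anonymous" and ev.get("verb") == "create"
                and ref.get("resource") == "pods"):
            hits.append((ref.get("namespace"), ref.get("name"), ev.get("sourceIPs", [])))
    return hits


def lookalike_containers(pod):
    """Return (pod, container, image) for containers whose name is one of the
    mimicked built-ins but whose image is not on that name's allow-list."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        allowed = ALLOWED_IMAGE_PREFIXES.get(c["name"].lower())
        if allowed is None:
            continue  # not a name we treat as a masquerade candidate
        # str.startswith(()) is False, so an empty allow-list always flags
        if not c["image"].startswith(allowed):
            findings.append((pod["metadata"]["name"], c["name"], c["image"]))
    return findings


def triage(audit_events, pods):
    """Map 'namespace/pod' to the reasons it was flagged. A pod carrying both
    reasons (created without credentials and hiding a container behind a
    built-in name) matches the pattern described in the episode."""
    reasons = {}
    for ns, name, ips in anonymous_pod_creates(audit_events):
        reasons.setdefault(f"{ns}/{name}", []).append(
            f"created by system:anonymous from {','.join(ips)}")
    for pod in pods:
        key = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        for _, cname, image in lookalike_containers(pod):
            reasons.setdefault(key, []).append(
                f"container {cname!r} runs unexpected image {image}")
    return reasons


# Constructed audit events; field names follow the Kubernetes audit Event
# shape (verb, user.username, objectRef, sourceIPs), values are made up.
SAMPLE_AUDIT_EVENTS = [
    {"verb": "get",
     "user": {"username": "system:serviceaccount:kube-system:deployment-controller"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "coredns-abc"},
     "sourceIPs": ["10.0.0.5"]},
    {"verb": "create",
     "user": {"username": "system:anonymous"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "proxy-api"},
     "sourceIPs": ["203.0.113.7"]},
]

# Constructed pod specs: one ordinary workload, one mimicking "pause".
SAMPLE_PODS = [
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"containers": [{"name": "nginx", "image": "docker.io/library/nginx:1.25"}]}},
    {"metadata": {"namespace": "default", "name": "proxy-api"},
     "spec": {"containers": [{"name": "pause", "image": "docker.io/example/miner:latest"}]}},
]

if __name__ == "__main__":
    for pod, why in triage(SAMPLE_AUDIT_EVENTS, SAMPLE_PODS).items():
        print(pod, "->", "; ".join(why))
```

On a live cluster the same functions can be fed the API server's audit log (one JSON event per line) and the output of a pod list from the API; the allow-list is the piece to adapt, since the point is that a name alone proves nothing and the image behind it is what has to be checked.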