Misconfigured Kubernetes clusters with anonymous authentication have been targeted by threat actors to facilitate the deployment of malicious Docker Hub-hosted images to eventually enable Dero cryptocurrency mining as part of an ongoing cryptojacking campaign, reports The Hacker News.
Injected into the malicious images was the DERO miner dubbed "pause" aimed at spoofing the legitimate "pause" container, with the miner executed across all cluster nodes via the "k8s-device-plugin" and "pytorch-container" DaemonSets, according to a report from Wiz Security.
Aside from the Docker images, attackers have also utilized a dropper shell script meant to deliver the GMiner payload while ending all other miner processes.
"[The threat actors] registered domains with innocent-looking names to avoid raising suspicion and to better blend in with legitimate web traffic, while masking communication with otherwise well-known mining pools. These combined tactics demonstrate the attacker's ongoing efforts to adapt their methods and stay one step ahead of defenders," said researchers.
