Malicious actors target Kubernetes clusters via Argo Workflows

Security researchers at Intezer have warned of a new series of attacks, where threat actors target Kubernetes (K8s) clusters via misconfigured Argo Workflows instances to deploy cryptomining software.

Argo Workflows is an open-source, container-native workflow engine designed to run on K8s clusters. The researchers said they discovered a number of unprotected instances, operated by companies in several industries including technology, finance and logistics. In some cases, attackers abused Argo Workflows instances with misconfigured permissions to run unauthorized code in the target’s environment.

Argo uses YAML files to define the type of work to be performed, with the workflows being executed either from a template or submitted directly through the Argo user interface. On instances with misconfigured permissions, attackers could access an open Argo dashboard and submit their own workflow. In the observed attacks the threat actors deployed a popular cryptocurrency mining container, kannix/monero-miner, Intezer said.

The container uses XMRig to mine for Monero and is being abused by threat actors to run crypto-jacking operations. It can be abused by threat actors of any skill level, since the only change required is the wallet address to which the mined cryptocurrency is paid out.

“In Docker Hub there are still a number of options for Monero mining that attackers can use. With a simple search it shows that there are at least 45 other containers with millions of downloads,” Intezer said.

Users can check whether an instance is misconfigured by trying to open the Argo Workflows dashboard from an unauthenticated incognito browser outside their corporate environment. Another option is to query the instance’s API and check the HTTP status code it returns.

“Make an HTTP GET request to [your.instance:port]/api/v1/info. A returned HTTP status code of ‘401 Unauthorized’ while being an unauthenticated user will indicate a correctly configured instance, whereas a successful status code of ‘200 Success’ could indicate that an unauthorized user is able to access the instance,” the researchers explained.
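The status-code check described by the researchers, written out as an added example (this is not Intezer’s or the Argo project’s code). It sends one unauthenticated GET to the /api/v1/info endpoint named above and maps the response to a verdict. The base URL is a placeholder you replace; the handling of redirects and of non-401/200 codes is the author’s own reading of the check, not something the article states.

```python
import sys
import urllib.error
import urllib.request

# Endpoint quoted in the article. The host/port is a placeholder to replace.
INFO_PATH = "/api/v1/info"
PLACEHOLDER_BASE_URL = "https://your.instance:port"


def classify_status(status_code: int) -> str:
    """Map the status returned to an UNAUTHENTICATED client to a verdict.

    401 -> server demanded credentials: authentication is enforced.
    200 -> server answered without credentials: instance may be exposed.
    anything else (403, 5xx, ...) -> inconclusive; inspect by hand.
    """
    if status_code == 401:
        return "auth-enforced"
    if status_code == 200:
        return "possibly-exposed"
    return "inconclusive"


def check_argo_instance(base_url: str, timeout: float = 5.0) -> tuple:
    """GET <base_url>/api/v1/info with no credentials; return (status, verdict)."""
    url = base_url.rstrip("/") + INFO_PATH
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # urllib follows redirects; a 200 that arrived via a redirect
            # (e.g. to a login page) is not proof of exposure, so flag it.
            if resp.url.rstrip("/") != url:
                return (resp.status, f"redirected to {resp.url}; inspect manually")
            code = resp.status
    except urllib.error.HTTPError as e:
        # urllib raises for 4xx/5xx; the code itself is the signal we want.
        code = e.code
    except (urllib.error.URLError, OSError) as e:
        return (None, f"unreachable: {e}")
    return (code, classify_status(code))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else PLACEHOLDER_BASE_URL
    status, verdict = check_argo_instance(target)
    print(f"{target}{INFO_PATH} -> {status}: {verdict}")
```

Run it from a network that has no session with the cluster (a personal machine on a hotspot, not a corporate VPN), since a cached cookie or an SSO proxy in the path would turn a protected instance into a false “200”. A 403 or a redirect to a login page is not the same as a 401 and is reported separately rather than counted as safe.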

“If you suspect that your Argo instance has been misconfigured and exposed to the internet with excessive permissions, check for any suspicious activity in the logs and in the workflow timeline. Make sure that there are no workflows that have been running for an excessive amount of time. This might be an indicator of a cryptominer running on your cluster.”
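The “workflows running for an excessive amount of time” indicator above can be checked mechanically. The following is an added example, not code from Intezer or the Argo project: it takes a workflow list exported as JSON (for instance saved from the Argo API) and flags workflows in the Running phase that started more than a configurable threshold ago. The field names (metadata.name, metadata.namespace, status.phase, status.startedAt) are assumed to follow the shape of the Argo Workflows list response, and the embedded sample is constructed for the demonstration.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an Argo Workflows list response (assumed
# field layout; it is not captured from a real cluster).
SAMPLE_WORKFLOWS_JSON = """
{"items": [
  {"metadata": {"name": "nightly-etl-abc12", "namespace": "data"},
   "status": {"phase": "Succeeded",
              "startedAt": "2021-07-20T01:00:00Z",
              "finishedAt": "2021-07-20T01:20:00Z"}},
  {"metadata": {"name": "build-xyz99", "namespace": "ci"},
   "status": {"phase": "Running", "startedAt": "2021-07-21T09:30:00Z"}},
  {"metadata": {"name": "wf-h7k2p", "namespace": "default"},
   "status": {"phase": "Running", "startedAt": "2021-07-18T04:15:00Z"}}
]}
"""


def _parse_ts(ts: str) -> datetime:
    # Kubernetes timestamps use a trailing "Z"; older fromisoformat() does not.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_long_running(items, now, max_age=timedelta(hours=24)):
    """Return (namespace, name, age) for Running workflows older than max_age."""
    flagged = []
    for wf in items:
        status = wf.get("status", {})
        if status.get("phase") != "Running" or not status.get("startedAt"):
            continue  # finished, pending, or missing a start time: skip
        age = now - _parse_ts(status["startedAt"])
        if age > max_age:
            meta = wf.get("metadata", {})
            flagged.append((meta.get("namespace", "?"), meta.get("name", "?"), age))
    return flagged


def report(raw_json: str, now=None, max_age=timedelta(hours=24)):
    """Parse a workflow list export and return the long-running entries."""
    now = now or datetime.now(timezone.utc)
    items = json.loads(raw_json).get("items", [])
    return find_long_running(items, now, max_age)


if __name__ == "__main__":
    # Pass a saved JSON export as the first argument; otherwise use the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOWS_JSON
    for ns, name, age in report(raw):
        print(f"{ns}/{name} has been Running for {age}; check its pod image and logs")
```

A 24-hour threshold is an arbitrary starting point; set it to a little above your longest legitimate workflow and run the check on a schedule so that an unexpected, never-finishing workflow stands out. Anything flagged should be cross-checked against the workflow timeline and the container image it runs, as the article advises.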