CyberWire Daily - New Dero cryptojacking operation concentrates on locating Kubernetes. [Research Saturday]
Episode Date: April 15, 2023
Scott Fanning, Senior Director of Product Management, Cloud Security at CrowdStrike, sits down to talk about the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. The research defines Dero as "a cryptocurrency that claims to offer improved privacy, anonymity and higher and faster monetary rewards compared to Monero, which is a commonly used cryptocurrency in cryptojacking operations." CrowdStrike was the first organization to discover Dero, and has been observing the cryptojacking operation since the beginning of February 2023. The operation focuses mainly on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet. The research can be found here: CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
... of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life ...
Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
You know, we're always looking for, you know, the adversary's view of, you know, software supply chains, and we're seeing Kubernetes as a particularly interesting threat surface that people like to take advantage of.
That's Scott Fanning. He's Senior Director of Product Management and Cloud Security at CrowdStrike. We're discussing their research on the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure.
For folks who aren't working in Kubernetes day-to-day, can you give us some insights as to what makes it attractive for these sorts of threat actors?
Sure. I mean, think of Kubernetes as an orchestration plane for containers. They allow a container, which is part of an application, to be scaled across the cloud. And if the needs of your application increase, it's smart enough to add more capability, more compute, more parts of the app. And then if it requires to go down, it reduces, it constricts, it keeps costs down. And so Kubernetes' job is to orchestrate the scaling of applications. And what makes it attractive is that it's kind of the control hub of all these different applications. And if you can get into that, you can start dictating what kind of applications you may want to install, as well as maybe how they behave.
Well, let's dig in here with this campaign that's targeting Dero. That's a type of cryptocurrency, yes?
Yes. It's an interesting cryptocurrency. It's competing against Monero as well. It's more efficient, so you can generate coin for less power, less time. So it makes it more attractive. You know, the cryptocurrency market has taken a bit of a dive of late. So any kind of efficiencies you can get is seen as better return on investment. And so Dero is seen as a nice way to monetize, being energy efficient and time efficient as well.
I see. Well, let's walk through this campaign together then. I mean, how does an organization find themselves falling victim to this?
So this usually starts off with a very basic premise of having unauthenticated APIs to your Kubernetes cluster. By default now, when you deploy Kubernetes, you have to put in authentication. But that's a recent advancement. So there are many Kubernetes clusters out there that are open to be used from the outside. And what the adversary does is look for those Kubernetes clusters. And once it finds one, it decides to take advantage of it.
And how does it do that? What exactly is it doing here?
So what it'll do is that it will first do a reconnaissance to find which ports are open on the Kubernetes cluster. It's misconfigured. And then what it'll do is that it'll ask it to deploy what's called a pod on a node leveraging the Kubernetes cluster. This pod is just a small application. And what's novel about this is it uses common DevOps and Kubernetes terms to kind of masquerade itself. So if you're looking really quickly at the directory of processes that are running in your application, you might not see it. But because it kind of masquerades itself as a common term, it's very easy. And so it uses the word proxy API, which sounds very DevOps-y, and oh, everyone uses a proxy. So it kind of masquerades itself and then deploys using DevOps techniques a cryptominer, but mines Dero.
And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral. Connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context. Simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
Would someone who's running this Kubernetes instance be likely to detect this? Would they see a sudden spike in their usage?
So it's interesting. It does a very clever job, like I said, using kind of leveraging terms. Like there is a default kind of binary in a Kubernetes cluster called pause. And it's kind of empty by default. And actually, the adversary takes advantage of that and calls their miner pause. So it looks just like you would normally. And then you won't see as much on the CPU front because it's kind of masqueraded inside the Kubernetes cluster as a pod. And it's very efficient, so it doesn't really make as much noise either. So you have to kind of understand what you're looking for. At a quick glance, you might not see it, but if you have the ability to monitor from a threat perspective with some technology, then you can see it. And Falcon Cloud Security can see it. So that's why we have an actual detection for it. You can actually see the capabilities.
Yeah.
Now, one of the things you pointed out in your research here was that evidently there are some competing campaigns here. There's a Monero campaign that's also trying to come at this the same way.
Yeah.
I mean, everyone looks for the best real estate, and they don't have a problem sticking it to their friends either. And those CPU cycles are precious. So anything they can do to get rid of a competitor and give themselves more breathing room to do what they have to do, the adversary has no shame in doing it.
So this Monero campaign, they will come in using the same sorts of methods, and if they see the Dero campaign, they boot them out and install their own stuff?
Yes, and they'll do it rudely. They'll just wipe it out, and the Monero campaign will infect the host OS, so they'll go even a level deeper. So it's a little noisier, but needless to say, they want as much real estate for themselves to do their job.
Right. No honor among thieves.
None.
Well, let's talk about ways to stop this. I mean, how do organizations best protect themselves?
Oh, that's a great question. I mean, one thing you need to do is just make sure that your APIs through your Kubernetes cluster have authentication turned on. A very basic thing. It tends not to be on the default because it adds friction. Managing authentication in Kubernetes can be a little tricky. The incentives to do it sometimes can be low, but that's a very basic thing to do, but it certainly keeps them out if you do a good job of it. That's the primary way to keep them out. The second thing is just make sure you have a good security monitoring system in place.
So if you have something that has a Kubernetes protection capability so you can monitor what's happening with your Kubernetes control plane as well as what's happening with your pods and your clusters, then that's definitely another way to do it. Keeping ever vigilant is always helpful. And of course, least privilege principles. That's common against anything. Make sure that people have the need to know and the right to use and keep those privileges down.
Is that a matter of looking at behavioral things? You were saying keeping an eye on these, just looking for activity that is outside of the band of what is expected?
Yeah, I mean, if you can see, it's a combination of understanding how the process trees within the application are formed, but it's also the combination of those processes and how they're invoked. And that's where having the ability to not just monitor the activity of your Kubernetes environment, but also being able to create detections around what combinations of these processes, when sewn together, represent an indicator of an attack. And that's kind of where CrowdStrike comes in.
Do you all have any idea who might be behind this or what part of the world they're coming from?
You know, it's pretty novel. Attributions are always a little tricky in these cases, especially with this particular type of Bitcoin technology. Unlike Monero, which uses your standard wallets and proxies, this uses a community wallet. Very difficult to trace, so it's one of the reasons why cyber criminals particularly enjoy its merits.
Our thanks to Scott Fanning from CrowdStrike for joining us. The research looks into the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. We'll have a link in the show notes.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
The Cyber Wire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Ervin.