Misconfigured nodes allowed hacker to mine Monero (XMR)

2022-06-22 区块链达人

In a June 10 report, Microsoft revealed details of vulnerabilities discovered in the Azure computing network. The vulnerability allows an attacker to use the Azure network to mine Monero (XMR) through the nodes of a machine learning toolkit called Kubeflow. It affects 10 nodes of a Kubeflow machine learning deployment that is part of the Azure network. The report was released by Yossi Weizman, a security research software engineer at the Azure Security Center (ASC).

Kubeflow is a machine learning toolkit for the Kubernetes platform. Microsoft says that Kubeflow has gained popularity and that, because of its computational power, it has become a target for cyber attacks:

Kubeflow has grown and become a popular framework for running machine learning tasks in Kubernetes. Nodes that are used for ML tasks are often relatively powerful, and in some cases include GPUs. This fact makes Kubernetes clusters that are used for ML tasks a perfect target for crypto mining campaigns, which was the aim of this attack.

The Azure Security Center was able to determine that the access vector of the attack was the Kubeflow framework. The ASC discovered a suspicious image in a data repository within the machine learning clusters.

In this way, attackers can access Kubeflow’s dashboard and deploy a malicious backdoor container. Using this method, attackers can upload a malicious image like the one shown above to the Jupyter notebook server to mine Monero. The Azure Security Center made a number of recommendations to prevent these attacks and invited its users to review the security aspects of using Kubeflow.

As reported by CNF, Monero is one of the preferred cryptocurrencies for these attacks. Due to its characteristics, the identity of the attackers is protected. In May, a series of reports from recognized scientific institutions, such as the National Supercomputing Service of the United Kingdom, revealed that attackers had used the computing power of their supercomputers to mine Monero. Among the countries affected were the United Kingdom, Germany, Switzerland and Spain.

According to ASC, the Kubeflow machine learning framework is made up of several services, including frameworks for training models, Katib, and Jupyter servers, among others. Users of the virtual machine access these services through an internal dashboard from the Kubeflow node. The configuration of the dashboard can be changed for the user’s convenience, as was the case with this attack according to the Azure Security Center. However, this configuration allowed the nodes to be exposed to the internet and left them susceptible to attacks:

Users should use port-forward to access the dashboard (which tunnels the traffic via the Kubernetes API server). (…) without this action, accessing the dashboard requires tunneling through the Kubernetes API server and isn’t direct. By exposing the Service to the Internet, users can access the dashboard directly. However, this operation enables insecure access to the Kubeflow dashboard, which allows anyone to perform operations in Kubeflow, including deploying new containers in the cluster.
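To check a cluster for the exposure described above, the following added example (not code from Microsoft's report or from Kubeflow) audits a Service list in the shape returned by `kubectl get services --all-namespaces -o json` and reports Services reachable without going through the Kubernetes API server. The watched namespaces, the Service names and the sample data are assumptions constructed for illustration.

```python
# Namespaces assumed to host the Kubeflow dashboard and its ingress gateway.
WATCHED_NAMESPACES = {"kubeflow", "istio-system"}

def exposed_services(service_list, namespaces=WATCHED_NAMESPACES):
    """Return (namespace, name, reason) for Services reachable from outside the cluster."""
    findings = []
    for svc in service_list.get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "")
        if ns not in namespaces:
            continue
        svc_type = spec.get("type", "ClusterIP")  # Kubernetes defaults to ClusterIP
        if svc_type == "LoadBalancer":
            ranges = spec.get("loadBalancerSourceRanges") or []
            if not ranges or "0.0.0.0/0" in ranges:
                findings.append((ns, name, "LoadBalancer open to any source"))
            else:
                findings.append((ns, name, "LoadBalancer limited to " + ",".join(ranges)))
        elif svc_type == "NodePort":
            ports = [str(p["nodePort"]) for p in spec.get("ports", []) if "nodePort" in p]
            findings.append((ns, name, "NodePort " + ",".join(ports)))
        if spec.get("externalIPs"):
            findings.append((ns, name, "externalIPs set"))
    return findings

# Constructed sample data; in practice, load the kubectl JSON output with json.load().
SAMPLE = {"items": [
    {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80, "nodePort": 31380}]}},
    {"metadata": {"namespace": "kubeflow", "name": "centraldashboard"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
    {"metadata": {"namespace": "kubeflow", "name": "notebook-debug"},
     "spec": {"type": "NodePort", "ports": [{"port": 8888, "nodePort": 30088}]}},
    {"metadata": {"namespace": "shop", "name": "storefront"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
]}

if __name__ == "__main__":
    for ns, name, reason in exposed_services(SAMPLE):
        print(f"{ns}/{name}: {reason}")
```

A Service that stays at the default ClusterIP type produces no finding, which matches the port-forward access path the quoted guidance recommends.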

Author: Reynaldo