Security researchers are warning that threat actors are abusing Argo Workflows instances and deploying cryptocurrency miners on Kubernetes clusters. Intezer researchers discovered multiple Argo Workflows that were exposed in various industries, including technology, finance, and logistics.
Kubernetes is an open-source platform that simplifies the management of containerized apps and workloads. Argo Workflows is a web app that simplifies the execution of parallel jobs on Kubernetes for various types of tasks, such as data processing and machine learning.
“Attackers are already taking advantage of this vector as we detected operators dropping cryptominers using this method in the wild,” Intezer security researchers Ryan Robinson and Nicole Fishbein revealed in a report published earlier this week.
Threat actors can gain access to cluster environments through Argo dashboards and deploy their Monero mining containers. One of the miners researchers found was kannix/monero-miner that uses the XMRig CPU/GPU miner. While the original kannix/monero-mine app is no longer available on Docker, attackers can still get Monero mining done through a few similar containers.
The researchers expect that the attacks could be carrying out bigger campaigns because there are many Internet-exposed Argo Workflows instances lacking proper permissions.
Misconfigured Argo Workflows are the latest attack vectors that threaten Kubernetes clusters. Admins are advised to monitor their environments and configure authentication on their Argo Workflows dashboards to prevent exploitation.
In May 2018, Microsoft warned that crypto miners were targeting machine learning infrastructure in Kubernetes clusters. By abusing Kubeflow Pipelines attackers deployed machine learning pipelines that ran Ethminer and XMRig cryptocurrency miners.
