Kubernetes clusters being hijacked to mine cryptocurrencies

综合技术 2018-12-07 阅读原文

Kubernetes, a container orchestration system used by many companies worldwide, is a type of service we have been monitoring lately as we see issues like CVE-2018-1002105 appear.

Another reason for our interest in this service is because we have seen increasing numbers being detected of Kubernetes being exposed to the internet.

But why is it a problem to expose Kubernetes to the internet?

As is typical with our findings, lots of companies are exposing their Kubernetes API with no authentication; inside the Kubernetes cluster, small containers called Pods are ran. Essentially a pod represents a process inside the cluster.

By having this exposed, an attacker can not only see what is running on the Pods but also execute commands on the Pods themselves.

The result is that we are seeing worldwide many Kubernetes clusters having their Pods hijacked to mine cryptocurrencies.

We have identified Kubernetes clusters exposed that belong to all sorts of industries and company sizes. From small startups to Fortune 500 companies.

So how do we identify insecure Kubernetes and those that have been hijacked?

By using ourHTTP Module we can create a custom HTTP request that checks the following path


If we get a response we can see all the information about the cluster.

Looking down we can see commands that were executed on the pods as seen on the following example:

If we take a look at the script "222.json" it already gives us an idea of what this might be:

This Pod has been hijacked to mine cryptocurrency.

We've seen other pods that have exposed API tokens to different services, also critical data and passwords.

How Can I Check if my Cluster has been exposed

We've imported the scans we did into https://app.binaryedge.io

We would like to thank Random Robbie for helping us research and identify these issues.

Hacker News

责编内容by:Hacker News阅读原文】。感谢您的支持!


Securing the ‘New Network’ Network security is a different undertaking with today’s new network In today’s business environment, containers and m...
使用Let’s Encrypt在Kubernetes上保护Istio的Ingress服务... 使用Let’s Encrypt在Kubernetes上保护Istio的Ingress services 这是我在kubernetes之上部署Istio系列文章中的第三篇,内容是关于我们试图通过Vamp Lamia实现的更多细...
Fission: Serverless Functions as a Service for Kub... Editor's note: Today’s post is by Soam Vasani, Software Engineer at Platform9 Systems, talking about a new open source...
4 Common Kubernetes-Monitoring Traps to Avoid Eric Johanson Eric is a software engineer at AppDynamics. Prior to AppDynamics, Eric held engineering and ...