
Hackers Prepare Major Attack on Kubernetes Clusters for Hidden Monero Mining
Researchers at Unit 42 have uncovered new malware for covert Monero mining that spreads through Kubernetes clusters and the containerized applications running on them.
Read our analysis of Hildegard, new TeamTNT malware that targets #Kubernetes clusters and launches #cryptojacking operations. https://t.co/a6UAE1FcwF pic.twitter.com/aiJYlnK3v3
— Unit 42 (@Unit42_Intel) February 4, 2021
The attackers gained initial access through a misconfigured kubelet that accepted anonymous requests. From there the malware spread to other nodes in the cluster, disguised its process under the name of a legitimate Linux kernel thread (bioset), hid itself with LD_PRELOAD-based library injection, and kept its payload encrypted inside the binary to hinder static analysis.
Hildegard's mining scripts have been circulating since the first half of January but have remained largely inactive so far, so the researchers believe the campaign is still in its reconnaissance and deployment phase.
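The two techniques above (anonymous kubelet access and a user-space process posing as the bioset kernel thread, hidden through LD_PRELOAD) can both be checked from the host. The script below is an added example written for this page, not code from Unit 42 or from the malware; the kubelet configuration dicts, the /proc-style process table and the library path in the sample ld.so.preload text are constructed inputs, not captures from a real cluster.

```python
"""Host-side checks for the kubelet misconfiguration and the process-hiding
tricks described above. Added example; all inputs below are constructed."""

KTHREADD_PID = 2  # every Linux kernel thread is a child of kthreadd (PID 2)
KERNEL_THREAD_NAMES = {"bioset", "kworker", "ksoftirqd", "kswapd0"}


def kubelet_findings(cfg: dict) -> list:
    """Audit a parsed KubeletConfiguration (load the YAML with any parser first)
    for settings that let unauthenticated callers use the kubelet API on 10250."""
    findings = []
    anon = cfg.get("authentication", {}).get("anonymous", {}).get("enabled", False)
    mode = cfg.get("authorization", {}).get("mode", "Webhook")
    if anon:
        findings.append("authentication.anonymous.enabled=true: unauthenticated "
                        "callers can list pods and exec into containers")
    if mode == "AlwaysAllow":
        findings.append("authorization.mode=AlwaysAllow: no request is ever denied "
                        "(use Webhook so the API server's RBAC decides)")
    if cfg.get("readOnlyPort", 0):
        findings.append("readOnlyPort=%d: unauthenticated read-only API exposed"
                        % cfg["readOnlyPort"])
    return findings


def masquerading_kernel_threads(procs: list) -> list:
    """Return PIDs that carry a kernel-thread name such as 'bioset' but are
    really user-space processes. A genuine kernel thread has an empty cmdline,
    no /proc/PID/exe target and kthreadd as its parent."""
    suspects = []
    for p in procs:
        base_name = p["comm"].split("/", 1)[0]
        if base_name not in KERNEL_THREAD_NAMES:
            continue
        if p["cmdline"] or p["exe"] or p["ppid"] != KTHREADD_PID:
            suspects.append(p["pid"])
    return suspects


def preload_libraries(ld_so_preload_text: str, environ: dict) -> list:
    """List libraries forced into every process via /etc/ld.so.preload (one path
    per line, '#' starts a comment) or the LD_PRELOAD variable (colon- or
    space-separated). On a clean host both are empty."""
    libs = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.append(line)
    libs.extend(environ.get("LD_PRELOAD", "").replace(":", " ").split())
    return libs


# --- constructed sample inputs (not real captures) ---------------------------
WEAK_KUBELET_CFG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
}
HARDENED_KUBELET_CFG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}
SAMPLE_PROCS = [  # fields as read from /proc/PID/{comm,cmdline,exe,status}
    {"pid": 1, "ppid": 0, "comm": "systemd", "cmdline": "/sbin/init",
     "exe": "/usr/lib/systemd/systemd"},
    {"pid": 83, "ppid": 2, "comm": "bioset", "cmdline": "", "exe": None},
    {"pid": 4121, "ppid": 1, "comm": "bioset", "cmdline": "/tmp/.x/bioset",
     "exe": "/tmp/.x/bioset"},  # user-space binary wearing a kernel-thread name
]
SAMPLE_LD_SO_PRELOAD = "# constructed sample\n/tmp/.x/libhide.so\n"


def run_checks() -> dict:
    """Run every check over the sample data and return the findings."""
    return {
        "weak_kubelet": kubelet_findings(WEAK_KUBELET_CFG),
        "hardened_kubelet": kubelet_findings(HARDENED_KUBELET_CFG),
        "masquerading_pids": masquerading_kernel_threads(SAMPLE_PROCS),
        "preloaded": preload_libraries(SAMPLE_LD_SO_PRELOAD, {}),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, "->", result)
```

On a live node the same functions would be fed the parsed `/var/lib/kubelet/config.yaml`, a walk of `/proc`, and the contents of `/etc/ld.so.preload` plus each process's `/proc/PID/environ`; the parent-PID rule is the cheapest of the three signals, because a user-space binary can choose its name but cannot make kthreadd its parent.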
“We have good reason to believe that the group will soon launch a wide-scale attack. The malware could use computing resources in Kubernetes environments for covert mining and potentially exfiltrate sensitive data from thousands of applications in clusters,” Unit 42 noted.
The malware is currently mining at about 25.05 kH/s, and the attackers' wallet holds 11 XMR (over $1,600 at the time of writing).
The Unit 42 team attributes the scripts to TeamTNT, the group behind a covert Monero-mining botnet that infected millions of IP addresses and a worm that steals Amazon Web Services credentials.
Earlier, the Rocke group used the Pro-Ocean malware to mine cryptocurrency covertly on cloud servers running outdated Apache ActiveMQ, Oracle WebLogic and Redis instances.