Cryptominers Are Using Hildegard Malware to Target Kubernetes Clusters

essidsolutions

Palo Alto Networks unearthed a new cyberattack infrastructure which is being used to target Kubernetes clusters as part of a new attack campaign for cryptojacking.

Palo Alto Networks has discovered and profiled a new malicious campaign based on a malware strain that targets Kubernetes clusters. The new malware — dubbed Hildegard — covertly compromises Kubernetes environments and connected cloud resources to carry out cryptojacking.

Security researchers at Unit 42, the Santa Clara-based company’s threat intelligence arm, discovered the sophisticated campaign, whose tactics, techniques, and procedures (TTPs) indicate that TeamTNT is behind it. This is the first time TeamTNT, best known for using a crypto-mining worm to steal AWS credentials, has gone after Kubernetes environments.

According to Unit 42 researchers Jay Chen, Aviv Sasson, and Ariel Zelivansky, while no significant attacks have been detected so far, this may just be a precursor to something sinister. “There has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponization stage. However, knowing this malware’s capabilities and target environments, we have good reason to believe that the group will soon launch a large-scale attack,” they warned in a blog post.

Hildegard Malware

Going by Unit 42’s research, Hildegard is stealthier than other TeamTNT malware for three reasons:

  • It encrypts its malicious payload inside a binary to throw off automated static analysis
  • It can be disguised as a legitimate Linux process by using a known Linux process name (bioset)
  • It hides malicious processes using a library injection technique based on LD_PRELOAD
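The two host-observable traits in that list (a user-space binary borrowing a kernel thread's name, and process hiding through LD_PRELOAD) can be checked from the defender's side. The script below is an added example, not Palo Alto Networks or Unit 42 code; the process records and the /etc/ld.so.preload contents are constructed sample data, and `Proc`, `KERNEL_THREAD_NAMES`, `ld_preload_entries` and `flag_processes` are this example's own names. The heuristic relies on two documented Linux facts: a genuine kernel thread is a child of kthreadd (PID 2) and has an empty /proc/PID/cmdline.

```python
"""Host-side heuristics for the stealth tricks described above.

Added example, not Palo Alto Networks / Unit 42 code. All process records
and the /etc/ld.so.preload contents below are constructed sample data.
"""
from dataclasses import dataclass, field

# Names that belong to kernel threads on a normal Linux host. A real kernel
# thread is a child of kthreadd (PID 2) and has an empty /proc/<pid>/cmdline;
# a user-space binary merely *named* bioset has neither property.
KERNEL_THREAD_NAMES = {"bioset", "kworker", "ksoftirqd", "kswapd"}


@dataclass
class Proc:
    """Subset of what /proc/<pid>/{stat,comm,cmdline,environ} provide."""
    pid: int
    ppid: int
    comm: str                      # /proc/<pid>/comm (15 chars max)
    cmdline: str                   # empty string for kernel threads
    environ: dict = field(default_factory=dict)


def ld_preload_entries(preload_text: str) -> list[str]:
    """Return every library listed in /etc/ld.so.preload.

    The file is normally absent or empty; any entry is injected into every
    dynamically linked process on the host and deserves review.
    """
    entries = []
    for line in preload_text.splitlines():
        path = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if path:
            entries.append(path)
    return entries


def flag_processes(procs: list[Proc]) -> list[tuple[int, str]]:
    """Return (pid, reason) pairs for processes matching a stealth heuristic."""
    findings = []
    for p in procs:
        base = p.comm.split("/")[0]            # "kworker/0:1" -> "kworker"
        if base in KERNEL_THREAD_NAMES and (p.ppid != 2 or p.cmdline):
            findings.append((p.pid, f"user-space process using kernel thread name {p.comm!r}"))
        if "LD_PRELOAD" in p.environ:
            findings.append((p.pid, f"LD_PRELOAD={p.environ['LD_PRELOAD']!r} in environment"))
    return findings


# Constructed sample data: one genuine kernel thread, one impostor, one
# process started with LD_PRELOAD set, and one ordinary daemon.
SAMPLE_PROCS = [
    Proc(33, 2, "bioset", ""),
    Proc(4242, 1, "bioset", "/tmp/bioset", {"PATH": "/usr/bin"}),
    Proc(5150, 1, "sshd", "/usr/sbin/sshd -D", {"LD_PRELOAD": "/usr/local/lib/libsystem.so"}),
    Proc(900, 1, "cron", "/usr/sbin/cron -f"),
]
SAMPLE_PRELOAD = "# constructed sample file\n/usr/local/lib/libsystem.so\n"

if __name__ == "__main__":
    for entry in ld_preload_entries(SAMPLE_PRELOAD):
        print(f"/etc/ld.so.preload loads {entry}")
    for pid, reason in flag_processes(SAMPLE_PROCS):
        print(f"pid {pid}: {reason}")
```

One caveat follows from the technique itself: a preloaded library that hooks directory listing would also filter what a dynamically linked Python interpreter sees under /proc on the infected host, so collect the process data from a clean environment (a statically linked tool, or from the node rather than from inside a suspect container) before feeding it to these checks.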

Hildegard scans for unsecured kubelets in the internal network, searches for containers in different nodes, and uses two methods of communicating with the command and control (C2) server: a reverse shell based on tmate (a terminal-sharing tool) and an Internet Relay Chat (IRC) channel.

The malware also searches for host credential files, queries the metadata service for cloud-specific credentials, and sends the identified credentials back to the C2. These include cloud access keys, cloud access tokens, SSH keys, Docker credentials, and Kubernetes service tokens. Besides credentials, it also relays the host OS, CPU, and memory information.

“This is also the most feature-rich malware we have seen from TeamTNT so far. In particular, the threat actor has developed more sophisticated tactics for initial access, execution, defense evasion and C2,” the researchers added.

Infrastructure for the malware is relatively new and has been active for a month. Palo Alto researchers said that the C2 domain borg[.]wtf was registered on Dec. 24, 2020, while the IRC server went online on Jan. 9, 2021.


The Campaign

The security researchers originally discovered the campaign when they found anonymous actors infiltrating a Kubernetes cluster through a misconfigured kubelet. The kubelet is the primary node agent that runs on each node and ensures that the containers described in pod specifications are running.

The initial compromise is followed by lateral movement across containers to maximize infection in containers across the first node. The attackers first search for containers, execute code remotely, and establish a reverse shell by leveraging tmate. The focus then shifts to scanning the Kubernetes internal network to find more unsecured kubelets in other Kubernetes nodes. Thus, threat actors gain control of computing resources, which are ultimately used for cryptojacking.
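Since the entry point and the lateral movement both depend on kubelets that accept unauthenticated or unauthorized API requests, the settings a defender wants to audit on each node are the kubelet's anonymous authentication, its authorization mode, and its read-only port. The script below is an added example, not Palo Alto Networks or Unit 42 code; the two command lines are constructed, and `parse_kubelet_flags` and `audit_kubelet` are this example's own names. The flag names are real kubelet flags; the defaults quoted in the comments are the documented flag defaults, but a KubeletConfiguration file passed via `--config` can override them, so a flag that is absent from the command line is reported for follow-up rather than assumed safe.

```python
"""Audit a kubelet command line for the exposure the campaign abused.

Added example, not Palo Alto Networks / Unit 42 code. Both command lines
below are constructed. Defaults mentioned in comments are the documented
kubelet flag defaults; a KubeletConfiguration file (--config) may override
them, so a missing flag is reported for verification rather than ignored.
"""
import shlex


def parse_kubelet_flags(cmdline: str) -> dict[str, str]:
    """Turn '--k=v', '--k v' and bare '--k' into a dict; later flags win."""
    args = shlex.split(cmdline)
    flags: dict[str, str] = {}
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, value = arg[2:].split("=", 1)
            elif i + 1 < len(args) and not args[i + 1].startswith("--"):
                key, value = arg[2:], args[i + 1]
                i += 1
            else:
                key, value = arg[2:], "true"     # boolean flag given without a value
            flags[key] = value
        i += 1
    return flags


def audit_kubelet(cmdline: str) -> list[str]:
    """Return findings about unauthenticated or unauthorized kubelet API access."""
    flags = parse_kubelet_flags(cmdline)
    findings = []

    anon = flags.get("anonymous-auth")
    if anon is None:
        findings.append("anonymous-auth not on command line (flag default is true; verify the KubeletConfiguration file)")
    elif anon.lower() == "true":
        findings.append("anonymous-auth=true: unauthenticated clients can reach the kubelet API")

    authz = flags.get("authorization-mode")
    if authz is None:
        findings.append("authorization-mode not on command line (flag default is AlwaysAllow; verify the KubeletConfiguration file)")
    elif authz == "AlwaysAllow":
        findings.append("authorization-mode=AlwaysAllow: every request that passes authentication is permitted, including the exec endpoint")

    ro_port = flags.get("read-only-port")
    if ro_port is None:
        findings.append("read-only-port not on command line (flag default is 10255; verify the KubeletConfiguration file)")
    elif ro_port != "0":
        findings.append(f"read-only-port={ro_port}: unauthenticated read-only API exposes pod and node details")

    return findings


# Constructed command lines: the weak one resembles the misconfiguration the
# campaign looked for, the hardened one closes all three findings.
WEAK_CMDLINE = (
    "/usr/bin/kubelet --anonymous-auth=true --authorization-mode=AlwaysAllow "
    "--read-only-port=10255 --config /var/lib/kubelet/config.yaml"
)
HARDENED_CMDLINE = (
    "/usr/bin/kubelet --anonymous-auth=false --authorization-mode=Webhook "
    "--read-only-port=0 --client-ca-file=/etc/kubernetes/pki/ca.crt"
)

if __name__ == "__main__":
    for name, cmd in (("weak", WEAK_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(f"[{name}] {len(audit_kubelet(cmd))} finding(s)")
        for f in audit_kubelet(cmd):
            print("  -", f)
```

In practice the command line comes from the node's process listing and, when `--config` is present, the referenced YAML file has to be inspected as well; `authentication.anonymous.enabled`, `authorization.mode` and `readOnlyPort` are the corresponding KubeletConfiguration fields. With anonymous access off and Webhook authorization on, the kubelet defers each request to the API server's RBAC, which is what stops an unauthenticated scanner on the internal network from listing pods or executing commands in containers.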

Attacker, Malware Movement | Source: Palo Alto Networks

Cryptojacking is the unauthorized mining of cryptocurrency – Monero in this particular case – using the victim’s compute resources without the victim’s knowledge. So far, TeamTNT has mined 11 XMR, amounting to $1,500, using hacked Kubernetes resources.

A Kubernetes cluster, which runs on multiple hosts and has a batch of nodes for running various applications, has far more compute resources than a single Docker engine running on a single host. And since crypto mining is a compute-intensive process, that explains why TeamTNT is now going after Kubernetes: profit.

“The cryptojacking operation can quickly drain the entire system’s resources and disrupt every application in the cluster,” added Palo Alto researchers. Bottom line: resources dedicated to running applications on physical or virtual machines may be hijacked, leaving those applications effectively under a denial of service (DoS) attack.

Besides cryptojacking and the resultant disruption of normal operations, this technique can also enable data exfiltration from thousands of applications running in the clusters.
