After becoming a scourge inside browsers, on desktops, and on servers, cryptocurrency-mining malware is now invading the cloud, and it appears to be quite successful.

Several reports during the past month suggest malware authors are now actively looking to gain access to Docker and Kubernetes systems, two types of applications that are the basic building blocks of many of today’s cloud computing services.

The role of these two tools is to help developers roll out containerized/virtualized apps or even entire server setups whenever a company’s infrastructure needs more processing power to handle traffic spikes or extra computing tasks.

As such, if a hacker manages to gain access to these systems, they not only have the keys to a company’s entire kingdom but also access to vast computational power.

And based on recent reports, it appears that a vast majority of these recent hacks of cloud infrastructure are now focusing on using this enormous computational power to mine cryptocurrency for the attackers.

Attacks on cloud systems amped up with the new year

The first such attacks targeting Kubernets and Docker instances were detected at the start of the year by Sysdig researchers. Exposers observed attacks against honeypot servers where miscreants would take over a Kubernetes instance and attempt to deploy Docker containers inside which they tried to mine Monero.

Similar honeypot logs were later reported by experts from Aqua Security, who reported attacks against lone Docker instances, during which hackers also tried to mine Monero.

Of course, we cannot forget about the Tesla Motors incident when RedLock security experts found a compromised Tesla-owned Kubernetes cluster that was being used to mine Monero for attackers. Tesla said that hackers didn’t take anything from its servers, and were solely focused on cryptocurrency mining.

Some attacks happening because of a known Kubernetes issue

In most cases, attacks happen because administrators use weak or easy-to-brute-force passwords that give attackers a foothold on compromised machines.

But it’s not always so. For example, a recent report from Alexander Urcioli, Senior Security Engineer at Handy HQ, explains that some of these attacks also occur because of Kubernetes’ complicated configuration options.

While investigating a compromise of a coworker’s Kubernetes instance, Urcioli discovered that attackers ran commands on [Kubernetes] instances without authenticating, something that should not have been possible.

He tracked the behavior to a Kubernetes config that would allow an unauthenticated user to send API commands to a Kubernetes kubelet. If the kubelet was exposed online, hackers only had to query the endpoint to inject the entire cluster with miners.

« If your users have network access to your nodes, then the kubelet API is a full featured unauthenticated API backdoor to your cluster, » said Urcioli, also pointing out that users had reported this authentication loophole issue way back in 2014 and 2015.

Attacks ongoing. Part of a bigger trend!

And attacks aren’t stopping. Just today, security researcher Robbie Wiggins spotted a cluster of 48 nodes where two hackers were fighting over server resources.

All in all, these attacks are just part of a bigger picture that started to take shape last year when ransomware operations slowed down, and crooks migrated towards cryptocurrency mining.

Past campaigns targeted almost any known type of technology (databases, browsers, CMSs, CRMs, etc.), and it was to be expected that at one point or another, hackers would look toward the cloud for running hidden cryptocurrency mining scripts.