Misconfigured Argo Workflows Instances Used to Deploy Cryptominers

Cybercriminals are taking advantage of misconfigured Argo Workflows instances to deploy cryptominers. Argo Workflows is one of the most widely used workflow execution engines for Kubernetes.

What has happened?

A recent report from Intezer security researchers exposed a new attack that targets misconfigured Argo Workflows instances and uses their resources for financial gain. The researchers found nodes that had been infected as a result of this attack.
  • Attackers scan the internet to gain access to clusters via exposed Argo dashboards and eventually deploy their own dangerous workflows, along with Monero miner containers.
  • Some of these containers, such as kannix/monero-miner, mine Monero using the XMRig CPU/GPU miner. The kannix/monero-miner container is defunct and no longer available on Docker Hub.
  • However, attackers can choose from a few other containers that mine Monero using the CPU/GPU.
  • In addition to this, researchers have discovered several misconfigured Argo Workflows instances related to organizations from various sectors, such as logistics, finance, and technology.
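
For defenders, the pattern described above (a workflow whose template runs a miner image) can be hunted for in the cluster's own Workflow objects. The following is an added example, not code from Intezer or the Argo project; the indicator list uses only the image and miner named in this article, and the sample workflows, namespaces and the `registry.example` image are constructed.

```python
import json

# Indicators from the article: the image it names and the miner that image runs.
# Substring match, case-insensitive; extend with your own deny list.
SUSPICIOUS = ("kannix/monero-miner", "xmrig")

def template_containers(template):
    """Yield every container spec an Argo Workflows template can carry."""
    for key in ("container", "script"):
        if template.get(key):
            yield template[key]
    yield from (template.get("containerSet") or {}).get("containers") or []
    yield from template.get("initContainers") or []
    yield from template.get("sidecars") or []

def find_miner_workflows(workflow_list):
    """Return (namespace, workflow, template, image) for each suspicious container."""
    hits = []
    for wf in workflow_list.get("items", []):
        meta = wf.get("metadata", {})
        for tmpl in wf.get("spec", {}).get("templates") or []:
            for c in template_containers(tmpl):
                # Inspect command/args too: a generic image can still launch a miner.
                words = [c.get("image", ""), *(c.get("command") or []), *(c.get("args") or [])]
                text = " ".join(words).lower()
                if any(s in text for s in SUSPICIOUS):
                    hits.append((meta.get("namespace"), meta.get("name"),
                                 tmpl.get("name"), c.get("image")))
    return hits

# Constructed sample shaped like `kubectl get workflows -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "ci", "name": "build-1"},
   "spec": {"templates": [
     {"name": "compile", "container": {"image": "golang:1.21", "command": ["go", "build"]}}]}},
  {"metadata": {"namespace": "argo", "name": "wf-a"},
   "spec": {"templates": [
     {"name": "main", "container": {"image": "kannix/monero-miner:latest"}}]}},
  {"metadata": {"namespace": "argo", "name": "wf-b"},
   "spec": {"templates": [
     {"name": "job", "container": {"image": "alpine:3.19", "command": ["sleep", "60"]},
      "sidecars": [{"name": "helper", "image": "registry.example/tools/xmrig:6"}]}]}}
]}
""")

if __name__ == "__main__":
    for hit in find_miner_workflows(SAMPLE):
        print("suspicious workflow container:", *hit)
```

Workflows that reference a WorkflowTemplate keep their container specs in that object, so the same scan should be run over those as well. A deny list only catches known images; an allow list of approved registries is the stronger control.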

Additional insights

Argo Workflows is a container-native workflow engine that runs on the popular Kubernetes engine. Misconfigurations in this popular open-source product can lead to several security issues.
  • According to the researchers, Argo Workflows instances with misconfigured permissions can allow attackers to execute unauthorized code on the victim's system.
  • The exposed instances can include sensitive information, such as code, credentials, and names of the private container images. This information can be used in further attacks.

Conclusion

The recent cryptominer attacks are worrying because there are hundreds of misconfigured deployments exposed on different servers. Apart from dropping dangerous cryptominers, such attacks drain computing resources and wipe out the entire cost advantage behind the adoption of such technologies.

Cyware Publisher
