The cybersecurity experts at Intezer have recently detected a cyberattack, and soon after detecting they have warned that the threat actors of this attack are using the Argo Workflows engine to start attacks on Kubernetes clusters to easily deploy crypto miners.
After detecting the cyberattack, the researchers started their deep investigation, and they found a number of vulnerable receptacles which are specifically used by organizations that deal with the following sectors:-
- Technology sector
- Financial sector
- Logistics sector
Hackers abused Argo
Argo Workflows is an open-source containerized workflow engine that generally serves with Kubernetes, and it enables users to efficiently control parallel jobs from a convenient interface.
Nowadays the threat actors are targetting Argo because it keeps a huge number of users connected. Argo Workflows utilizes YAML files to determine the type of work that is to be performed.
According to the experts of Interzer report, whenever the permissions are misconfigured then it becomes a convenient opportunity for the threat actors and they easily utilize this chance to get access to an open Argo dashboard and implement their own workflow.
However, during the investigation, it also came out that the threat actors of this attack have also deployed a popular cryptocurrency mining container, kannix/monero miner.
A new attack vector that is already used in the wild
The threat actors are already taking advantage of the new vector, and it has also been detected that several operators are dropping crypto miners and are using this attack vector.
However, the experts claim that the hackers easily gain access to this kind of cluster through Internet-exposed Argo dashboards.
Once they gain access, soon they deploy their own malicious workflows simply by using different Monero miner containers, which also involves kannix/monero-miner, a deceased container that generally mines Monero utilizing the XMRig CPU/GPU miner.
Mitigation Proposal
The analysts of Intezer pronounced that if any users want to check whether they are misconfigured or not, well in that case they simply try accessing the Argo Workflows dashboard from any unauthenticated incognito browser that is present outside the corporate setting.
Apart from this, there is another way to check, that is to put a query the API of the user instance and verify the status code. There is no specific method that will help to bypass this kind of attack, but the experts have asserted that methodologies like the principle of least privilege (PoLP) should be embraced.
