Kubernetes clusters used for cryptocurrency mining are being targeted in the wild by a new form of malware. Details of this were released by security researchers at Palo Alto Networks’ Unit 42. The malware has been named Hildegard and was first detected in January. It is believed that the TeamTNT hacker group designed it.
Hildegard targets Kubernetes clusters using a misconfigured kubelet (the primary node agent running on each Kubernetes node). After gaining access, the malware tries to spread to as many containers as possible before launching its cryptojacking capabilities.
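An added example, not code from the article or from Unit 42: assuming the kubelet misconfiguration is the usual one (the kubelet API answering unauthenticated requests), this Python checker reads a KubeletConfiguration file in its JSON form (two constructed samples are embedded) and flags the settings a defender should correct on every node.

```python
import json

# Constructed sample: a KubeletConfiguration (JSON form) with the weak settings
WEAK_KUBELET_CONFIG = json.loads("""
{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {"anonymous": {"enabled": true}, "webhook": {"enabled": false}},
  "authorization": {"mode": "AlwaysAllow"},
  "readOnlyPort": 10255
}
""")

# Constructed sample: the same file with the values a hardened node should carry
HARDENED_KUBELET_CONFIG = json.loads("""
{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {"anonymous": {"enabled": false}, "webhook": {"enabled": true}},
  "authorization": {"mode": "Webhook"},
  "readOnlyPort": 0
}
""")


def audit_kubelet(cfg):
    """Return a list of findings for settings that expose the kubelet API.

    Missing keys are treated as the v1beta1 config-file defaults (anonymous
    off, webhook off, authorization AlwaysAllow, read-only port disabled).
    """
    findings = []
    auth = cfg.get("authentication", {})
    if auth.get("anonymous", {}).get("enabled", False):
        findings.append("authentication.anonymous.enabled is true: unauthenticated "
                        "callers can reach the kubelet API")
    if not auth.get("webhook", {}).get("enabled", False):
        findings.append("authentication.webhook.enabled is false: bearer tokens are "
                        "not validated against the API server")
    if cfg.get("authorization", {}).get("mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow: every accepted request "
                        "is permitted, including exec into pods")
    if cfg.get("readOnlyPort", 0) != 0:
        findings.append("readOnlyPort %d is open: pod and node metadata are served "
                        "without authentication" % cfg["readOnlyPort"])
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_KUBELET_CONFIG), ("hardened", HARDENED_KUBELET_CONFIG)):
        print(name, audit_kubelet(cfg) or ["no findings"])
```

The same checks apply to a kubelet started with command-line flags instead of a config file; read the flags from the unit file in that case.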
TeamTNT probably did this
Cryptojacking is the unauthorized use of compromised networks or servers to mine cryptocurrency. The malware reuses many of the tools and domains that TeamTNT used in earlier campaigns.
It also has new capabilities that make it harder to detect and that improve its persistence. In one example, Hildegard used two different methods to reach its command-and-control server, and it imitates a Linux process name to disguise itself while communicating.
TeamTNT was last prominently visible in January, with a botnet-driven campaign that targeted Docker application programming interfaces and AWS (Amazon Web Services) credentials.
The style of attack
Tal Morgenstern, the co-founder and chief product officer at Vulcan Cyber, said that in this complex attack, the hackers are using misconfigurations and known vulnerabilities. DevOps and IT teams have to learn to coordinate with each other in the security domain to put remediation first.
Jack Mannino, the CEO at nVisium, an app security provider, notes that, given the combination of weaknesses in access control and isolation, this style of attack is a sensible way for hackers to gain access to a cluster where they can establish command and control.