Threat Actors Taking Advantage of Unsecured Kubernetes Clusters for Cryptocurrency Mining

In a troubling development for cybersecurity professionals, threat actors are increasingly targeting unsecured Kubernetes clusters to deploy cryptocurrency mining operations, leveraging the computational resources of victim organizations without their knowledge.

These attacks exploit vulnerabilities in containerized environments, particularly focusing on misconfigurations and weak authentication mechanisms that allow unauthorized access to Kubernetes infrastructure.

The attacks typically begin with credential compromise through password spray techniques, followed by the creation of unauthorized resource groups and container deployments.


Once threat actors gain access to a Kubernetes cluster, they can deploy numerous containers dedicated to cryptomining activities, effectively converting an organization’s computational resources into profit-generating assets for the attackers.

A particularly concerning case emerged over the past year where attackers employed sophisticated password spray attacks against cloud tenants in the education sector.

The attacks involved the use of a command-line tool called AzureChecker.exe, which connected to malicious domains to download AES-encrypted data containing target information for the password spray operation.

Microsoft researchers identified a threat group tracked as Storm-1977 behind these attacks.

Upon analyzing the attack methodology, Microsoft Threat Intelligence observed that the tool accepted a file named accounts.txt containing username and password combinations as input, which was then used against target tenants for validation.

In one documented incident, researchers witnessed a successful account compromise where the threat actor leveraged a guest account to create a resource group within the compromised subscription.

Following initial access, the attacker proceeded to create more than 200 containers within the resource group and configured them specifically for cryptocurrency mining operations.

Attack Detection Through Kubernetes Auditing

A crucial element in detecting these cryptomining operations is understanding the distinctive patterns that appear in Kubernetes audit logs.

When threat actors deploy their mining infrastructure, they often require privileged access, which creates identifiable signatures in the cluster’s audit trail.

Security teams can implement specific hunting queries to identify suspicious activities such as privileged pod deployments.

For example, the following query can detect the creation of privileged containers, a common requirement for cryptomining operations:

CloudAuditEvents
| where Timestamp > ago(1d)
| where DataSource == "Azure Kubernetes Service"
| where OperationName == "create"
| where RawEventData.ObjectRef.resource == "pods"
| where RawEventData.ResponseStatus.code startswith "20"
| extend PodName = RawEventData.RequestObject.metadata.name
| extend PodNamespace = RawEventData.ObjectRef.namespace
| mv-expand Container = RawEventData.RequestObject.spec.containers
| extend ContainerName = Container.name
| where Container.securityContext.privileged == "true"

Attacks against Kubernetes environments (Source – Microsoft)

The attack paths against Kubernetes environments show how threat actors progress from initial access to cryptocurrency mining deployment.
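The same filter the query above applies, written here as an added example in Python against raw Kubernetes API server audit events in JSON-lines form (this is not code from the article or from Microsoft, and the sample events are constructed). It goes slightly beyond the query by also checking initContainers, which can be privileged just as well.

```python
import json

# Constructed sample Kubernetes audit events (JSON lines), not real log data.
# Event 1: successful create of a privileged pod  -> should be flagged
# Event 2: successful create of a normal pod      -> ignored
# Event 3: privileged pod create that was denied  -> ignored (non-2xx)
# Event 4: a read, not a create                   -> ignored
SAMPLE_AUDIT_LOG = """
{"stage":"ResponseComplete","verb":"create","objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":201},"requestObject":{"metadata":{"name":"miner-7f2"},"spec":{"containers":[{"name":"worker","securityContext":{"privileged":true}}]}}}
{"stage":"ResponseComplete","verb":"create","objectRef":{"resource":"pods","namespace":"web"},"responseStatus":{"code":201},"requestObject":{"metadata":{"name":"nginx-1"},"spec":{"containers":[{"name":"nginx"}]}}}
{"stage":"ResponseComplete","verb":"create","objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":403},"requestObject":{"metadata":{"name":"miner-8a1"},"spec":{"containers":[{"name":"worker","securityContext":{"privileged":true}}]}}}
{"stage":"ResponseComplete","verb":"get","objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200}}
"""


def find_privileged_pod_creations(audit_log_text):
    """Return (namespace, pod, container) for every successful create of a
    pod that carries at least one privileged container."""
    hits = []
    for line in audit_log_text.strip().splitlines():
        event = json.loads(line)
        # Only the response stage carries the final status code.
        if event.get("stage") != "ResponseComplete":
            continue
        if event.get("verb") != "create":
            continue
        ref = event.get("objectRef", {})
        if ref.get("resource") != "pods":
            continue
        # Mirrors `ResponseStatus.code startswith "20"`: admitted requests only.
        code = event.get("responseStatus", {}).get("code", 0)
        if not 200 <= code < 300:
            continue
        req = event.get("requestObject", {})
        pod = req.get("metadata", {}).get("name", "<unknown>")
        spec = req.get("spec", {})
        # Init containers are checked too; the KQL query only expands spec.containers.
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            if c.get("securityContext", {}).get("privileged") is True:
                hits.append((ref.get("namespace", "<cluster>"), pod, c.get("name")))
    return hits


if __name__ == "__main__":
    for ns, pod, container in find_privileged_pod_creations(SAMPLE_AUDIT_LOG):
        print(f"privileged container '{container}' in pod {ns}/{pod}")
```

A privileged container is one signal among several; in practice this result set is joined with the creating identity and the pod image before an alert is raised.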

Organizations are advised to implement robust security measures including proper authentication controls, network traffic restrictions, and continuous monitoring of containerized environments to identify and mitigate these threats before they can establish cryptomining operations.


Tushar Subhra Dutta
Tushar is a cybersecurity content editor with a passion for creating captivating and informative content. With years of experience in cybersecurity, he covers cybersecurity news, technology and other news.