Cybercriminals are using a new method called RBAC Buster to create persistent backdoor accounts on Kubernetes clusters and use their resources for Monero crypto-mining.

The RBAC (Role-Based Access Control) system is used by admins to define which users or service accounts can access API resources and operations. By abusing RBAC, attackers can persist on compromised clusters even if the misconfiguration that provided initial access is fixed in the future.

The attack, called RBAC Buster, was discovered by Aqua Security’s research team and has been observed to be actively used to compromise 60 misconfigured Kubernetes clusters.

The attackers gain initial access by exploiting unauthenticated requests from anonymous users with privileges, and then they create a new ‘ClusterRole’ with near admin-level privileges and a ServiceAccount ‘kube-controller’ in the ‘kube-system’ namespace to gain persistence on the cluster.

Finally, they create a DaemonSet to deploy a Docker Hub-hosted container image (‘kuberntesio/kube-controller’) on all nodes and start mining Monero. The attack can result in unauthorized access, exposure of secrets, resource hijacking, and reputation damage.

Admins are urged to secure the API server, create and enforce strict API access policies, monitor audit logs, and encrypt any secrets and account credentials hosted in the cluster.

MITRE ATT&CK techniques

Initial Access Execution Persistence Defense Escalation Credential Access Discovery Impact
Exposed Sensitive Interfaces Deploy Daemonset Create ClusterRole Binding Masquerading List k8s Secrets Accese the Kubernetes API Server Resource Hijacking
Create ClusterRole Stop Competeing Campaigns List k8s Configmaps        
Images From a Public Registy List Pods