According to a warning from security vendor Intezer, cybercriminals have been exploiting Argo Workflows to attack Kubernetes deployments and install crypto-miners.
The Intezer team identified a number of exposed instances run by organizations in the technology, finance, and logistics sectors that let anyone submit workflows. In some cases, malicious actors have targeted these nodes to deploy crypto-miners.
Argo Workflows, an open-source workflow engine that runs on Kubernetes, lets users run parallel jobs easily from a central interface, reducing deployment complexity and leaving less room for error.
Argo uses YAML files to describe the type of work to be accomplished, with the workflows being performed either from a template or submitted directly using the Argo console.
According to Intezer, on the misconfigured instances malicious actors could access an open Argo dashboard and install their own workflow. In one of the observed attacks, the attacker deployed kannix/monero-miner, a known crypto-currency mining container that has since been removed from Docker Hub.
The container uses XMRig, which cybercriminals are abusing to run crypto-jacking operations, as it can be configured by simply changing the address of the crypto-wallet the mined coins should be deposited to.
“Another option is to query the API of your instance and check the status code. Make an HTTP GET request to [your.instance:port]/api/v1/info. A returned HTTP status code of “401 Unauthorized” while being an unauthenticated user will indicate a correctly configured instance, whereas a successful status code of “200 Success” could indicate that an unauthorized user is able to access the instance,” Intezer explained.
Users are also advised to check their Argo instances for any suspicious activity, and to ensure that no workflows have been running for an unusually long time, as this could indicate that a crypto-miner has been deployed in the cluster.
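The two checks Intezer describes above, the unauthenticated GET to /api/v1/info and the search for workflows that have been running for an unusually long time, as an added example (this is not code from Intezer or from the Argo project). The server address is a placeholder, and the WorkflowList shape (items[].metadata.name, items[].status.phase, items[].status.startedAt, as returned by GET /api/v1/workflows/{namespace}) and the sample workflow data are assumptions constructed for the example:

```python
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Placeholder address; replace with your own Argo server (assumption, not from the article).
ARGO_BASE_URL = "https://your.instance:2746"


def classify_info_status(status_code: int) -> str:
    """Map the status code of an unauthenticated GET /api/v1/info to a verdict.

    401 means the server demanded credentials (correctly configured);
    200 means an anonymous caller got a successful response (open instance).
    """
    if status_code == 401:
        return "auth-required"
    if status_code == 200:
        return "open"
    return "unknown"


def fetch_info_status(base_url: str, timeout: float = 5.0) -> int:
    """Perform the unauthenticated GET and return the HTTP status code.

    urllib raises HTTPError for 4xx/5xx responses, so the code is taken from the exception.
    No credentials or cookies are attached, which is the point of the check.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v1/info", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def long_running_workflows(workflow_list: dict, max_age: timedelta, now: datetime) -> list:
    """Return names of workflows in phase Running that started more than max_age ago.

    Assumes the WorkflowList shape of GET /api/v1/workflows/{namespace}:
    items[].metadata.name, items[].status.phase, items[].status.startedAt (RFC 3339, UTC).
    """
    flagged = []
    for item in workflow_list.get("items", []):
        status = item.get("status", {})
        if status.get("phase") != "Running":
            continue
        started = status.get("startedAt")
        if not started:
            continue
        started_at = datetime.fromisoformat(started.replace("Z", "+00:00"))
        if now - started_at > max_age:
            flagged.append(item["metadata"]["name"])
    return flagged


# Constructed sample WorkflowList and reference time; not real cluster output.
SAMPLE_WORKFLOWS = {
    "items": [
        {"metadata": {"name": "nightly-build-abc12"},
         "status": {"phase": "Succeeded", "startedAt": "2021-07-20T01:00:00Z"}},
        {"metadata": {"name": "etl-run-def34"},
         "status": {"phase": "Running", "startedAt": "2021-07-21T11:30:00Z"}},
        {"metadata": {"name": "suspect-run-xyz99"},
         "status": {"phase": "Running", "startedAt": "2021-07-14T03:00:00Z"}},
    ]
}
SAMPLE_NOW = datetime(2021, 7, 21, 12, 0, tzinfo=timezone.utc)


def check_sample() -> list:
    """Run the long-running check over the constructed sample with a 24-hour threshold."""
    return long_running_workflows(SAMPLE_WORKFLOWS, timedelta(hours=24), SAMPLE_NOW)


if __name__ == "__main__":
    try:
        code = fetch_info_status(ARGO_BASE_URL)
        print(f"GET /api/v1/info -> {code}: {classify_info_status(code)}")
    except urllib.error.URLError as err:
        print(f"could not reach {ARGO_BASE_URL}: {err}")
    print("workflows running longer than 24h:", check_sample())
```

Any verdict other than "auth-required" deserves a look: "open" is the misconfiguration Intezer describes, and "unknown" (for example a 403 or a redirect to a login page) means the instance is not behaving like a plain unauthenticated Argo API and should be inspected by hand. The workflow check needs an authenticated call in practice; here it is fed a constructed list so it runs offline.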