Microsoft has warned about an ongoing series of attacks targeting Kubernetes clusters running Kubeflow ML instances. These attacks are deploying malicious containers mining Monero and Ethereum. According to Microsoft, these attacks started at the end of May.
What’s the threat?
At the end of May, security researchers observed a sudden increase in TensorFlow ML pod deployments. Attackers were proactively scanning clusters and had a list of potential targets.
- The pods were genuine; however, the attackers tampered with them to mine cryptocurrency on the targeted Kubernetes clusters, deploying ML pipelines through the Kubeflow Pipelines platform.
- The attackers used internet-exposed Kubeflow dashboards to gain initial access to the clusters. This was followed by the deployment of cryptocurrency miners.
- Subsequently, they deployed two separate pods on each of the targeted clusters: one was used for GPU mining (Ethminer), and the other was used for CPU mining (XMRig).
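For defenders, a first-pass audit for the two signs described above (miner pods and externally reachable Kubeflow services), as an added example that is not from Microsoft's report. The namespaces `kubeflow` and `istio-system` are assumed to match a default Kubeflow install, and every pod and service in `SAMPLE` is constructed.

```python
import json
import sys

MINER_NAMES = ("ethminer", "xmrig")  # the two miners named in the article
EXTERNAL_TYPES = ("LoadBalancer", "NodePort")  # Service types reachable from outside
KUBEFLOW_NAMESPACES = ("kubeflow", "istio-system")  # assumption: default install layout

def pod_strings(pod):
    """Yield every image, command and argument string in a pod spec."""
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        yield c.get("image", "")
        yield from c.get("command") or []
        yield from c.get("args") or []

def audit(items):
    """Return (miner_pods, exposed_services), each a sorted list of 'namespace/name'."""
    miners, exposed = set(), set()
    for obj in items:
        meta = obj.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        if obj.get("kind") == "Pod":
            text = " ".join(pod_strings(obj)).lower()  # case-insensitive match
            if any(name in text for name in MINER_NAMES):
                miners.add(ref)
        elif obj.get("kind") == "Service":
            svc_type = obj.get("spec", {}).get("type", "ClusterIP")
            if svc_type in EXTERNAL_TYPES and meta.get("namespace") in KUBEFLOW_NAMESPACES:
                exposed.add(ref)
    return sorted(miners), sorted(exposed)

def _pod(ns, name, image, command=None, args=None):
    container = {"image": image, "command": command, "args": args}
    return {"kind": "Pod", "metadata": {"namespace": ns, "name": name},
            "spec": {"containers": [container]}}

def _svc(ns, name, svc_type):
    return {"kind": "Service", "metadata": {"namespace": ns, "name": name},
            "spec": {"type": svc_type}}

# Constructed sample objects (not taken from any real cluster).
SAMPLE = [
    _pod("kubeflow", "train-cpu", "tensorflow/tensorflow:latest", ["sh", "-c"], ["./XMRig"]),
    _pod("kubeflow", "train-gpu", "tensorflow/tensorflow:latest-gpu", ["/tmp/ethminer"]),
    _pod("kubeflow", "train-ok", "tensorflow/tensorflow:latest", ["python", "train.py"]),
    _svc("istio-system", "istio-ingressgateway", "LoadBalancer"),
    _svc("kubeflow", "ml-pipeline", "ClusterIP"),
]

if __name__ == "__main__":
    # Real use: kubectl get pods,svc -A -o json | python3 audit.py
    items = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    print(audit(items))
```

Matching on binary names only catches unrenamed miners, so a clean result here does not rule out mining; pair it with CPU/GPU usage alerts and a review of recently created pipeline runs.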