Content Deep Dive

Fishing for Miners – Cryptojacking Honeypots in Kubernetes

Blog post from Sysdig

Post Details

Company: Sysdig
Date Published: -
Author: Mark Stemm
Word Count: 2,612
Language: English
Hacker News Points: -
Summary

The blog post describes an experiment designed to observe how attackers exploit Kubernetes clusters: the authors set up a honeypot cluster with its API server port intentionally exposed to the internet. Sysdig Secure monitored the cluster for suspicious activity and detected two notable intrusions: a cryptojacking attempt and a second attack that deployed the Linux.BackDoor.Gates DDoS malware. The cryptojacking attacker tried to hijack the host's resources for Bitcoin mining by modifying the system's crontab file, but the attempt failed because the crontab entry was malformed. In the second attack, the intruder used shell access inside a container to run a program that tried to copy itself into system directories and persist across reboots. The detailed forensic data captured by Sysdig Secure and Sysdig Inspect allowed the researchers to reconstruct both attacks step by step and understand the attackers' methods, underscoring the need for robust security controls in containerized environments. The post concludes by recommending that the exposed Kubernetes instance be shut down to prevent further unauthorized access.