Illicit Crypto Miners Find a New Fave in Privacy Coin DeroCrowdStrike Finds Dero Cryptojacking Operations on Kubernetes Cluster
Threat actors who mine digital assets using other people's infrastructure found a lucrative new cryptocurrency to motivate their hacking: privacy-focused currency Dero.
The crypto crash of 2022 undercut the rewards of cryptojacking by between 50% and 90%, cybersecurity firm CrowdStrike said. Not so for Dero, "which offers larger rewards" to attract miners and provides cutting-edge anonymity features, making it a "perfect match" for attackers on the lookout for an illicit payday.
Hence what the cybersecurity firm said in research published Wednesday is the first-ever detected Dero cryptojacking operation. CrowdStrike said the operation has targeted Kubernetes infrastructure on three U.S.-based servers since February.
Cryptojacking is "always evolving," as adversaries learn how to monetize new cryptocurrencies and identify weaknesses in various attack surfaces, Manoj Ahuje, senior threat researcher for cloud security at CrowdStrike, told Information Security Media Group.
Bad actors have potentially deployed more than 4,000 miner instances during this campaign. It is tough to track funds in Dero wallets due to the cryptocurrency's privacy and anonymity features. Rather than resting on chronological blocks of transactions, Dero rests on a structure called a directed acyclic graph that's more akin to a tree with branches than a chain. The Dero white paper says transactions can't be followed "in a way that reveals who sent or received coins."
The campaign operators find and target exposed Kubernetes clusters that can be accessed anonymously through the application programing interface, along with nonstandard ports that can be accessed from the internet. A user with sufficient privilege can unintentionally expose a secure Kubernetes API on the host, allowing the threat actor to bypass authentication. The attacker then deploys a Kubernetes DaemonSet, which in turn deploys a malicious pod on each node of the Kubernetes cluster to allow the attacker to engage resources of all of the nodes at the same time. "The mining efforts by the pods are contributed back to a community pool, which distributes the reward, i.e., Dero coin, equally among its contributors through their digital wallet," CrowdStrike said.
In cryptojacking campaigns, the threat actors usually move laterally to attack other resources or scan the internet for discovery - steps that the latest Dero campaign does not follow post-compromise. The attackers also do not attempt to delete or disrupt the cluster operation but deploy a DaemonSet to mine Dero by masquerading as common Kubernetes log names.
"These focused behaviors seem to clarify the intent of this campaign, which is that the attackers are solely attempting to mine for Dero," CrowdStrike said.
The attack flow is nearly identical to that of a monero-focused campaign running in parallel to the Dero one. "Both campaigns are trying to find undiscovered Kubernetes attack surfaces and are battling it out," CrowdStrike said.
The monero campaign "kicks out the DaemonSets used for Dero cryptojacking in the Kubernetes cluster before taking it over," CrowdStrike said. The campaign focused on monero mining deliberately deletes existing DaemonSets to disrupt the Dero campaign before taking over the cluster and using the deployed resources for its own purposes.