- Customers affiliated to Microsoft’s Azure computer network misconfigured some nodes and allowed hackers to use them to mine Monero (XMR).
- Attacks affected 10 nodes of the Kubeflow learning machine that is part of the Azure network.
In a June 10 report, Microsoft revealed details about the discovery of a vulnerability that was exploited by attackers in its Azure computer network. The report was published by Yossi Weizman, a security research software engineer for the Azure Security Center (ASC). The vulnerability allowed attackers to use the Azure network, through the nodes of a learning machine called Kubeflow to mine Monero (XMR).
Kubeflow is a learning machine toolkit for the Kubernetes platform. Microsoft claims that Kubeflow has gained popularity and because of its computational power, it has become a target for cyber attacks:
Kubeflow has grown and become a popular framework for running machine learning tasks in Kubernetes. Nodes that are used for ML tasks are often relatively powerful, and in some cases include GPUs. This fact makes Kubernetes clusters that are used for ML tasks a perfect target for crypto mining campaigns, which was the aim of this attack.
Misconfigured nodes allowed hacker to mine Monero (XMR)
The Azure Security Center was able to determine that the access vector of the attack was the Kubeflow framework. The ASC discovered a suspicious image in a data repository within clusters of the learning machine. This image was running the XMRIG miner, as seen below.
According to ASC, the framework of the Kubeflow learning machine is made up of several services including: framework for training models, Katib and Jupyter servers, among others. Users of the virtual machine access these services through an internal dashboard from the Kubeflow node. The configuration of the dashboard can be changed for the user’s convenience, as was the case with this attack according to the Azure Security Center. However, this configuration allowed the nodes to be exposed to the internet and left them susceptible to attacks:
Users should use port-forward to access the dashboard (which tunnels the traffic via the Kubernetes API server). (…) without this action, accessing to the dashboard requires tunneling through the Kubernetes API server and isn’t direct. By exposing the Service to the Internet, users can access to the dashboard directly. However, this operation enables insecure access to the Kubeflow dashboard, which allows anyone to perform operations in Kubeflow, including deploying new containers in the cluster.
This way attackers can access Kubeflow’s dashboard and can deploy a malicious backdoor container. Using this method, attackers can upload a malicious image like the one shown above to the Jupyter notebook server to mine Monero. The Azure Security Center made a number of recommendations to prevent these attacks and invited its users to review the security aspects when using Kubeflow.
As reported by CNF, Monero is one of the preferred cryptocurrencies for these attacks. Due to its characteristics the identity of the attackers is protected. In May, a series of reports from recognized scientific institutions, such as the National Supercomputing Service of the United Kingdom, revealed that attackers used the computer power of their supercomputers to mine Monero. Among the countries affected were the United Kingdom, Germany, Switzerland and Spain.