New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining

March 15, 2023 | Ravie Lakshmanan | Server Security / Cryptocurrency


Cybersecurity researchers have uncovered the first known illicit cryptocurrency mining campaign used to mint Dero, observed since February 2023.

In a new report shared with The Hacker News, CrowdStrike states, “The new Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on the Kubernetes API and listening on non-standard ports accessible from the internet.”

This development marks a notable shift away from Monero, the cryptocurrency typically used in such campaigns. The change is suspected to be related to the fact that Dero “offers greater rewards and offers equal or better anonymization capabilities.”

The attack, attributed to an unknown financially motivated actor, begins by scanning for Kubernetes clusters whose API server runs with `--anonymous-auth=true`. This setting allows unauthenticated requests to the API server, which the attacker uses to drop the initial payload from three different US-based IP addresses.

This involves deploying a Kubernetes DaemonSet named ‘proxy-api’. It is used to drop malicious pods onto each node of the Kubernetes cluster to initiate mining activity.


To that end, the DaemonSet’s YAML file is configured to run a Docker image containing a “pause” binary, which is actually a Dero coin miner.

“In a legitimate Kubernetes deployment, the ‘pause’ container is used by Kubernetes to bootstrap the pods,” the company said. “Attackers may have used this name to slip in and avoid obvious detection.”
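As an added example (not code from CrowdStrike’s report or from The Hacker News), here is a defender-side triage script that reads the JSON produced by `kubectl get daemonsets -A -o json` and flags the two indicators described above: a DaemonSet named `proxy-api`, and a pause-named container declared as an ordinary workload. The embedded sample manifests, the registry allow-list and the `example.invalid` image name are constructed assumptions.

```python
import json

# Constructed sample of `kubectl get daemonsets -A -o json` output: one normal
# kube-proxy DaemonSet and one that mimics the campaign's 'proxy-api' DaemonSet.
SAMPLE_JSON = """
{"items": [
  {"metadata": {"namespace": "kube-system", "name": "kube-proxy"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.26.0"}]}}}},
  {"metadata": {"namespace": "default", "name": "proxy-api"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "pause", "image": "example.invalid/pause:latest",
      "command": ["/pause"]}]}}}}
]}
"""

# Assumed allow-list: where a legitimate pause image normally comes from.
LEGIT_PAUSE_PREFIXES = ("registry.k8s.io/pause", "k8s.gcr.io/pause")
CAMPAIGN_DS_NAMES = {"proxy-api"}      # DaemonSet name reported for the campaign
SYSTEM_NAMESPACES = {"kube-system"}


def inspect_daemonsets(doc):
    """Return (namespace, name, reason) triples for DaemonSets worth triage."""
    findings = []
    for item in doc.get("items", []):
        meta = item["metadata"]
        ns, name = meta.get("namespace", "default"), meta["name"]
        if name in CAMPAIGN_DS_NAMES:
            findings.append((ns, name, "DaemonSet name matches reported campaign"))
        for c in item["spec"]["template"]["spec"].get("containers", []):
            image = c.get("image", "")
            argv = " ".join(c.get("command", []) + c.get("args", []))
            # The real pause container is injected by the kubelet, never listed
            # in a DaemonSet spec; a pause-named container here, outside
            # kube-system or from a non-standard registry, is the masquerade.
            pause_like = "pause" in image or "pause" in argv
            expected = image.startswith(LEGIT_PAUSE_PREFIXES) and ns in SYSTEM_NAMESPACES
            if pause_like and not expected:
                findings.append((ns, name, f"pause-named container from {image}"))
    return findings


def scan(json_text):
    """Parse kubectl JSON output and return the findings list."""
    return inspect_daemonsets(json.loads(json_text))


if __name__ == "__main__":
    for ns, name, reason in scan(SAMPLE_JSON):
        print(f"{ns}/{name}: {reason}")
```

Pipe real `kubectl` output into `scan()` to run the same checks against a live cluster; a hit on either indicator is a starting point for triage, not proof of compromise by itself.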


The cybersecurity firm said it identified a parallel Monero mining campaign that also targeted exposed Kubernetes clusters by attempting to remove an existing “proxy-api” DaemonSet associated with the Dero campaign.

This reflects an ongoing battle between cryptojacking groups vying for cloud resources, each trying to gain and keep control of the machine and consume all of its resources.

CrowdStrike threat researchers Benjamin Grap and Manoj Ahuje said:
