Advisory Details How to Defend Container Tech from Crypto Miners

U.S. cybersecurity agencies are following up on a warning of active Kubernetes exploitation by the Russian government with lengthy specifics on how to mitigate such cyberattacks, including from those trying to suck up victim resources to mine cryptocurrency.

Kubernetes is an open-source, cloud-based system used to manage applications by packing everything needed to run them in an easily deployable image format referred to as a container. 

“While data theft is traditionally the primary motivation, cyber actors seeking computational power (often for cryptocurrency mining) are also drawn to Kubernetes to harness the underlying infrastructure,” reads an advisory the National Security Agency and Cybersecurity and Infrastructure Security Agency issued Tuesday. “In addition to resource theft, cyber actors may also target Kubernetes to cause a denial of service.”

On July 1, the agencies joined the FBI and the United Kingdom’s National Cyber Security Center in attributing an advanced password compromise campaign to a military unit on the Russian General Staff Main Intelligence Directorate, or GRU. That advisory said the group was using Kubernetes’ automation capabilities to dramatically speed up brute-force password hacking techniques. Their targets included a range of organizations, mainly in the U.S. and Europe, including those affiliated with the media, political parties, the military and other critical infrastructure, according to that advisory.

Tuesday’s advisory is an in-depth description of Kubernetes architecture and includes appendices for implementing some of the major recommendations the agencies make for securing it. 

To foil crypto miners—parasitic adversaries trying to use organizations’ computing power to perform the mathematical calculations necessary to validate additions to the blockchains that underlie cryptocurrencies—the advisory suggests using more recent versions of Kubernetes to set an acceptable threshold for the creation of application holding units referred to as pods.  

“Kubernetes 1.10 and newer supports LimitRange by default,” the agencies said. “ResourceQuotas are restrictions placed on the aggregate resource usage for an entire namespace, such as limits placed on total CPU and memory usage. If a user tries to create a Pod that violates a LimitRange or ResourceQuota policy, the Pod creation fails.” 

Most of the advisory is focused on ways to apply common security principles such as least privileged access and segmentation to the Kubernetes environment, where the default settings are overly permissive.