Kubeflow Attack on Microsoft

Kubernetes, also known as K8s, is an open-source system created in the year 2014 for automating deployment, scaling, and management of containerized applications. So, what’s the fuss all about? Microsoft was recently hit with a big crypto mining attack, which took place due to a misconfigured dashboard.

All about Cryto Currency

In Leighman’s terms, cryptocurrency is the transfer of digital assets. The core concept is like that of a bank but instead of a distributed spreadsheet of transactions but, instead of several spreadsheets crypto has single spreadsheet called the ledger stored in several devices around the globe. Crypto Currency is called because it’s secured by cryptography.

Advantages of using Cryto?

  • It’s decentralized, which means all transactions are stored in one ledger, there are many copies of that ledger, anyone who is a part of the network has one. If you’ve these many copies of the ledger, it becomes easy to tell if someone’s doing something fishy.
  • There are several people around the globe who don’t have access to traditional banks which require a lot of documentation and paperwork but have access to the internet which is all that is needed to use crypto.
  • A major advantage is that you don’t have to wait for half a day for international transactions, with no spending limits plus you don’t have any exchange rates, interest rates and even transactions fees are next to zero.

So, What's Cryto Mining?

Mining is a process where we crunch through these transactions on our copy of the ledger by lending our system’s computational power and receive crypto as compensation. There are over one million Bitcoin miners, and it is just one of the several thousand types of cryptocurrencies. A few of the others are Ethereum, Monero XMR & Litecoin. It can be a profitable process depending on the crypto being mined, but it generates a lot of heat and requires a lot of energy, making it expensive to mine and reduces the lifespan of the hardware

Crypto Mining on the Cloud

Although many users use Cloud instances for mining crypto, it's not considered healthy, it puts an excess strain on cloud resources, inflicts additional cloud and utility costs on attacked parties, shortens the lifespan of IT devices and causes unnecessary business disruption. Cloud providers like GCP & AWS have put strict measures to prevent users from mining on their trial-based service and those who cannot comply are banned from the platform.

Getting Back To The Point

Yossi Weizman, a senior security research software engineer at Microsoft’s Azure Security said in a post on Tuesday :

A burst of these malicious TensorFlow deployments was simultaneous, showing that the attackers initially scanned the clusters, kept a list of potential targets, and then pulled the trigger on all of them at once.

He further said that the attacker used two separate images: the latest version of TensorFlow (tensorflow/tensorflow: latest) & the latest version with GPU support (tensorflow/tensorflow: latest-gpu). Using “Tensorflow images” was a smart move because if they were monitored, they couldn’t be tracked because of the legitimate images of Tensorflow. The attackers used CPU based containers for mining Monero At least two pods were deployed on each cluster: One for CPU mining, and the other for GPU mining. The GPU container used the open-source ETHminer to mine Ethereum, while the CPU miner used the aforementioned open-source XMRIG.

As Weizman detailed in the post, Kubeflow Pipelines is a platform for deploying ML pipelines, based on Argo Workflow, which an open-source, container-native workflow engine for orchestrating parallel jobs on Kubernetes. Pipeline entails a series of steps, each one of them as an independent container, that together form a ML workflow. The image of the container that runs in each step is determined in the pipeline configuration.

Argo Workflow

How would you prevent it?

Microsoft advised that those who run Kubeflow should make sure they’ve locked down the centralized dashboard, so it’s not insecurely exposed to the internet. If Kubeflow has to be exposed to the internet, make sure it requires authentication to log into it.

Tagged in : kubernetesmicrosofttensorflowcryptominingcryptocurrency

Dave Zachariah

Dave has been a passionate entrepreneur since the age of 16 and is currently working at Cyber Efficient with the goal of making businesses easier.