What is Cryptojacking? Stop Cryptojacking Attacks with Mesh7’s API Security Mesh
When hackers use cloud cryptojacking, they search through an organization’s files and code for API keys to access their cloud services. Once access is gained, hackers siphon unlimited CPU resources for cryptomining, resulting in a huge increase in account costs.Jan 29, 2021
Recently the Microsoft Azure team detected a first-of-its-kind campaign that targeted a popular Kubernetes toolkit — Kubeflow, an open-source framework for running machine learning tasks in Kubernetes. These tasks tend to be relatively powerful, sometimes including GPUs, as in this case, so they are an attractive target for crypto-miners.
For more Kubeflow news: https://kubeflow-news.com/
Hackers seeded cryptocurrency mining malware across multiple such Kubernetes clusters.
As Kubernetes adoption has grown, hackers are increasingly attempting to break into Kubernetes deployments, as evidenced from the recent rise in Kubernetes breaches that exploit Kubeflow and previously seen vulnerabilities in API servers.
Kubernetes based attacks are very different from traditional application attacks. These attacks are often a combination of an application or infrastructure vulnerability exploited in conjunction with Kubernetes orchestration capabilities to intrude into Kubernetes clusters and then deploy the malicious applications and workloads.
These malicious workloads then persist as a man-in-the-microservice, within the
microservice environment itself. This can lead to resource hijacking, data destruction or denial of service attacks as well as data exfiltration issues.
Hackers generally follow the path of least resistance to what they want. The growing volume and severity of these types of attacks will continue because the path they follow offers little resistance.
Kubeflow can be used to deploy different machine learning frameworks, Jupyter notebook being well known among them. As you deploy the notebook, multiple services are interacting with each other using various protocols & APIs. Let’s look at a very typical exploit that leverages this behavior.
In this specific breach scenario, the Kubeflow dashboard was left accessible over the internet and hackers were able to gain access to Kubeflow.
A hacker can now use the Kubeflow dashboard to deploy a malicious container. This malicious container uses an image that runs a crypto mining program and uses the cluster resources to do cryptomining. Once the container has been deployed, it initiates the crypto mining process and then makes the connection to the crypto mining server.
Let’s take a look at how Mesh7 would handle this type of threat.
Mesh7 deploys itself transparently in an application environment. Deploying mesh7 requires no application code change and has zero impact on the application’s latency and stability. There are two main components; A set of distributed sentinels that are deployed in the application cluster (in this case the Kubeflow/notebook application) and a logically centralized controller that provides policies and receives telemetry from the distributed security layer. The Mesh7 controller can be deployed on-prem or as a SaaS service based on our customer’s preference.
As mentioned, when deployed, multiple Kubeflow services are interacting with each other using various protocols & APIs. As this traffic is flowing between these services, the Mesh7 distributed sentinels are transparently analyzing the traffic, and sending the metadata information about APIs and other protocol interactions between the Kubeflow services to the Mesh7 controller.
The controller performs service and workload discovery, using contextual information about PODs, deployments, services and so on, by querying the application Kubernetes cluster. It also receives telemetry from the distributed security layer. Mesh7 then correlates this contextual workload information with the application telemetry and models application behavior into an Application security graph.
Mesh7 Application Security Graph shows various application services and how they are interacting with each other. This is important, as applications are becoming distributed, more and more communication is happening across network boundaries, precisely knowing these application interactions is critical for securing and deploying the applications. For our customers, their security teams leverage our dashboard to not only see which services are present but they now can instantly tell if there are any unsanctioned or unauthorized services present or interactions happening.
The Application Security Graph presents a 360-degree view of the application, enabling our customers to observe the interactions in all three essential directions; access from the public internet to your application (N->S), internal application interactions (E->W), and the interactions with 3rd party services and cloud services at their points of Egress.
Mesh7 can instantly see:
- Which services are external facing and are receiving requests from the public internet. This ensures that the external traffic is only coming to the services that you expect to be user/partner facing.
- We can also audit the interactions between workloads and various services to ensure they are behaving as expected and that none are unsanctioned or unauthorized.
- Additionally, we can see which services make outbound requests to the external world. As many services are consuming the external cloud services, being certain about the outbound interactions from your application is critical from a security point of view.
Let’s explore how the observability in the outbound connection helps us to detect the attacks. We can zoom in to a specific service and look at the interactions of that specific service. Once in the service view, we can see the various APIs and connection requests that service is receiving in the incoming direction as well as the API calls and connection requests originating from the service.
When initially deployed, Mesh7 starts in learning mode to learn what needs to be in the Application Security Graph. It profiles the application’s behavior in terms of how the different services are interacting with each other and creates the application’s baseline, which represents good or normal application behavior. Once the baseline has been established and the normal behavior of an application has been learned, you can then switch Mesh7 into enforcement mode.
In Enforcement mode, Mesh7 continuously monitors the application’s behavior and watches for any deviations from normal. If it finds critical deviations, it will notify security admins about this abnormal behavior. This allows Mesh7 to detect advanced breaches, such as this Kubeflow breach before they can do any damage.
In this specific breach scenario, the Kubeflow dashboard was left accessible over the internet, and hackers were able to gain access to Kubeflow and use the Kubeflow dashboard to deploy a malicious container. This malicious container would then use an image that runs a crypto mining program and uses the cluster resources to do cryptomining. Once the container has been deployed, it initiates the crypto mining process and then makes the connection to the crypto mining server.
In a straightforward manner, Mesh7’s application behavioral modeling and behavioral profiling will detect this abnormal container & associated breach. The Mesh7 Application Security Graph is constantly baselining the application behavior and monitoring for any deviations from that baseline. When a hacker instantiates a new deployment (crypto-miner in this example), and it then tries to connect to an external domain, the security graph immediately detects this deviation as abnormal. There are two deviations, the first deviation is the addition of new deployment in the environment and the second is the outbound connection from the newly instantiated container.
The Mesh7 controller then uses reputation and threat intelligence data to find out if the outbound connection is to a malicious domain. In this case, the domain is found to be associated with a crypto mining domain. The Mesh7 controller immediately raises a security event and notifies the admin in real time of this malicious behavior. This notification can happen across the customers chosen method or channel, Slack being one example.
As the admin investigates the notification, the Mesh7 controller provides an intuitive visual representation of the attack in the application security graph and shows the violation in red for easy identification. The admin can then zoom into the violating service behavior and can immediately find out which domain the newly instantiated workload is connecting out to. This provides true application layer security observability and enables the admin to detect this access to a malicious crypto-mining domain very quickly in real-time.
This one click investigation capability allows security team members to quickly find the service that is in violation and the related interactions of the service along with various other related analytics on that service.
For overall safety, Mesh7 provides various risk trackers that continually scan for any sign of trouble. This added layer of observability and security further enables early detection with advanced analytics & insights into the behavioral activity of the application. These deep layer 7 aware risk trackers are essential to have in place.
As mentioned, hackers generally follow the path of least resistance to what they want. The growing volume and severity of these types of attacks will continue because the path they follow offers little resistance. Until there is widespread adoption of layer 7 aware solutions like Mesh7, these attacks will continue to make headlines. That’s why it is essential to protect yourself with our API Security Mesh solution. Please let us know how we can help. https://mesh7.com
