Intezer has detected a new attack vector against Kubernetes clusters: a set of misconfigured Argo Workflows instances exposed to the internet. The company, whose platform identifies malware by analyzing code reuse across samples, noted that it has already observed in-the-wild cryptominers being deployed through the method.
Intezer said it has identified infected nodes and sees the potential for "larger scale attacks" because of "hundreds of misconfigured deployments," including Argo Workflows instances belonging to companies in the technology, finance and logistics sectors. Argo Workflows is an open-source, container-native workflow engine designed to run on Kubernetes clusters; when its permissions are misconfigured, anyone who can reach the instance can submit a workflow and thereby run code of their choosing on the cluster.
The unprotected instances reportedly expose sensitive code, credentials and private container image names, and in some cases are configured with permissions that allow any visiting user to deploy workflows. Intezer also found that some of the misconfigured nodes had already been targeted by threat actors, including through the launch of cryptocurrency-mining containers.
Among Intezer's recommendations are:
- Reviewing logs and workflow timelines for suspicious activity.
- Maintaining a "safety net" to ensure that only trusted code is run.
- Deploying runtime protection.
- Adopting a set of "best practices" for securing Kubernetes.
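The first two recommendations above can be turned into a concrete review step. The following is an added example for this article, not Intezer's tooling or any Argo Workflows project code: it walks a WorkflowList document (the shape returned by the Argo Server API, `argo list -o json`, or `kubectl get wf -o json`), extracts every container or script image each workflow runs, and flags images that come from outside the organisation's own registry or whose names look like miners. The trusted registry prefix, the miner keywords, and the sample workflows (including the pool address in one of them) are all constructed assumptions.

```python
"""Review Argo Workflows objects for untrusted or miner-like container images.

Added example for this article; not Intezer's tooling and not Argo project code.
Input is a WorkflowList JSON document as returned by the Argo Server API,
`argo list -o json`, or `kubectl get wf -o json`.
"""
import json

# Assumptions: the registry prefixes the organisation actually publishes to,
# and substrings that commonly show up in cryptominer image names.
TRUSTED_REGISTRY_PREFIXES = ("registry.corp.example/",)
MINER_KEYWORDS = ("xmrig", "monero", "miner", "cryptonight")


def template_images(workflow):
    """Yield (template name, image) for every container or script template."""
    for tmpl in workflow.get("spec", {}).get("templates", []):
        for kind in ("container", "script"):
            spec = tmpl.get(kind)
            if spec and spec.get("image"):
                yield tmpl.get("name", "?"), spec["image"]


def image_is_trusted(image):
    """True if the image is pulled from one of the trusted registries."""
    return image.startswith(TRUSTED_REGISTRY_PREFIXES)


def looks_like_miner(image):
    """Cheap name-based heuristic; a real deployment would also pin digests."""
    lowered = image.lower()
    return any(keyword in lowered for keyword in MINER_KEYWORDS)


def assess_workflow(workflow):
    """Return a list of (severity, message) findings for one Workflow object."""
    findings = []
    meta = workflow.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    namespace = meta.get("namespace", "default")
    for tmpl, image in template_images(workflow):
        if looks_like_miner(image):
            findings.append(("high", f"{namespace}/{name} template {tmpl}: miner-like image {image}"))
        elif not image_is_trusted(image):
            findings.append(("medium", f"{namespace}/{name} template {tmpl}: image {image} outside trusted registries"))
    return findings


def assess_workflow_list(workflow_list_json):
    """Assess every item in a WorkflowList document; findings sorted by severity."""
    doc = json.loads(workflow_list_json)
    findings = []
    for workflow in doc.get("items", []):
        findings.extend(assess_workflow(workflow))
    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda finding: order[finding[0]])
    return findings


# Constructed sample: one legitimate CI build and one workflow submitted by an
# intruder through an unauthenticated Argo Server. Names and addresses are made up.
SAMPLE_WORKFLOW_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "build-7f2a", "namespace": "argo"},
         "spec": {"templates": [
             {"name": "build",
              "container": {"image": "registry.corp.example/ci/builder:1.4"}}]}},
        {"metadata": {"name": "wf-h3x9", "namespace": "argo"},
         "spec": {"templates": [
             {"name": "main",
              "container": {"image": "docker.io/example-user/monero-miner:latest",
                            "args": ["-o", "pool.example:3333"]}}]}},
    ]
})

if __name__ == "__main__":
    for severity, message in assess_workflow_list(SAMPLE_WORKFLOW_LIST):
        print(f"[{severity}] {message}")
```

Run it against a real dump with `python review_workflows.py < workflows.json` after swapping `SAMPLE_WORKFLOW_LIST` for `sys.stdin.read()`. Before reviewing workflow contents at all, confirm that the Argo Server itself requires authentication: a server started with `--auth-mode=server` answers API calls with no client credential, so an unauthenticated `GET /api/v1/workflows/<namespace>` that returns 200 instead of 401 is exactly the exposure the article describes, and the fix is to run the server in `client` or `sso` auth mode and restrict the service account it uses.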
According to the Cloud Native Computing Foundation's 2020 survey, 91 percent of respondents use Kubernetes for container orchestration, which is why a misconfiguration pattern like this one can affect so many organizations at once.