Misconfigured Argo Workflows Instances Employed for Attacking Kubernetes Clusters


Intezer has discovered new Kubernetes cluster attack vectors using misconfigured instances of Argo Workflows. Threat actors have already been benefitted from this vector as researchers have noticed the use of such a wild way for the operators dropping crypto miners. 

Argo Workflows is an open-source workflow system that can be used for coordinating parallel operations at the Kubernetes region, which enables computer-intensive activities such as machine education and big data processing to accelerate processing time. It is also used in general to facilitate the installation of containers. 

Meanwhile, Kubernetes is a popular cloud engine for container orchestration. It is an open-source framework that enables automated containerized workloads, services, and applications deployed, scale and managed over hosts clusters. 

According to the investigation by Intezer, malware controllers drop encryption devices through Argo into the cloud, because certain instances are publicly visible through dashboards that require no authentication from outside users. Through these malfunctioning permissions, actors at risk can run unauthorized code within the environment of the target. 

Intezer security researchers, Ryan Robinson and Nicole Fishbein wrote a report documenting the intrusion and noted they had already detected infected nodes. Both indicated the attacks were serious, considering hundreds of misconfigured deployments had occurred and crypto miners like the Kannix/Monero miner were discovered by this attack vector. 

"We have detected exposed instances of Argo Workflows that belong to companies from different sectors including technology, finance, and logistics. Argo Workflows is an open-source, container-native workflow engine designed to run on K8s clusters. Argo Workflows instances with misconfigured permissions allow threat actors to run unauthorized code on the victim's environment," Robinson and Fishbein said. 

Confidential information such as code, credentials, and picture names in private containers may be included in the exposed instances. Researchers also noticed that permissions that allow visitors to deploy workflows in several instances are configured. They have also discovered that threat actors target some nodes that are wrongly installed.

According to researchers, the "Kannix/ Monero-miner," demands very little skill to use, and further this study indicates that other security teams have identified major crypto-currency mining operations against the clusters of the Kubernetes. 

"In Docker Hub, there are still several options for Monero mining that attackers can use. A simple search shows that there are at least 45 other containers with millions of downloads," the study said. 

Fishbein and Robinson recommend users browse the Argo Workflows dashboard using an unauthenticated incognito browser outside corporate situations to check for misplacements. Executives can also request the API for an instance and inspect the status code.