According to a warning from security vendor Intezer, threat actors are leveraging Argo Workflows to target Kubernetes deployments and deploy crypto-miners.
The Intezer team discovered a number of unprotected instances run by companies in the IT, finance, and logistics industries that allowed anyone to deploy workflows. Malicious actors have used the nodes to deploy crypto-miners in some circumstances.
Argo Workflows is an open-source, Kubernetes-native workflow engine that lets users define and run parallel jobs on a cluster from a single interface, reducing deployment complexity and the risk of failures.
Argo uses YAML files to define the work to be done, and workflows can be run either from a template or submitted directly from the Argo console.
According to Intezer, an attacker who can reach an unauthenticated Argo dashboard can submit their own workflow to the misconfigured cluster. In one of the reported attacks the adversary used kannix/monero-miner, a known cryptocurrency-mining container image that has since been removed from Docker Hub.
The image runs XMRig to mine Monero and can be repurposed simply by changing the wallet address the mined coins are paid to, which makes it a convenient tool for cryptojacking.
To check whether their own instances are correctly configured, users can try to open the Argo Workflows dashboard from outside the corporate network, in an incognito browser window and without logging in: if the dashboard loads, the instance is exposed.
“Another alternative is to query your instance’s API and look at the status code. Request information from [your.instance:port]/api/v1/info using HTTP GET. While an unauthenticated user, a returned HTTP status code of “401 Unauthorized” indicates a correctly configured instance, whereas a successful status code of “200 Success” could indicate that an unauthorised user is able to access the instance,” according to Intezer.
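The API check Intezer describes, automated in a short script. This is an added example, not Intezer's or the Argo project's code. It sends an unauthenticated GET to /api/v1/info and interprets the status code the way the quoted guidance does; the 403 branch is an addition for instances fronted by a proxy that rejects rather than challenges, and the managedNamespace field it reports on a 200 is an assumption about the response body, not something the article states.

```python
"""Probe an Argo Workflows instance for missing authentication.

Added example; not code from Intezer or the Argo project. Assumes the
instance exposes /api/v1/info as described in the article and that a
200 response body may carry a "managedNamespace" field (an assumption
about the response shape).
"""
import json
import sys
import urllib.error
import urllib.request

INFO_PATH = "/api/v1/info"


def classify_status(status: int) -> str:
    """Map the HTTP status of an unauthenticated GET /api/v1/info to a verdict."""
    if status == 401:
        return "ok: authentication required"
    if status == 403:
        return "ok: request rejected (an auth layer is present)"
    if status == 200:
        return "EXPOSED: unauthenticated access to the Argo API"
    return f"inconclusive: unexpected HTTP {status}"


def summarize_info(body: bytes) -> dict:
    """Report what an exposed /api/v1/info reveals; tolerate non-JSON bodies."""
    try:
        info = json.loads(body)
    except ValueError:
        return {"parsed": False}
    if not isinstance(info, dict):
        return {"parsed": False}
    return {
        "parsed": True,
        # Assumed field: the namespace the server manages, if it reports one.
        "managedNamespace": info.get("managedNamespace"),
        "keys": sorted(info),
    }


def probe(base_url: str, timeout: float = 10.0) -> tuple:
    """GET /api/v1/info with no credentials; return (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + INFO_PATH,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 401/403/5xx land here
        return err.code, err.read()


def main(argv: list) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} https://your.instance:port", file=sys.stderr)
        return 2
    try:
        status, body = probe(argv[1])
    except urllib.error.URLError as err:  # DNS, connection or TLS failure
        print(f"could not reach {argv[1]}: {err.reason}", file=sys.stderr)
        return 2
    print(f"{argv[1]}{INFO_PATH} -> HTTP {status}: {classify_status(status)}")
    if status == 200:
        print(json.dumps(summarize_info(body), indent=2))
    return 0 if status in (401, 403) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a host outside the corporate network, as the dashboard check above recommends, since a probe from inside may succeed only because of network-level trust. A self-signed certificate on the instance surfaces as a URLError; fix the trust store rather than disabling verification so the result reflects what an outsider sees.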
Users should also check their Argo instances for unusual activity and make sure that no workflows have been running for an unusually long time, since a long-running workflow could indicate that a crypto-miner has been deployed in the cluster.
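One way to run that check across a cluster, as an added example rather than Intezer's or the Argo project's code. It reads the JSON that `kubectl get workflows -A -o json` prints (Argo Workflow objects with status.phase, status.startedAt and the container images in spec.templates) and flags workflows that have been running longer than a threshold or that pull a known miner image. The 12-hour threshold and the image list are assumptions for illustration; the list is seeded only with the image the article names, and the two sample workflows are constructed.

```python
"""Flag Argo workflows that look like crypto-mining jobs.

Added example; not Intezer's or the Argo project's code. Input is the
JSON from `kubectl get workflows -A -o json`. The runtime threshold and
the suspicious-image list are assumptions to tune for your own cluster.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Images to flag on sight; kannix/monero-miner is the one the article names.
SUSPICIOUS_IMAGES = ("kannix/monero-miner",)
MAX_RUNTIME = timedelta(hours=12)  # assumed threshold; legitimate jobs may run longer


def workflow_images(wf: dict) -> list:
    """Collect container images from every template in a Workflow spec."""
    images = []
    for tmpl in wf.get("spec", {}).get("templates", []):
        container = tmpl.get("container") or tmpl.get("script") or {}
        if container.get("image"):
            images.append(container["image"])
    return images


def parse_ts(value: str) -> datetime:
    """Parse the RFC 3339 timestamp Kubernetes writes (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_workflows(wf_list: dict, now: datetime,
                   max_runtime: timedelta = MAX_RUNTIME) -> list:
    """Return one record per workflow that is long-running or uses a miner image."""
    findings = []
    for wf in wf_list.get("items", []):
        meta, status = wf.get("metadata", {}), wf.get("status", {})
        reasons = []
        if status.get("phase") == "Running" and status.get("startedAt"):
            runtime = now - parse_ts(status["startedAt"])
            if runtime > max_runtime:
                reasons.append(f"running for {runtime}")
        for image in workflow_images(wf):
            if any(image.startswith(bad) for bad in SUSPICIOUS_IMAGES):
                reasons.append(f"suspicious image {image}")
        if reasons:
            findings.append({"namespace": meta.get("namespace"),
                             "name": meta.get("name"), "reasons": reasons})
    return findings


# Constructed sample of two Workflow objects shaped like kubectl's output:
# a two-hour ETL job and a miner that has been running for over two days.
SAMPLE = {"items": [
    {"metadata": {"name": "nightly-etl-x7k2p", "namespace": "data"},
     "spec": {"templates": [{"name": "etl", "container": {"image": "python:3.11"}}]},
     "status": {"phase": "Running", "startedAt": "2021-07-20T08:00:00Z"}},
    {"metadata": {"name": "build-cache-9qz4m", "namespace": "argo"},
     "spec": {"templates": [{"name": "run",
                             "container": {"image": "kannix/monero-miner:latest"}}]},
     "status": {"phase": "Running", "startedAt": "2021-07-18T01:30:00Z"}},
]}
SAMPLE_NOW = datetime(2021, 7, 20, 10, 0, tzinfo=timezone.utc)


def flag_sample(max_hours: float = 12.0) -> list:
    """Names of the constructed sample's flagged workflows at a given threshold."""
    return [f["name"] for f in flag_workflows(SAMPLE, SAMPLE_NOW, timedelta(hours=max_hours))]


def main(argv: list) -> int:
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = json.load(fh)
        now = datetime.now(timezone.utc)
    else:
        data, now = SAMPLE, SAMPLE_NOW
    findings = flag_workflows(data, now)
    for f in findings:
        print(f"{f['namespace']}/{f['name']}: " + "; ".join(f["reasons"]))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `kubectl get workflows -A -o json > wf.json && python flag_wf.py wf.json`; with no argument it runs against the embedded sample. Image matching is only a first filter, since an attacker can retag a miner under any name, so treat the runtime signal, and the namespaces and service accounts the flagged workflows ran under, as the thing to follow up on.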