Illegal crypto miners find a new favorite in Privacy Coin Dero
Blockchain and cryptocurrency, cloud security, cryptocurrency scams
CrowdStrike Finds Dero Cryptojacking Operations on Kubernetes Cluster
Rashmi Ramesh (rashmiramesh_) •
March 15, 2023
Threat actors who mine digital assets using other people’s infrastructure found a lucrative new cryptocurrency to motivate their hacking: privacy-focused currency Dero.
Cryptocrash in 2022 undermined the rewards of cryptojacking by between 50% and 90%, cybersecurity firm CrowdStrike said. Not so for Dero, which “offers bigger rewards” to attract miners and provides cutting-edge anonymity features, making it a “perfect match” for attackers looking for an illegal payday.
Therefore, what the cybersecurity firm said in research published Wednesday is the first Dero encryption operation ever detected. CrowdStrike said the operation has targeted Kubernetes infrastructure on three US-based servers since February.
Cryptojacking is “always evolving” as adversaries learn to monetize new cryptocurrencies and identify weaknesses in various attack surfaces, Manoj Ahuje, senior cloud security threat researcher at CrowdStrike, told the Information Security Media Group.
Bad actors have potentially deployed more than 4,000 miners during this campaign. Tracking funds in Dero wallets is difficult due to the cryptocurrency’s privacy and anonymity features. Instead of resting on chronological blocks of transactions, Dero rests on a structure called a directed acyclic graph that is more akin to a tree with branches than a chain. The Dero white paper states that transactions cannot be tracked “in a way that reveals who sent or received coins.”
The campaign operators find and target vulnerable Kubernetes clusters that can be accessed anonymously through the application programming interface, along with non-standard ports that can be accessed from the Internet. A user with sufficient privilege could inadvertently expose a secure Kubernetes API on the host, allowing the threat actor to bypass authentication. The attacker then deploys a Kubernetes DaemonSet, which in turn deploys a malicious pod on each node of the Kubernetes cluster to allow the attacker to engage the resources of all nodes simultaneously. “The mining effort from the pods is contributed back to a community pool, which distributes the reward, i.e. the Dero coin, equally among the contributors through their digital wallet,” CrowdStrike said.
In cryptojacking campaigns, threat actors typically move laterally to attack other resources or scan the Internet for discoveries—steps that the latest Dero campaign does not follow after compromise. The attackers also do not attempt to delete or disrupt the cluster operation, but instead deploy a DaemonSet to mine Dero by masquerading as regular Kubernetes log names.
“This focused behavior seems to clarify the intent of this campaign, which is that the attackers are solely trying to mine for Dero,” CrowdStrike said.
The attack flow is almost identical to that of a mono-focused campaign running parallel to the Dero. “Both campaigns are trying to find undiscovered Kubernetes attack surfaces and fighting against it,” CrowdStrike said.
The Monero campaign “knocks out DaemonSets used for Dero cryptojacking in the Kubernetes cluster before taking it over,” CrowdStrike said. The campaign focused on monero mining deliberately deletes existing DaemonSets to disrupt the Dero campaign before they take over the cluster and use the deployed resources for their own purposes.