# Incident Report: Cryptojacking Campaigns Targeting Apache Druid on Kubernetes
## Executive Summary
ARMO’s research team identified two distinct cryptojacking campaigns targeting a Kubernetes honeypot via a known vulnerability in Apache Druid (CVE-2021-25646). Attackers leveraged unauthenticated Remote Code Execution (RCE) to deploy Monero miners and specialized malware. The incident highlights the persistent exploitation of unpatched, internet-facing services within containerized environments.
## Incident Details
- **Discovery Date:** Not explicitly specified (Research publication date: 2024)
- **Incident Date:** Ongoing during the research observation period
- **Affected Organization:** Kubernetes Honeypot (Research environment)
- **Sector:** Cybersecurity Research / Technology
- **Geography:** Global (Targeting internet-facing assets)
## Timeline of Events
### Initial Access
- **Date/Time:** Variable (Upon exposure of the honeypot)
- **Vector:** Exploitation of CVE-2021-25646
- **Details:** Attackers exploited a flaw in how Apache Druid handled user-provided JavaScript code embedded in "index" tasks, which allowed unauthenticated RCE.
### Lateral Movement
- **Details:** The attackers focused primarily on container-level persistence. In the second campaign, scripts were used to scan the local environment and identify resources to maximize mining efficiency.
### Data Exfiltration/Impact
- **Impact:** Significant CPU/Resource hijacking for cryptocurrency mining. Potential for lateral movement within the cluster was identified, though limited by the honeypot's isolation.
### Detection & Response
- **Detection:** Discovered via runtime security monitoring and log analysis of the Kubernetes honeypot.
- **Response:** Research team observed the behavior to map the "Diamond Model" of the intruders before neutralizing the pods.
## Attack Methodology
- **Initial Access:** RCE via CVE-2021-25646 in Apache Druid.
- **Persistence:** Utilization of `crontab` and deployment of specialized scripts (e.g., `dca.sh`) to ensure the miner restarts.
- **Privilege Escalation:** Attempts to run processes as root within the container.
- **Defense Evasion:** Use of packed binaries (UPX), clearing of command history, and killing competing mining processes.
- **Credential Access:** Not the primary focus; aimed at resource theft.
- **Discovery:** System profiling via `lscpu`, `nproc`, and environment variable checks.
- **Lateral Movement:** Scanned for other vulnerable Kubernetes services.
- **Collection:** N/A (Focused on resource utilization).
- **Exfiltration:** N/A.
- **Impact:** Resource exhaustion (Cryptojacking).
## Impact Assessment
- **Financial:** High operational costs due to unauthorized cloud resource consumption.
- **Data Breach:** None reported (Honeypot environment).
- **Operational:** Severe degradation of service performance due to 100% CPU utilization.
- **Reputational:** N/A for honeypot; high for organizations hosting similar vulnerable services.
## Indicators of Compromise
- **Network Indicators:**
  - `194[.]38[.]23[.]171` (RUDEDEVIL C2)
  - `107[.]189[.]3[.]150`
- **File Indicators:**
  - `dca.sh` (Shell script for miner deployment)
  - `sys-kernel-updates` (Malicious binary)
  - MD5: `041dc73890f55cf68f7634f19574efc2`
- **Behavioral Indicators:**
  - Unexpected high CPU usage in Apache Druid pods.
  - Outbound connections to known Monero (XMR) mining pools.
## Response Actions
- **Containment:** Isolation of affected Kubernetes pods and namespaces.
- **Eradication:** Deletion of compromised pods and images; removal of malicious cron jobs.
- **Recovery:** Redeployment of patched Apache Druid instances (Version 0.20.1 or later).
## Lessons Learned
- **Key Takeaways:** Attackers are actively scanning for known CVEs in niche database/analytics software (Druid) specifically when running on Kubernetes.
- **Vulnerability Management:** Relying on default configurations for complex software increases the attack surface significantly.
## Recommendations
- **Patch Management:** Immediately update Apache Druid to a version where CVE-2021-25646 is mitigated.
- **Network Policy:** Implement Kubernetes Network Policies to restrict egress traffic from pods to only known-good destinations.
- **Runtime Security:** Deploy tools capable of detecting anomalous process executions and file integrity changes within containers.
- **Least Privilege:** Ensure the Apache Druid service runs as a non-root user within the container.
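The Network Policy and Least Privilege recommendations above, expressed as Kubernetes manifests; this is an added example, not from ARMO's report, and the namespace `druid`, the label `app: druid`, the in-cluster CIDR `10.0.0.0/8`, the `kube-dns` selector and the image tag are assumptions to be replaced with the cluster's own values.

```yaml
# Added example, not from the original report. Assumed: namespace "druid",
# pod label app=druid, in-cluster CIDR 10.0.0.0/8 (replace with real ranges).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: druid-restrict-egress
  namespace: druid
spec:
  podSelector:
    matchLabels:
      app: druid
  policyTypes:
    - Egress
  egress:
    # DNS through the cluster resolver only
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # In-cluster peers only; anything else (e.g. public mining pools) is dropped
    - to:
        - ipBlock:
            cidr: 10.0.0.0/8
---
apiVersion: v1
kind: Pod
metadata:
  name: druid-broker
  namespace: druid
  labels:
    app: druid
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
    - name: druid
      image: apache/druid:0.20.1  # assumed tag; 0.20.1 or later per the report
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

The Pod is a minimal illustration of the security context, not a complete Druid deployment; with the policy applied, a miner inside the pod has no route to an external pool even if the RCE succeeds.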