Microsoft Azure Machine Learning Clusters Cryptojacked to Mine Monero

Published at: June 12, 2020

Microsoft announced on June 10 that it had discovered a number of cryptojacking attacks on powerful machine-learning clusters on its Azure cloud computing network.

In a blog post, the company said that some customers had misconfigured nodes, allowing attackers to hijack them to mine the privacy-focused cryptocurrency Monero (XMR).

Default settings overridden

Microsoft said that it had discovered tens of clusters affected by the attack, which targets Kubeflow, a machine learning toolkit for the open-source Kubernetes platform.

By default, the dashboard that controls Kubeflow is only accessible internally from the node, so users need to use port-forwarding to tunnel in via the Kubernetes API. However, some users had modified this setting, potentially for convenience, directly exposing the dashboard to the internet.

With access to the dashboard, attackers had a number of available vectors through which to compromise the system.

Once the shield is down, attack

One possibility is to set up or modify a Jupyter notebook server in the cluster with a malicious image.

The Azure Security Center team discovered a suspect image from a public repository on a number of machine learning clusters.

By investigating the layers of the image, the team found that it ran an XMRig miner, which surreptitiously uses the node to mine Monero.

Machine learning clusters are relatively powerful and sometimes contain GPUs, making them an ideal target for cryptojackers.
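An added example, not taken from Microsoft's post or from this article: a defender-side audit of the two conditions described above, a Kubeflow-related service reachable from outside the cluster and a notebook pod running an image from outside a trusted registry. The watched namespaces, the trusted registry prefix and the sample objects are constructed assumptions.

```python
import json

# Assumptions (not from the article): namespaces to watch and the trusted registry.
WATCHED_NAMESPACES = {"kubeflow", "istio-system"}
TRUSTED_REGISTRIES = ("registry.example.internal/",)

# Constructed sample shaped like `kubectl get svc,pods -A -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Service", "metadata": {"namespace": "istio-system", "name": "istio-ingressgateway"}, "spec": {"type": "LoadBalancer"}},
 {"kind": "Service", "metadata": {"namespace": "kubeflow", "name": "centraldashboard"}, "spec": {"type": "ClusterIP"}},
 {"kind": "Service", "metadata": {"namespace": "kubeflow", "name": "notebook-svc"}, "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
 {"kind": "Service", "metadata": {"namespace": "default", "name": "shop"}, "spec": {"type": "LoadBalancer"}},
 {"kind": "Pod", "metadata": {"namespace": "kubeflow", "name": "nb-team-a-0"},
  "spec": {"containers": [{"name": "nb", "image": "registry.example.internal/ml/jupyter:1.4"}]}},
 {"kind": "Pod", "metadata": {"namespace": "kubeflow", "name": "nb-unknown-0"},
  "spec": {"containers": [{"name": "nb", "image": "docker.io/someuser/notebook:latest"}]}}
]}
""")

def exposed_services(items, namespaces=WATCHED_NAMESPACES):
    """Services in watched namespaces that are reachable from outside the cluster."""
    findings = []
    for obj in items:
        meta, spec = obj["metadata"], obj.get("spec", {})
        if obj.get("kind") != "Service" or meta["namespace"] not in namespaces:
            continue
        if spec.get("type") in ("LoadBalancer", "NodePort"):
            findings.append((meta["namespace"], meta["name"], spec["type"]))
        elif spec.get("externalIPs"):  # ClusterIP service pinned to an external address
            findings.append((meta["namespace"], meta["name"], "externalIPs"))
    return findings

def untrusted_images(items, namespaces=WATCHED_NAMESPACES, trusted=TRUSTED_REGISTRIES):
    """Pod containers in watched namespaces whose image is not from a trusted registry."""
    findings = []
    for obj in items:
        meta, spec = obj["metadata"], obj.get("spec", {})
        if obj.get("kind") != "Pod" or meta["namespace"] not in namespaces:
            continue
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if not c["image"].startswith(trusted):
                findings.append((meta["namespace"], meta["name"], c["image"]))
    return findings

if __name__ == "__main__":
    for finding in exposed_services(SAMPLE["items"]) + untrusted_images(SAMPLE["items"]):
        print(finding)
```

On a live cluster, the same functions can be run over the parsed output of `kubectl get svc,pods -A -o json` in place of the constructed sample.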

As Cointelegraph reported, cybersecurity firm Sophos recently revealed that attackers had breached vulnerable Microsoft SQL Server databases to install the same XMRig software, which mines Monero.
