"First Known Dero Cryptojacking Operation Seen Targeting Kubernetes"

The first known cryptojacking operation mining the Dero cryptocurrency has been observed targeting vulnerable Kubernetes container orchestrator infrastructure with exposed Application Programming Interfaces (APIs). Dero is a privacy coin advertised as a Monero alternative with stronger anonymity protection. Dero promises faster and greater monetary mining returns than Monero and other cryptocurrencies, which is why it has attracted the interest of threat actors. In a recent report, CrowdStrike researchers detail how the ongoing campaign was found in February 2023, when monitoring of customer Kubernetes clusters revealed strange behavior. According to the researchers, the attacks begin with threat actors scanning for exposed, vulnerable Kubernetes clusters with the authentication setting "anonymous-auth=true", which provides anonymous access to the Kubernetes API. After getting access to the API, the threat actors deploy a DaemonSet named "proxy-api" that enables them to engage the resources of all nodes in the cluster simultaneously and mine Dero with those resources. The installed miners are added to a Dero mining pool, where each participant contributes hashing power and receives a share of any earnings. Analysts at CrowdStrike have observed no intent on the part of the threat actors to move laterally, disrupt cluster operations, steal data, or do additional damage. Therefore, the campaign appears to be purely financially motivated. This article continues to discuss the Dero cryptojacking operation.

Bleeping Computer reports "First Known Dero Cryptojacking Operation Seen Targeting Kubernetes"
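
For defenders, the behavior summarized above (an anonymous API caller creating a DaemonSet) can be hunted for in Kubernetes API server audit logs. The following is an added example, not code from CrowdStrike or Bleeping Computer; it assumes audit logging is enabled in JSON-lines form at the Request level or higher, and the sample events are constructed for illustration.

```python
import json

# Constructed audit events (JSON lines, Kubernetes audit Event fields); not from the report.
SAMPLE_AUDIT_LOG = """\
{"verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"nodes"},"responseStatus":{"code":200}}
{"verb":"create","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"daemonsets","apiGroup":"apps","namespace":"default"},"requestObject":{"metadata":{"name":"proxy-api"}},"responseStatus":{"code":201}}
{"verb":"create","user":{"username":"system:serviceaccount:kube-system:deployer"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"daemonsets","apiGroup":"apps","namespace":"kube-system","name":"node-exporter"},"responseStatus":{"code":201}}
{"verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.9"],"objectRef":{"resource":"secrets","namespace":"default"},"responseStatus":{"code":403}}
{"verb":"get","user":{"username":"system:anonymous"},"sourceIPs":["198.51.100.9"],"requestURI":"/healthz","responseStatus":{"code":200}}
"""

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
ARTICLE_DAEMONSET = "proxy-api"  # DaemonSet name given in the article

def is_anonymous(user):
    return (user.get("username") == "system:anonymous"
            or "system:unauthenticated" in user.get("groups", []))

def object_name(event):
    # On create, objectRef often has no name; fall back to the request body,
    # which is only logged at audit level Request or RequestResponse.
    ref = event.get("objectRef") or {}
    meta = (event.get("requestObject") or {}).get("metadata") or {}
    return ref.get("name") or meta.get("name") or ""

def triage(event):
    """Return 'high', 'medium' or None for one audit event."""
    ref = event.get("objectRef") or {}
    code = (event.get("responseStatus") or {}).get("code", 0)
    if not is_anonymous(event.get("user") or {}) or not 200 <= code < 300:
        return None  # authenticated caller, or the anonymous request was refused
    if not ref.get("resource"):
        return None  # non-resource paths such as /healthz
    if ref["resource"] == "daemonsets" and event.get("verb") in WRITE_VERBS:
        return "high"  # anonymous caller changed a DaemonSet
    return "medium"  # anonymous caller was authorized on a cluster resource

def scan(log_text):
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        severity = triage(event)
        if severity:
            name = object_name(event)
            findings.append({"severity": severity, "verb": event.get("verb"),
                             "resource": event["objectRef"]["resource"], "name": name,
                             "source": (event.get("sourceIPs") or ["?"])[0],
                             "matches_article_name": name == ARTICLE_DAEMONSET})
    return findings
```

A "medium" finding means anonymous requests are being authorized on cluster resources at all, which is worth fixing even when no DaemonSet has been touched.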
