Detecting Crypto Miners in Kubeflow

Microsoft researchers documented attackers deploying the container image ddsfdfsaadfs/dfsdf:99, which bundles the XMRig Monero miner, into internet-exposed Kubeflow clusters. Misconfigurations—especially open dashboards and weak authentication—make ML environments attractive targets.

Detection Checklist

  • Inspect Running Pods: Run kubectl get pods -A, then kubectl describe and kubectl logs, to spot unfamiliar images or processes (e.g., XMRig).
  • Monitor Resource Usage: kubectl top pods -A highlights workloads with abnormal CPU or memory usage.
  • Analyze Network Traffic: Capture egress flows (VPC flow logs, eBPF, tcpdump) for connections to known mining pools.
  • Audit Deployment Changes: Review kubectl get deployments -A -o yaml and controller logs for unauthorised edits or new namespaces.
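
The pod-inspection step above can be automated. The following is an added example, not code from the Microsoft write-up or from Kubeflow: it audits the JSON from kubectl get pods -A -o json and flags containers (including init containers) that run the image named above or pull from outside an allowlist. The registry prefixes and the sample PodList are constructed assumptions.

```python
import json
import sys

# Image named in the write-up above; extend with your own threat-intel list.
KNOWN_BAD_IMAGES = {"ddsfdfsaadfs/dfsdf:99"}
# Assumption: registries this cluster is expected to pull from (placeholders).
TRUSTED_PREFIXES = ("registry.example.internal/",)

def normalize(image):
    """Drop any digest and Docker Hub host prefix so equivalent references compare equal."""
    image = image.split("@", 1)[0]
    for prefix in ("index.docker.io/", "docker.io/"):
        if image.startswith(prefix):
            image = image[len(prefix):]
    return image

def audit_pods(pod_list):
    """Return (namespace, pod, container, image, reason) for every suspicious container."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            image = normalize(c["image"])
            if image in KNOWN_BAD_IMAGES:
                reason = "known-miner-image"
            elif not image.startswith(TRUSTED_PREFIXES):
                reason = "untrusted-registry"
            else:
                continue
            findings.append((meta["namespace"], meta["name"], c["name"], image, reason))
    return findings

# Constructed sample PodList (same shape as `kubectl get pods -A -o json`).
SAMPLE = {"items": [
    {"metadata": {"namespace": "kubeflow", "name": "ml-pipeline-0"},
     "spec": {"containers": [{"name": "api", "image": "registry.example.internal/kubeflow/api:1.0"}]}},
    {"metadata": {"namespace": "kubeflow", "name": "train-7f9c"},
     "spec": {"containers": [{"name": "main", "image": "docker.io/ddsfdfsaadfs/dfsdf:99"}]}},
    {"metadata": {"namespace": "default", "name": "debug"},
     "spec": {"initContainers": [{"name": "init", "image": "busybox:1.36"}],
              "containers": [{"name": "app", "image": "registry.example.internal/tools/app:2"}]}},
]}

if __name__ == "__main__":
    # Pass "-" to read live output: kubectl get pods -A -o json | python audit.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for finding in audit_pods(data):
        print("\t".join(finding))
```

An exact image match is easy for an attacker to evade by re-tagging, so treat the allowlist check as the primary signal and the known-bad list as a fast path.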

Mitigation Steps

  1. Lock down Kubeflow dashboards and pipelines behind identity-aware proxies or VPNs.
  2. Enable Role-Based Access Control (RBAC) and namespace-level quotas to contain the blast radius.
  3. Scan container images for known miners before deployment; enforce admission policies (OPA/Gatekeeper, Kyverno).
  4. Configure alerts on suspicious activity (unexpected images, escalated service accounts, network anomalies).

Reminder

Cloud security is a shared responsibility. Review organisational policies and coordinate with your security operations team before taking action in production clusters.