Detecting Crypto Miners in Kubeflow

• 13/6/2020
• One-minute read

Microsoft researchers documented attackers deploying the container image ddsfdfsaadfs/dfsdf:99, which bundles the XMRig Monero miner, into internet-exposed Kubeflow clusters. Misconfigurations—especially open dashboards and weak authentication—make ML environments attractive targets.

Detection Checklist

• Inspect Running Pods: kubectl get pods -A followed by kubectl describe/kubectl logs to spot unfamiliar images or processes (e.g., XMRig).
• Monitor Resource Usage: kubectl top pods -A highlights workloads with abnormal CPU or memory usage.
• Analyze Network Traffic: Capture egress flows (VPC flow logs, eBPF, tcpdump) for connections to known mining pools.
• Audit Deployment Changes: Review kubectl get deployments -A -o yaml and controller logs for unauthorised edits or new namespaces.

Mitigation Steps

1. Lock down Kubeflow dashboards and pipelines behind identity-aware proxies or VPNs.
2. Enable Role-Based Access Control (RBAC) and namespace-level quotas to contain blast radius.
3. Scan container images for known miners before deployment; enforce admission policies (OPA/Gatekeeper, Kyverno).
4. Configure alerts on suspicious activity (unexpected images, escalated service accounts, network anomalies).

Reference

• Microsoft Security Blog: Misconfigured Kubeflow Workloads Are a Security Risk

Reminder

Cloud security is a shared responsibility. Review organisational policies and coordinate with your security operations team before taking action in production clusters.