Detecting Crypto Miners in Kubeflow
Microsoft researchers documented attackers deploying the container image `ddsfdfsaadfs/dfsdf:99`, which bundles the XMRig Monero miner, into internet-exposed Kubeflow clusters. Misconfigurations—especially open dashboards and weak authentication—make ML environments attractive targets.
Detection Checklist
- Inspect Running Pods: `kubectl get pods -A` followed by `kubectl describe` / `kubectl logs` to spot unfamiliar images or processes (e.g., XMRig).
- Monitor Resource Usage: `kubectl top pods -A` highlights workloads with abnormal CPU or memory usage.
- Analyze Network Traffic: Capture egress flows (VPC flow logs, eBPF, tcpdump) for connections to known mining pools.
- Audit Deployment Changes: Review `kubectl get deployments -A -o yaml` and controller logs for unauthorised edits or new namespaces.
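One way to automate the first two checklist items, as an added example that is not from the original page or from Microsoft's report: it correlates saved output of `kubectl get pods -A -o json` and `kubectl top pods -A --no-headers`. The allowlist prefixes, the CPU threshold, the function names and the sample data are assumptions made for illustration.

```python
import json

# Image named on this page; extend from your own threat intel.
KNOWN_BAD_IMAGES = {"ddsfdfsaadfs/dfsdf:99"}
# Assumption: registries your cluster is expected to pull from.
ALLOWED_PREFIXES = ("gcr.io/", "registry.example.internal/")
CPU_LIMIT_MILLICORES = 2000  # assumption: alert threshold per pod


def parse_top(text):
    """Map (namespace, pod) -> CPU millicores from `kubectl top pods -A --no-headers`."""
    usage = {}
    for line in text.strip().splitlines():
        ns, pod, cpu = line.split()[:3]
        usage[(ns, pod)] = int(cpu[:-1]) if cpu.endswith("m") else int(float(cpu) * 1000)
    return usage


def find_suspects(pods_json, top_text):
    """Return sorted (namespace, pod, reason) tuples for pods worth a closer look."""
    usage = parse_top(top_text)
    findings = set()
    for item in json.loads(pods_json)["items"]:
        key = (item["metadata"]["namespace"], item["metadata"]["name"])
        spec = item["spec"]
        for c in spec.get("initContainers", []) + spec["containers"]:
            image = c["image"]
            if image in KNOWN_BAD_IMAGES:
                findings.add(key + ("known-bad image " + image,))
            elif not image.startswith(ALLOWED_PREFIXES):
                findings.add(key + ("image outside allowlist " + image,))
        if usage.get(key, 0) > CPU_LIMIT_MILLICORES:
            findings.add(key + (f"high CPU {usage[key]}m",))
    return sorted(findings)


# Constructed sample data (not captured from a real cluster).
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "kubeflow", "name": "ml-pipeline-0"},
     "spec": {"containers": [{"image": "gcr.io/ml-pipeline/api-server:1.0"}]}},
    {"metadata": {"namespace": "kubeflow", "name": "train-7f9c"},
     "spec": {"containers": [{"image": "ddsfdfsaadfs/dfsdf:99"}]}},
]})
SAMPLE_TOP = "kubeflow  ml-pipeline-0  35m    210Mi\nkubeflow  train-7f9c     3900m  480Mi\n"

if __name__ == "__main__":
    for ns, pod, reason in find_suspects(SAMPLE_PODS, SAMPLE_TOP):
        print(f"{ns}/{pod}: {reason}")
```

A pod that is flagged for both an unexpected image and sustained high CPU is the strongest candidate for the `kubectl describe` / `kubectl logs` follow-up in the checklist.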
Mitigation Steps
- Lock down Kubeflow dashboards and pipelines behind identity-aware proxies or VPNs.
- Enable Role-Based Access Control (RBAC) and namespace-level quotas to contain blast radius.
- Scan container images for known miners before deployment; enforce admission policies (OPA/Gatekeeper, Kyverno).
- Configure alerts on suspicious activity (unexpected images, escalated service accounts, network anomalies).
Reminder
Cloud security is a shared responsibility. Review organisational policies and coordinate with your security operations team before taking action in production clusters.