A hacking campaign is targeting Kubernetes environments using misconfigured Argo Workflows to deploy cryptominers. Argo Workflows is an open source application that defines a sequence of tasks in Kubernetes, one of the most widely adopted container orchestration platforms for automating the deployment, scaling and management of containerized applications.

The flaw arises from a misconfiguration vulnerability in Argo Workflows that gives threat actors the ability to run unauthorized code in the victim’s environment. Attackers are exploiting the flaw to deploy XMRig to mine Monero cryptocurrency. Researchers identified one attack in the wild involving a Kubernetes cluster that’s been running for the past nine months.

“In instances when permissions are misconfigured, it is possible for an attacker to access an open Argo dashboard and submit their own workflow. In one cluster, we noticed that a popular cryptocurrency mining container, kannix/monero-miner, was being deployed,” the report notes. “Its ease of use allowed it to be conveniently used by threat actors of any skill level to conduct cryptojacking, since all that was required was to change the address of who the mined cryptocurrency would be deposited.”

Researchers were able to identify several unprotected Argo Workflows nodes. A compromise of these systems could have a far-reaching impact on Kubernetes users, as it can leak a host of sensitive information.

While studying the impact of exposed Argo Workflows instances, researchers discovered a number of unprotected instances operated by companies in several industries, including technology, finance and logistics. Exposed instances can contain sensitive information such as code, credentials and private container image names.
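For defenders, the two conditions described above (a server that accepts unauthenticated requests, and a submitted workflow running a miner image) can be checked from exported cluster state. The following Python sketch is an added example, not code from the report or from the Argo project. It assumes the input is the JSON printed by `kubectl get workflows -A -o json` and by `kubectl get deployment argo-server -o json`, and that Argo Server's `server` auth mode is the setting that serves requests without client credentials. The function names and sample objects are constructed for illustration.

```python
# Assumption: substrings to flag in image names. kannix/monero-miner and XMRig
# are the two names given in the article; extend the tuple for your environment.
SUSPECT_MARKERS = ("kannix/monero-miner", "xmrig")

def workflow_images(workflow):
    """Yield (template name, image) for each container a Workflow would run."""
    for tmpl in workflow.get("spec", {}).get("templates", []):
        runners = [tmpl.get("container"), tmpl.get("script")]
        runners += tmpl.get("initContainers") or []
        runners += tmpl.get("sidecars") or []
        runners += (tmpl.get("containerSet") or {}).get("containers") or []
        for c in runners:
            if c and c.get("image"):
                yield tmpl.get("name", "?"), c["image"]

def find_suspect_workflows(workflow_list):
    """Return (namespace, workflow, template, image) for flagged images."""
    hits = []
    for wf in workflow_list.get("items", []):
        meta = wf.get("metadata", {})
        for tmpl, image in workflow_images(wf):
            if any(m in image.lower() for m in SUSPECT_MARKERS):
                hits.append((meta.get("namespace"), meta.get("name"), tmpl, image))
    return hits

def server_mode_enabled(deployment):
    """True if any container is started with --auth-mode server."""
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        argv = (c.get("command") or []) + (c.get("args") or [])
        for i, arg in enumerate(argv):
            if arg == "--auth-mode=server":
                return True
            if arg == "--auth-mode" and argv[i + 1 : i + 2] == ["server"]:
                return True
    return False

# Constructed sample input, shaped like `kubectl get ... -o json` output.
SAMPLE_WORKFLOWS = {"items": [
    {"metadata": {"namespace": "ci", "name": "build-7f2k"},
     "spec": {"templates": [{"name": "build", "container": {"image": "golang:1.22"}}]}},
    {"metadata": {"namespace": "argo", "name": "job-x9"},
     "spec": {"templates": [{"name": "main",
                             "container": {"image": "docker.io/kannix/monero-miner:latest"}}]}},
]}
SAMPLE_SERVER = {"spec": {"template": {"spec": {"containers": [
    {"name": "argo-server", "args": ["server", "--auth-mode=server"]}]}}}}

if __name__ == "__main__":
    print(find_suspect_workflows(SAMPLE_WORKFLOWS))
    print("server auth mode enabled:", server_mode_enabled(SAMPLE_SERVER))
```

Image-name matching only catches miners that keep a recognizable name, and workflows that pull their templates through a `workflowTemplateRef` are not expanded here, so treat an empty result as one signal rather than a clean bill of health.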

Kubernetes, which is developed and backed by Google, has been extensively targeted by threat actors as part of cryptojacking and other malicious campaigns.

TeamTNT and Siloscape have actively targeted Kubernetes in the past.