Researchers on Palo Alto Networks’ Unit 42 team recently discovered a new strain of malware, named Hildegard, that the cloud-focused TeamTNT cybercrime gang is using to attack Kubernetes clusters, with larger-scale attacks expected to follow.
The malware was first observed in January 2021, although its infrastructure had been online for somewhat longer. Unit 42 reported that in the initial incident the malware gained access through a misconfigured kubelet that allowed anonymous access, then attempted to spread across multiple containers to launch cryptojacking operations.
Cryptojacking drains system resources, causes a denial of service, and disrupts the applications running in the compromised cluster. The group can thus harness the large computing resources of Kubernetes environments for cryptojacking and exfiltrate sensitive data from the thousands of applications running in the clusters.
There has been no further activity since then, but it is suspected that a larger-scale attack is imminent.
It was also reported that this is the first time the group has targeted Kubernetes environments, and the new malware appears to carry new features that make it stealthier and more persistent.
As a result, this campaign is described as one of the most sophisticated attacks targeting Kubernetes, with very capable malware: the threat actors have developed more advanced tactics for initial access, execution, defense evasion, and command and control (C2).