Cybersecurity firm CrowdStrike has identified the first ever cryptocurrency-jacking campaign targeting the privacy-focused cryptocurrency Dero. The operation has targeted US-based servers using Kubernetes infrastructure since February 2023.
While rewards for cryptojacking fell by between 50% and 90% in the 2022 crypto crash, Dero has continued to offer larger rewards to miners, making it a lucrative target for hackers.
The cryptocurrency’s privacy and anonymity features make it difficult to track funds in Dero wallets, and transactions cannot be followed in a way that reveals who sent or received coins.
The campaign operators find and target exposed Kubernetes clusters that can be accessed anonymously, along with non-standard ports that can be accessed from the internet.
Attackers can bypass authentication to deploy a Kubernetes DaemonSet, which in turn deploys a malicious pod on each node of the Kubernetes cluster. The mining work done by the pods is contributed back to a community pool, which distributes the reward equally among its contributors to their digital wallets.
These attackers are only attempting to mine Dero; they are not trying to move laterally to attack other resources or to perform internet-wide discovery scans.
The attack flow of the Dero campaign is nearly identical to that of a Monero-focused campaign. Both campaigns are trying to find undiscovered Kubernetes attack surfaces and are battling it out for the same clusters. The Monero campaign deletes the DaemonSets used for Dero cryptojacking in the Kubernetes cluster before taking it over.
The Monero campaign deliberately deletes existing DaemonSets to disrupt the Dero campaign before taking over the cluster and using the deployed resources for its own purposes. The fact that these campaigns are battling each other for control of vulnerable servers highlights the ongoing evolution of cryptojacking tactics.
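Both campaigns described above leave the same trace on the control plane: an unauthenticated principal creating, and in the Monero case deleting, DaemonSets through the Kubernetes API. The following detection is an added example written for this article, not code from CrowdStrike or from the campaigns; it scans Kubernetes audit-log events (the real `audit.k8s.io/v1` JSON-lines shape) for writes by `system:anonymous` / `system:unauthenticated` and for DaemonSet changes by anyone. The audit IDs, names, namespaces and IP addresses in the sample log are constructed for the example.

```python
"""Flag unauthenticated API writes and DaemonSet changes in Kubernetes audit logs.

Added example for this article, not the campaign's or CrowdStrike's code.
Input is the audit.k8s.io/v1 JSON-lines format the kube-apiserver emits when
an audit policy is configured. All sample data below is constructed.
"""
import json
from typing import Iterable, Optional

ANONYMOUS_USERS = {"system:anonymous"}
ANONYMOUS_GROUPS = {"system:unauthenticated"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Constructed sample events: an anonymous DaemonSet create (succeeded), an
# anonymous DaemonSet delete (succeeded), a benign anonymous /healthz probe,
# the DaemonSet controller creating a pod, an admin creating a DaemonSet, and
# an anonymous DaemonSet create that was denied with 403.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"evt-1","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/kube-system/daemonsets","verb":"create","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.23"],"objectRef":{"resource":"daemonsets","namespace":"kube-system","name":"proxy-api","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"evt-2","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/kube-system/daemonsets/proxy-api","verb":"delete","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"daemonsets","namespace":"kube-system","name":"proxy-api","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"evt-3","stage":"ResponseComplete","requestURI":"/healthz","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["10.0.0.5"],"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"evt-4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:daemon-set-controller","groups":["system:serviceaccounts","system:authenticated"]},"sourceIPs":["10.0.0.1"],"objectRef":{"resource":"pods","namespace":"kube-system","name":"proxy-api-x7k2q","apiVersion":"v1"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"evt-5","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/monitoring/daemonsets","verb":"create","user":{"username":"ops@example.com","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"daemonsets","namespace":"monitoring","name":"node-exporter","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"evt-6","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/default/daemonsets","verb":"create","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.77"],"objectRef":{"resource":"daemonsets","namespace":"default","name":"miner","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"code":403}}
"""


def is_anonymous(user: dict) -> bool:
    """True when the request carried no accepted credentials."""
    groups = set(user.get("groups", []))
    return user.get("username") in ANONYMOUS_USERS or bool(groups & ANONYMOUS_GROUPS)


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one audit event, or None if it is not interesting.

    critical: an unauthenticated write that the API server accepted (2xx).
    probe:    an unauthenticated write that was denied; the server is still
              reachable by anonymous clients, which is worth knowing.
    review:   any DaemonSet create/update/delete by an authenticated principal;
              DaemonSets land a pod on every node, so changes deserve a baseline.
    """
    # Judge only completed requests; the RequestReceived stage would duplicate findings.
    if event.get("stage") != "ResponseComplete":
        return None
    user = event.get("user") or {}
    verb = event.get("verb", "")
    ref = event.get("objectRef") or {}
    resource = ref.get("resource", "")
    code = (event.get("responseStatus") or {}).get("code", 0)

    is_write = verb in WRITE_VERBS
    if is_anonymous(user) and is_write:
        severity = "critical" if 200 <= code < 300 else "probe"
    elif resource == "daemonsets" and is_write:
        severity = "review"
    else:
        return None

    return {
        "auditID": event.get("auditID"),
        "severity": severity,
        "user": user.get("username"),
        "verb": verb,
        "resource": resource,
        "namespace": ref.get("namespace"),
        "name": ref.get("name"),
        "sourceIPs": event.get("sourceIPs", []),
        "code": code,
    }


def scan(lines: Iterable[str]) -> list:
    """Parse JSON-lines audit events and collect findings, skipping malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


def scan_text(text: str) -> list:
    """Convenience wrapper for an in-memory log; use scan(open(path)) for a file."""
    return scan(text.splitlines())


if __name__ == "__main__":
    for f in scan_text(SAMPLE_AUDIT_LOG):
        print(f"{f['severity']:8} {f['auditID']} {f['user']} {f['verb']} "
              f"{f['resource']}/{f['namespace']}/{f['name']} from {f['sourceIPs']} -> {f['code']}")
```

On the sample log this reports the two anonymous DaemonSet writes as critical, the admin's DaemonSet as review, and the denied anonymous create as a probe; the anonymous `/healthz` request and the controller's pod creation are ignored. A 403 still tells you the API server answers unauthenticated clients, which is the exposure the campaign depends on; on kube-apiserver that is governed by the `--anonymous-auth` flag.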