Cryptocurrency mining campaigns have found a powerful new ally in cloud infrastructure vulnerabilities. On April 21, 2023, Aqua Security’s Nautilus research team disclosed a large-scale attack campaign dubbed RBAC Buster that exploited Kubernetes Role-Based Access Control mechanisms to hijack at least 60 misconfigured clusters for Monero cryptocurrency mining. With Bitcoin trading around $27,277 and Ethereum at $1,850, the economic incentive for cryptojacking remains enormous, and this campaign demonstrates how sophisticated the attacks have become.
The Exploit Mechanics
The RBAC Buster campaign operates through a multi-stage attack chain that begins with exploiting misconfigured Kubernetes API servers that permit unauthenticated access from anonymous users. Once initial access is obtained, the attacker sends HTTP requests to enumerate secrets and gather cluster intelligence by listing entities in the kube-system namespace. The threat actors deliberately check whether the target has already been compromised — either by their own campaign under the name kube-controller or by rival cybercriminals. If competing malware is found, the attackers remove it to monopolize the cluster’s resources.
The persistence mechanism is particularly concerning. The attackers create a new ClusterRole with near-admin-level privileges and a ServiceAccount named kube-controller within the kube-system namespace. They then establish a ClusterRoleBinding called system:controller:kube-controller that ties these together. The naming deliberately mimics a legitimate Kubernetes daemon, so the objects blend into standard logs and escape the attention of overwhelmed operations teams. The binding ensures that even if anonymous access is later disabled, the attacker retains persistent control over the cluster, because the ServiceAccount's credentials remain valid.
Affected Systems
The campaign primarily targets Kubernetes clusters with exposed APIs and leaked access keys. Aqua Security’s honeypots, which were purposely misconfigured to attract attackers, captured the full attack lifecycle. The researchers noted that the malicious container image kuberntesio/kube-controller — a typosquatting variant of the legitimate kubernetesio account — had been pulled more than 14,000 times from Docker Hub over five months, indicating widespread deployment. The typo in the username is subtle enough to escape casual inspection.
When Aqua Security examined the attacker’s Monero wallet configuration, they found approximately 5 XMR already mined, with the potential to generate roughly $200 per worker per year. While individual node earnings appear modest, the scale of 60 or more compromised clusters running mining operations simultaneously translates into significant aggregate revenue for the attacker at minimal cost.
The Mitigation Strategy
Organizations running Kubernetes clusters should immediately audit their API server configurations to ensure anonymous authentication is disabled. The attack relies fundamentally on misconfigured clusters that expose APIs without proper authentication. Administrators should review all ClusterRoles and ClusterRoleBindings, particularly those with names similar to system components, and verify that each binding corresponds to a legitimate operational requirement.
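The audit described here can be scripted. The following is an added example, not Aqua's tooling or any code from the campaign: it flags ClusterRoleBindings that fit the persistence pattern from the "Exploit Mechanics" section (a system:-prefixed binding that kube-apiserver did not create, or a wildcard ClusterRole handed to a ServiceAccount). It reads the JSON shape that `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` produce; the sample objects, including the attacker-style `kube-controller` role and binding, are constructed for illustration. The `kubernetes.io/bootstrapping=rbac-defaults` label is the one kube-apiserver puts on the default RBAC objects it reconciles.

```python
# Added example (not Aqua's tooling or the campaign's code): flag ClusterRoleBindings
# that fit the RBAC Buster persistence pattern. Input mirrors the JSON shape of
# `kubectl get clusterroles -o json` / `kubectl get clusterrolebindings -o json`;
# the sample objects below are constructed, not captured from a real cluster.
import json
import sys

# kube-apiserver labels every default RBAC object it creates and reconciles with
# this label; a system:-prefixed object without it was created by someone else.
BOOTSTRAP_LABEL = "kubernetes.io/bootstrapping"
BOOTSTRAP_VALUE = "rbac-defaults"


def is_near_admin(role):
    """True if any rule grants every verb on every resource (of any API group)."""
    return any("*" in r.get("verbs", []) and "*" in r.get("resources", [])
               for r in role.get("rules", []))


def audit_bindings(roles_list, bindings_list):
    """Return [(binding_name, [reasons])] for bindings that deserve a human look."""
    roles = {r["metadata"]["name"]: r for r in roles_list["items"]}
    findings = []
    for binding in bindings_list["items"]:
        meta = binding["metadata"]
        name = meta["name"]
        reasons = []
        # 1. The system: prefix is reserved; a binding using it without the
        #    bootstrap label is impersonating a built-in component.
        if name.startswith("system:") and meta.get("labels", {}).get(BOOTSTRAP_LABEL) != BOOTSTRAP_VALUE:
            reasons.append("system: name without the kubernetes.io/bootstrapping=rbac-defaults label")
        # 2. A wildcard ClusterRole bound to a ServiceAccount turns any pod that
        #    mounts that account's token into a cluster admin that outlives the
        #    original misconfiguration.
        role_name = binding["roleRef"]["name"]
        role = roles.get(role_name)
        sa_subjects = [s for s in binding.get("subjects", []) if s.get("kind") == "ServiceAccount"]
        if role is None:
            reasons.append(f"roleRef {role_name} points at a ClusterRole that does not exist")
        elif sa_subjects and is_near_admin(role):
            who = ", ".join(f"{s.get('namespace', '?')}/{s['name']}" for s in sa_subjects)
            reasons.append(f"wildcard ClusterRole {role_name} bound to ServiceAccount {who}")
        if reasons:
            findings.append((name, reasons))
    return findings


# --- constructed sample data in kubectl's JSON shape -------------------------
def _meta(name, bootstrap):
    meta = {"name": name}
    if bootstrap:
        meta["labels"] = {BOOTSTRAP_LABEL: BOOTSTRAP_VALUE}
    return meta


def _role(name, rules, bootstrap=False):
    return {"kind": "ClusterRole", "metadata": _meta(name, bootstrap), "rules": rules}


def _binding(name, role, subjects, bootstrap=False):
    return {"kind": "ClusterRoleBinding", "metadata": _meta(name, bootstrap),
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
            "subjects": subjects}


WILDCARD = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
SAMPLE_ROLES = {"items": [
    _role("cluster-admin", WILDCARD, bootstrap=True),
    _role("system:controller:node-controller",
          [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch", "patch"]}],
          bootstrap=True),
    _role("kube-controller", WILDCARD),  # attacker-style near-admin role, not built in
]}
SAMPLE_BINDINGS = {"items": [
    _binding("cluster-admin", "cluster-admin",
             [{"kind": "Group", "name": "system:masters"}], bootstrap=True),
    _binding("system:controller:node-controller", "system:controller:node-controller",
             [{"kind": "ServiceAccount", "name": "node-controller", "namespace": "kube-system"}],
             bootstrap=True),
    _binding("system:controller:kube-controller", "kube-controller",
             [{"kind": "ServiceAccount", "name": "kube-controller", "namespace": "kube-system"}]),
]}

if __name__ == "__main__":
    # Usage: python audit_rbac.py clusterroles.json clusterrolebindings.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            roles_doc, bindings_doc = json.load(f1), json.load(f2)
    else:
        roles_doc, bindings_doc = SAMPLE_ROLES, SAMPLE_BINDINGS
    for binding_name, why in audit_bindings(roles_doc, bindings_doc):
        print(f"SUSPICIOUS {binding_name}")
        for line in why:
            print(f"  - {line}")
```

Run against the sample data, only `system:controller:kube-controller` is reported, with both reasons; the genuine `cluster-admin` binding (wildcard role, but bound to the `system:masters` group and labelled by the API server) and the genuine `system:controller:node-controller` binding pass. The check is a triage aid, not a replacement for turning off anonymous authentication on kube-apiserver (`--anonymous-auth=false`): it finds persistence that is already in place, while the flag closes the door the campaign walked through.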
Container image provenance is equally critical. Teams should implement image allowlisting policies that restrict deployments to trusted registries and validate image signatures. The typosquatting technique used in this campaign — uploading malicious images with names resembling official Kubernetes components — can be neutralized by enforcing strict image sourcing policies and regularly scanning deployed containers against known threat intelligence feeds.
Lessons Learned
The RBAC Buster campaign exposes a fundamental tension in cloud-native infrastructure: the complexity of Kubernetes security configurations creates fertile ground for exploitation. The fact that a single misconfiguration — allowing anonymous API access — can cascade into persistent cluster compromise, resource theft, and potential data exposure highlights the need for defense-in-depth approaches. Security teams must treat infrastructure-as-code templates with the same rigor as application code, implementing automated policy enforcement that prevents dangerous configurations from reaching production environments.
For the cryptocurrency ecosystem specifically, this attack underscores that threats extend far beyond smart contract exploits and exchange hacks. Any infrastructure supporting crypto operations — from mining pools to exchange backends to DeFi protocol nodes — can become a target for resource hijacking. As the crypto market maintains valuations above $1.2 trillion in total capitalization, the economic motivation for these attacks will only intensify.
User Action Required
Platform operators and DevOps teams should conduct immediate reviews of their Kubernetes environments. Disable anonymous authentication on all API servers, implement network policies that restrict pod-to-pod communication to only what is necessary, and deploy runtime security tools that can detect cryptomining processes within containers. Additionally, consider using admission controllers that block deployments from untrusted registries. The cryptocurrency community must recognize that infrastructure security is inseparable from asset security in the modern threat landscape.
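The image-sourcing policy from the "Mitigation Strategy" section and the admission controller recommended here come down to one decision per container: which registry does this image reference actually resolve to, and is that registry allowlisted? The following is an added example, not the page's code or any policy engine's implementation, of that decision. The allowlist and the sample Pod are constructed; the one image name taken from the article is the typosquatted `kuberntesio/kube-controller`, which resolves to Docker Hub because it carries no registry host. It also covers the edge cases that make naive string matching unsafe: registry ports that look like tags, the implicit `docker.io` and `library/` defaults, digests, and look-alike hostnames that a prefix match would accept.

```python
# Added example (not the page's or any policy engine's code): the registry-allowlist
# decision an admission controller would make for a Pod. The allowlist and the sample
# Pod are constructed; the one image name taken from the article is the typosquatted
# kuberntesio/kube-controller.
ALLOWED_REGISTRIES = {"registry.example.com", "quay.io"}  # constructed allowlist


def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest) with the same
    defaults the container runtime applies: no registry means docker.io, and a bare
    name such as "nginx" lives under the library/ namespace."""
    digest = None
    if "@" in ref:                       # name@sha256:<hex>
        ref, digest = ref.split("@", 1)
    name, _, tag = ref.rpartition(":")
    if not name or "/" in tag:           # the ':' was a registry port, not a tag
        name, tag = ref, ""
    first, sep, rest = name.partition("/")
    # Only a first component that looks like a host (has a '.', a port, or is
    # localhost) is a registry; "kuberntesio/kube-controller" is a Docker Hub repo.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", name
    if "/" not in repo:
        repo = "library/" + repo
    return registry, repo, (tag or (None if digest else "latest")), digest


def check_pod(pod, allowed=ALLOWED_REGISTRIES, require_digest=False):
    """Return (admit, violations) covering initContainers and containers."""
    spec = pod["spec"]
    violations = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        registry, repo, tag, digest = parse_image(c["image"])
        if registry not in allowed:      # exact host match: no suffix or prefix tricks
            violations.append(f"{c['name']}: {c['image']} resolves to {registry}/{repo}, registry not allowlisted")
        elif require_digest and digest is None:
            violations.append(f"{c['name']}: {c['image']} is not pinned by digest")
    return (not violations, violations)


# Constructed Pod spec: allowlisted images, the campaign's typosquatted Docker Hub
# image, and a look-alike hostname that a prefix match would wrongly accept.
SAMPLE_POD = {"spec": {
    "initContainers": [{"name": "migrate", "image": "registry.example.com/platform/migrate:2.0"}],
    "containers": [
        {"name": "api", "image": "registry.example.com/platform/api:1.4.2"},
        {"name": "miner", "image": "kuberntesio/kube-controller"},
        {"name": "lookalike", "image": "registry.example.com.attacker.example/platform/api:1.4.2"},
    ],
}}

if __name__ == "__main__":
    admit, why = check_pod(SAMPLE_POD)
    print("ADMIT" if admit else "DENY")
    for line in why:
        print("  -", line)
```

For the sample Pod the decision is DENY with two violations: the unqualified `kuberntesio/kube-controller` resolves to `docker.io`, and the look-alike host is rejected because registries are compared as whole hostnames. Setting `require_digest=True` additionally rejects anything not pinned by `@sha256:`, which is what makes a signature or scan result for a specific image actually binding at deploy time.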
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified professionals for specific security assessments.

60 clusters hijacked because someone left anonymous access enabled on the API server. This is cloud security 101 and people still mess it up
k8s_witcher: anonymous access on the API server in 2023. this was solved in k8s docs like 5 years ago. zero excuse
60 clusters and probably thousands more misconfigured ones they didn't find. the visible attacks are just the tip
The part where they remove competing malware is wild. Criminals fighting criminals for computing resources to mine Monero. What a time to be alive.
Dae-Jung K.: the part that gets me is they check for competing malware and remove it. professional courtesy among cryptominers lmao
professional courtesy among criminals lmao. the kube-controller malware removing rival infections is peak cryptojacking etiquette
if you're running k8s and haven't audited your RBAC policies this year, stop reading this and go do it now. seriously
monero mining specifically because it's the only coin where you can't trace the payout wallet. every k8s hack I investigate is either monero or proxy traffic