Microsoft Azure Machine Learning Clusters Cryptojacked to Mine Monero

Microsoft announced on June 10 that it had discovered a number of cryptojacking attacks on powerful machine-learning clusters on its Azure cloud computing network.

In a blog post, the company said that some customers had misconfigured nodes, allowing attackers to hijack them to mine the privacy-focused cryptocurrency Monero (XMR).

Default settings overridden

Microsoft said that it had discovered tens of clusters affected by the attack, which targets a machine learning toolkit, Kubeflow, for the open-source Kubernetes platform.

By default, the dashboard that controls Kubeflow is only accessible internally from the node, so users need to use port forwarding to tunnel in via the Kubernetes API. However, some users had modified this setting, potentially for convenience, directly exposing the dashboard to the internet.

With access to the dashboard, attackers had a number of available vectors through which to compromise the system.

Once the shield is down, attack

One possibility is to set up or modify a Jupyter notebook server in the cluster with a malicious image.

The Azure Security Center team discovered a suspect image from a public repository on a number of machine learning clusters.

By investigating the layers of the image, the team found that it ran an XMRig miner, which surreptitiously uses the node to mine Monero.
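A defender's check for the two conditions described above, as an added example that is not from Microsoft's post or this article: it reads the JSON printed by `kubectl get svc,pods -A -o json` and flags services in the Kubeflow-related namespaces that are reachable from outside the cluster, plus pods running images from outside an approved registry. The namespace names, the registry prefix and the sample objects are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get svc,pods -A -o json` output.
# All names, namespaces and images below are made up for this example.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Service", "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
  "spec": {"type": "LoadBalancer"}},
 {"kind": "Service", "metadata": {"name": "centraldashboard", "namespace": "kubeflow"},
  "spec": {"type": "ClusterIP"}},
 {"kind": "Pod", "metadata": {"name": "notebook-a-0", "namespace": "team-a"},
  "spec": {"containers": [{"name": "nb", "image": "registry.example.internal/ml/jupyter:1.0"}]}},
 {"kind": "Pod", "metadata": {"name": "notebook-b-0", "namespace": "team-a"},
  "spec": {"containers": [{"name": "nb", "image": "docker.io/someuser/jupyter:latest"}]}}
]}
""")

WATCHED_NAMESPACES = {"kubeflow", "istio-system"}     # assumption: where the dashboard path lives
TRUSTED_REGISTRIES = ("registry.example.internal/",)  # assumption: your approved registry

def exposed_services(items, namespaces=WATCHED_NAMESPACES):
    """Return (namespace, name, type) for services reachable from outside the cluster."""
    findings = []
    for obj in items:
        meta, spec = obj.get("metadata", {}), obj.get("spec", {})
        if obj.get("kind") != "Service" or meta.get("namespace") not in namespaces:
            continue
        # ClusterIP is internal-only; these types or fields publish the service externally.
        if spec.get("type") in ("LoadBalancer", "NodePort") or spec.get("externalIPs"):
            findings.append((meta["namespace"], meta["name"], spec.get("type")))
    return findings

def untrusted_images(items, trusted=TRUSTED_REGISTRIES):
    """Return (namespace, pod, image) for containers not pulled from an approved registry."""
    findings = []
    for obj in items:
        if obj.get("kind") != "Pod":
            continue
        spec = obj.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            image = c.get("image", "")
            if not image.startswith(trusted):
                findings.append((obj["metadata"]["namespace"], obj["metadata"]["name"], image))
    return findings

if __name__ == "__main__":
    for finding in exposed_services(SAMPLE["items"]) + untrusted_images(SAMPLE["items"]):
        print("FINDING", *finding)
```

Against a live cluster, replace `SAMPLE` with the parsed output of the `kubectl` command and set the two constants to match your deployment.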

Machine learning clusters are relatively powerful and sometimes contain GPUs, making them an ideal target for cryptojackers.

As Cointelegraph reported, cybersecurity firm Sophos recently revealed that attackers had breached vulnerable Microsoft SQL Server databases to install the same XMRig software, which mines Monero.
