Privacy Coin Dero Becomes Prime Target for Illicit Crypto Miners

Illicit crypto miners have discovered a new favorite cryptocurrency for their hacking activities: privacy-focused coin Dero. CrowdStrike, a cybersecurity firm, reported that Dero offers larger rewards and advanced anonymity features, making it a perfect match for attackers seeking an illicit payday.

The crypto crash of 2022 reduced the rewards of cryptojacking by between 50% and 90%. However, Dero has remained lucrative for cybercriminals. CrowdStrike has identified the first-ever detected Dero cryptojacking operation, which has targeted Kubernetes infrastructure on three U.S.-based servers since February.

According to Manoj Ahuje, senior threat researcher for cloud security at CrowdStrike, cryptojacking is always evolving as adversaries learn to monetize new cryptocurrencies and find weaknesses in various attack surfaces. More than 4,000 miner instances may have been deployed during this campaign.

Attackers target exposed Kubernetes clusters that can be accessed anonymously through the application programming interface (API) and nonstandard ports accessible from the internet. Threat actors can bypass authentication by exploiting a user with sufficient privilege who unintentionally exposes a secure Kubernetes API on the host. The attacker then deploys a Kubernetes DaemonSet, which deploys a malicious pod on each node of the Kubernetes cluster, allowing the attacker to engage resources of all nodes simultaneously.

Tracking funds in Dero wallets is difficult due to the cryptocurrency’s privacy and anonymity features. Dero uses a directed acyclic graph structure instead of chronological blocks of transactions, making it impossible to trace transactions in a way that reveals the sender or receiver of coins.