Kinsing Malware Uses Unique Techniques to Breach Kubernetes

By exploiting vulnerabilities in container images and misconfigured PostgreSQL containers, Kinsing malware is now actively infiltrating Kubernetes clusters.

Threat actors are not unusual in using these tactics, but it appears that the past week has seen an uptick in the number of threats. It is evident from this that threat actors are actively seeking access points to the cloud in order to launch attacks on the system.

In terms of malware, Kinsing has a history of targeting systems that are containerized for cryptomining, which makes it an ideal choice for threat actors. As a result, threat actors are able to generate revenue by using the expensive hardware resources from the breached server.

An Atlassian Confluence RCE was also exploited in 2012 by the threat actors behind Kinsing for the purpose of establishing persistence on targets, something that has been on the rise recently following the discovery of a Log4Shell vulnerability as well.


Methods that are exploited are:-

  • Method 1: Vulnerable images
  • Method 2: Exploitation of weakly configured PostgreSQL

Finding Container Image Flaws

A number of images have been detected frequently infected with Kinsing malware through Microsoft’s threat-hunting activity.

An attacker with network access was able to exploit many of those images and run their malicious payload from inside the container, as those images were vulnerable to RCE (Remote Code Execution).

It has been noted by Microsoft that Kinsing operators are increasingly using two methods to gain access to Linux servers. The exploit involves exploiting vulnerabilities found in the container images or the PostgreSQL database servers that have been misconfigured.

The following are some examples of vulnerable applications that have been exploited by malicious actors:-

  • PHPUnit
  • Liferay
  • WebLogic
  • WordPress

It was revealed in 2020 that Oracle was prone to a number of high-severity vulnerabilities, which can be exploited remotely by hackers, and here they are mentioned below:-

In the initial stage of an attack, a wide range of IP addresses are scanned to determine if a port matching the default port (7001) of WebLogic is open.

One must edit the pg_hba.conf file in order to assign trust configuration to a specific IP address. The following line needs to be added:-

  • “Host     all           all           [IP_Address/range]        trust”

There is a risk that the cluster will come under attack from external sources if it is exposed to the Internet without proper security measures. Moreover, attackers may exploit known vulnerabilities in images to gain access to the cluster.

Exposures and vulnerable images must be identified and mitigated by security teams before they are compromised. 

If a company wishes to protect itself as much as possible against security breaches and risky exposures, regularly updating images and secure configurations can prove to be a game changer.

Using the latest versions of images is one of the easiest and quickest ways to mitigate this problem. It is also recommended that users download these images from official repositories and trusted sources.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Source link