Kinsing malware operators, known for cryptojacking operations targeting Kubernetes environments, have been found employing various techniques to gain initial access to target networks.
According to Microsoft, Kinsing uses two key methods for initial access: exploiting vulnerable software images and abusing misconfigurations in PostgreSQL.
Use of vulnerable images
Experts have observed multiple container images that were frequently infected with Kinsing malware.
Most of these images were vulnerable to remote code execution, which allowed the attackers to exploit the container and deploy the malware.
Kinsing targets servers running vulnerable versions of Liferay, WebLogic, WordPress, and PHPUnit that are susceptible to remote code execution, and uses them to run malicious payloads.
In a recent widespread campaign, the attackers were found scanning for the open default WebLogic port 7001. When an exposed machine is detected, they execute a shell command on it to run the malware.
Abusing PostgreSQL misconfigurations
The second method involves abusing misconfigured and exposed PostgreSQL servers.
One such misconfiguration is the trust authentication setting. To configure trust authentication, the administrator specifies the range of IP addresses that are allowed to connect to the machine. When that range is too wide, or accepts connections from any IP address (i.e. 0.0.0.0/0), attackers can connect to the PostgreSQL server without any authentication.
Further, certain network configurations in Kubernetes are exposed to ARP poisoning, which allows attackers to impersonate applications in the cluster.
As a result, even specifying a private IP address range in the trust configuration poses a security risk.
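The following is an added example, not code from the original report or from Microsoft: a small audit script that parses a pg_hba.conf file, flags every entry using the trust method, and rates it by how wide the allowed address range is. It encodes the two points above: a trust entry open to any address (0.0.0.0/0, ::/0 or all) is the worst case, and a trust entry limited to a private range is still high risk because an attacker on the cluster network can impersonate an allowed address. The sample pg_hba.conf embedded below is constructed for illustration; the weak trust lines sit beside their corrected scram-sha-256 equivalents.

```python
"""Audit a PostgreSQL pg_hba.conf for risky 'trust' authentication entries.

Added example (not from the original report or from Microsoft's tooling).
The sample configuration below is constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
ANY_ADDRESS = {"all", "0.0.0.0/0", "::/0"}

# Constructed sample pg_hba.conf: the 'trust' lines are the weak settings,
# the 'scram-sha-256' lines are the corrected equivalents.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   trust
host    all       all   0.0.0.0/0       trust
host    all       all   10.42.0.0/16    trust
host    all       all   192.168.1.10 255.255.255.255 trust
host    all       all   10.42.0.0/16    scram-sha-256
hostssl all       all   ::/0            scram-sha-256
"""


@dataclass
class Finding:
    line_no: int
    conn_type: str
    address: str
    severity: str
    reason: str


def _looks_like_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _parse_line(line):
    """Return (conn_type, address, method) or None for comments/blank lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tokens = line.split()
    conn_type = tokens[0]
    if conn_type == "local":
        # local  DATABASE  USER  METHOD [OPTIONS]  (unix socket, no address)
        return (conn_type, None, tokens[3]) if len(tokens) >= 4 else None
    if conn_type in HOST_TYPES:
        if len(tokens) < 5:
            return None
        address, rest = tokens[3], tokens[4:]
        # pg_hba.conf also allows "IP NETMASK" as two separate columns;
        # fold that into CIDR notation so one code path handles both forms.
        if _looks_like_ip(rest[0]):
            address = str(ipaddress.ip_network(f"{address}/{rest[0]}", strict=False))
            rest = rest[1:]
        return (conn_type, address, rest[0]) if rest else None
    return None


def _rate_trust(conn_type, address):
    """Severity and reason for a 'trust' entry, based on the allowed range."""
    if conn_type == "local":
        return "medium", "any local OS user can connect without a password"
    if address in ANY_ADDRESS:
        return "critical", "trust authentication reachable from any IP address"
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return "high", f"trust authentication for hostname/keyword '{address}'"
    if net.is_private:
        return "high", ("trust for a private range; an attacker on the cluster "
                        "network (e.g. via ARP poisoning) can impersonate an "
                        "allowed address")
    return "critical", "trust authentication for a public address range"


def audit_pg_hba(text):
    """Return a Finding for every 'trust' entry in the given pg_hba.conf text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parsed = _parse_line(raw)
        if parsed is None:
            continue
        conn_type, address, method = parsed
        if method.lower() != "trust":
            continue
        severity, reason = _rate_trust(conn_type, address)
        findings.append(Finding(line_no, conn_type, address or "(unix socket)",
                                severity, reason))
    return findings


def harden_line(raw):
    """Rewrite a 'trust' entry to require scram-sha-256; other lines unchanged.

    Assumes 'trust' appears only as the METHOD token on that line."""
    parsed = _parse_line(raw)
    if parsed is None or parsed[2].lower() != "trust":
        return raw
    return re.sub(r"\btrust\b", "scram-sha-256", raw, count=1)


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f.line_no}: {f.severity:8} {f.conn_type:8} "
              f"{f.address:20} {f.reason}")
```

Run against the constructed sample, the script reports the four trust entries (lines 2 to 5) and leaves the scram-sha-256 lines alone; the netmask-style entry is normalised to 192.168.1.10/32 so it is rated like any other private range. Switching a line to scram-sha-256 with harden_line only helps once the affected roles actually have passwords set and password_encryption is scram-sha-256 on the server, and PostgreSQL must be reloaded for the new pg_hba.conf to take effect.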
A bit about the past
In the past, the group has been observed using different tactics in its attacks.
Kinsing has a history of targeting containerized environments, usually abusing misconfigured, openly exposed Docker daemon API ports along with newly disclosed exploits to drop cryptocurrency miners.
Moreover, the threat group was spotted using a rootkit to hide its presence. It also terminated and uninstalled competing resource-intensive processes and services.
Conclusion
This report shows how exposing clusters to the internet without proper security measures creates security risk. Administrators are therefore advised to exercise caution by regularly updating images and using secure configurations when setting up these services. Moreover, regular audits of exposed infrastructure can help avoid several of these risks.