Kinsing malware has been active in compromising Kubernetes clusters. It exploits known vulnerabilities in containers images and exposed PostgreSQL container configurations.
These tactics are not new, but Microsoft’s Defender for Cloud Team reports that they’ve seen an increase in recent months, which indicates that threat actors actively seek out entry points.
Kinsing, a Linux malware that targets containerized environments to mine crypto coins, has a track record of generating revenue from the attackers by using their hardware resources.
Kinsing’s threat actors are well-known for using known vulnerabilities such as and more recently an in order to break into targets and establish persistent.
Scanning for container image flaws
Microsoft claims that Kinsing operators used two different methods to get initial access to Linux servers. These were exploiting vulnerabilities in containers images and misconfigured PostgreSQL databases.
Threat actors seek remote code execution flaws to exploit image vulnerabilities and push their payloads.
Telemetry from Microsoft Defender for Cloud indicated that threat actors were trying to exploit the vulnerabilities of the following apps for their initial access.
- Oracle WebLogic
CVEs 2020-14882 and CVEs 2020-14750 are the vulnerabilities that hackers look for in WebLogic cases. These flaws can be used to remotely execute code, which could have a negative impact on Oracle’s products.
“Recently we discovered a large campaign of Kinsing which targeted vulnerable WebLogic servers,” reads from Microsoft security researcher Sunders Bruskin.
“Attacks begin with scanning a large range of IP addresses looking for open ports that match the WebLogic default port 7001.
This problem can be mitigated by using the most recent versions of images that you want to use and only getting them from trusted locations and official repositories.
Microsoft suggests that you limit access to containers exposed by following the least privilege principles and IP allow lists.
Microsoft security specialists noticed a second attack path that was being used to target misconfigured PostgreSQL server.
PostgreSQL assumes that anyone who is able to connect to the server can access the database. This is one of the most popular misconfigurations attackers use.
A second error is to assign an IP range too large, which includes any IP addresses that the attacker might be using to gain access to the server.
Microsoft claims Kubernetes can still be prone to ARP poisoning even though the IP access configuration has been strict. This means that attackers may spoof cluster apps to gain access.
For PostgreSQL configuration problems, refer to the . Then apply the suggested measures.
Microsoft claims that Defender for Cloud detects permissive settings on PostgreSQL containers, and helps administrators reduce the risk before hackers exploit them.
BigBinary’s Sreeram Venkitesh created about how Kinsing infected PostgreSQL administrators and the steps they took to remove it.