The Kinsing malware is currently actively attacking Kubernetes clusters by exploiting known vulnerabilities in container images and misconfigured, exposed PostgreSQL containers. These tactics may not be new, but Microsoft’s Defender for Cloud team has recently noticed an increase in their use, which suggests that the threat actors are actively searching for specific entry points. Kinsing is a Linux malware with a history of targeting containerized environments for cryptocurrency mining, using the compromised server’s hardware resources to generate revenue for the threat actors.

The Kinsing threat actors have a history of exploiting known vulnerabilities, including Log4Shell and the Atlassian Confluence RCE, to infiltrate targeted systems and establish a lasting presence. These cybercriminals actively seek out and use vulnerabilities to gain unauthorized access and maintain control within victim networks. Their use of known vulnerabilities lets them breach their targets quickly and effectively, making them a significant threat to organizations.

Scanning for container image flaws

Microsoft reports that Kinsing operators are increasingly using two methods to gain initial access to Linux servers: exploiting vulnerabilities in container images and targeting misconfigured PostgreSQL database servers. To deliver their payloads through image vulnerabilities, the threat actors often search for remote code execution flaws. Microsoft Defender for Cloud telemetry shows that the hackers are targeting vulnerabilities in PHPUnit, Liferay, Oracle WebLogic, and WordPress for initial access. In particular, they are scanning for specific remote code execution flaws in WebLogic, including CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883. Microsoft security researcher Sunders Bruskin notes that the attacks start with the hackers scanning a range of IP addresses for open ports that match the WebLogic default port (7001). To prevent these issues, Microsoft recommends using the latest versions of images from official repositories and minimizing access to exposed containers through IP allow lists and least-privilege principles.

What security experts have to say about the Kubernetes cluster hack

Microsoft’s security experts observed two initial attack pathways. The first was the targeting of misconfigured PostgreSQL servers. One common misconfiguration exploited by attackers is the “trust authentication” setting, which makes PostgreSQL assume that any connection to the server is authorized to access the database. Another mistake is assigning a range of allowed IP addresses that is too broad, so that it includes any IP address the attacker may be using to gain access to the server. Even if the IP access configuration is strict, Kubernetes can still be vulnerable to ARP (Address Resolution Protocol) poisoning, which allows attackers to spoof apps in the cluster to gain access.
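One way to check a PostgreSQL container for the two misconfigurations just described (a “trust” authentication rule and an over-broad client address range) is to audit its pg_hba.conf. This is an added example, not code from the article or from Microsoft; the sample pg_hba.conf and the /24 (IPv4) and /64 (IPv6) “too broad” thresholds are constructed assumptions.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the article) showing the two
# misconfigurations it describes: a "trust" rule and over-broad client ranges.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   10.20.30.0/24   scram-sha-256
host    all       all   0.0.0.0/0       trust
hostssl app       app   10.0.0.0/8      md5
"""
# Assumed policy: a client range wider than /24 (IPv4) or /64 (IPv6) is "too broad".
MIN_PREFIXLEN = {4: 24, 6: 64}

def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def parse_pg_hba(text):
    """Yield (type, database, user, address, method) per rule, skipping comments.
    Handles both ADDR/PREFIX and the older two-column ADDR NETMASK form."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        if fields[0] == "local":  # Unix-socket rule has no address column
            yield fields[0], fields[1], fields[2], None, fields[3]
        elif len(fields) >= 6 and _is_ip(fields[4]):
            yield fields[0], fields[1], fields[2], f"{fields[3]}/{fields[4]}", fields[5]
        elif len(fields) >= 5:
            yield fields[0], fields[1], fields[2], fields[3], fields[4]

def audit_pg_hba(text):
    """Return (finding, detail) pairs for trust rules and over-broad client ranges."""
    findings = []
    for ctype, db, user, addr, method in parse_pg_hba(text):
        if method == "trust":  # matching connections are accepted without credentials
            findings.append(("TRUST_AUTH", " ".join(f for f in (ctype, db, user, addr) if f)))
        if addr == "all":  # keyword that matches any client address
            findings.append(("BROAD_RANGE", addr))
        elif addr and "/" in addr:
            net = ipaddress.ip_network(addr, strict=False)
            if net.prefixlen < MIN_PREFIXLEN[net.version]:
                findings.append(("BROAD_RANGE", addr))
    return findings
```

Run `audit_pg_hba(open("/path/to/pg_hba.conf").read())` against a real file; an empty list means no trust rules and no ranges wider than the assumed thresholds were found.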

What could be done?

To prevent these PostgreSQL configuration issues, administrators should consult the project’s security recommendations webpage and apply the suggested measures. Defender for Cloud can also detect permissive settings and misconfigurations on PostgreSQL containers, helping administrators mitigate the risks before hackers exploit them. If a PostgreSQL server does become infected with Kinsing, Sreeram Venkitesh has written an article on how to identify and remove the malware.