With great power comes great responsibility.
Kinsing cryptojacking.
Microsoft describes the initial access techniques the Kinsing cryptojacking malware uses against Kubernetes instances. It explains that the two most common tactics Kinsing uses to gain initial access are “[e]xploitation of weakly configured PostgreSQL containers and exploiting vulnerable images.”
Vulnerable images.
Kinsing attackers search for applications whose container images are vulnerable to remote code execution. Applications exploited this way include PHPUnit, Liferay, WebLogic, and WordPress. Microsoft offers the following advice for defending against these attacks:
“The first thing to note when deploying an image to the container is that it is an image from a known registry and it is patched with the latest version.
“Also, scan all images for vulnerabilities to identify which ones are vulnerable and what the vulnerabilities are, especially the ones that are used in exposed containers.
“It is also possible to mitigate the risk by minimizing access to the container, assigning access to specific IPs and applying the least privileges rule to the user.”
PostgreSQL misconfigurations.
Kinsing operators also exploit various PostgreSQL misconfigurations to deploy their malware. These include the lax ‘trust’ authentication setting, which allows anyone who can reach the database to connect. Some servers are also vulnerable to ARP poisoning.
Microsoft states, “In general, allowing access to a broad range of IP addresses is exposing the PostgreSQL container to a potential threat. Even if the unsecured ‘trust’ authentication method isn’t used, and other methods are used instead, it can open attackers to several options such as brute force on the Postgresql accounts, attacking the container availability with DoS and DDoS attacks, and trying to exploit the container and the DB itself.”
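As an added illustration, not taken from the Microsoft report or this article, the following script audits pg_hba.conf rules for the two conditions discussed above: the ‘trust’ method and address ranges broad enough to expose the database to the internet. The sample configuration is constructed, and the prefix lengths used to call a range “broad” are an assumption.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from any real deployment). The second
# 'host' line is the weak case: 'trust' exposed to every IPv4 address.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   0.0.0.0/0     trust
host    all       all   ::/0          md5
host    app       app   10.0.1.0/24   scram-sha-256
"""

# Assumed thresholds: a prefix this short or shorter counts as 'broad'.
BROAD_PREFIX_MAX = {4: 16, 6: 48}


def parse_pg_hba(text):
    """Yield (type, database, user, address, method) per rule line.

    Comments and blank lines are skipped; 'local' rules have no ADDRESS
    column, so address is None. Trailing options and the separate
    IP-plus-netmask address form are not handled here.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            yield f[0], f[1], f[2], None, f[3]
        else:
            yield tuple(f[:5])


def is_broad(address):
    """True if the address covers a large range (e.g. 0.0.0.0/0, ::/0, all)."""
    if address is None:
        return False
    if address == "all":
        return True
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False  # hostnames / samehost / samenet are not judged here
    return net.prefixlen <= BROAD_PREFIX_MAX[net.version]


def audit_pg_hba(text):
    """Return (severity, rule) findings: 'trust' is always flagged, and a
    broad range is flagged even with a password method, per the report."""
    findings = []
    for rule in parse_pg_hba(text):
        conn_type, _db, _user, address, method = rule
        if conn_type == "local":
            continue
        if method == "trust":
            findings.append(("critical" if is_broad(address) else "high", rule))
        elif is_broad(address):
            findings.append(("medium", rule))
    return findings


if __name__ == "__main__":
    for severity, rule in audit_pg_hba(SAMPLE_PG_HBA):
        print(severity, *rule)
```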
Industry comments.
Henning Horst, Chief Technology Officer at comforte AG, notes that with the great power of Kubernetes comes the great responsibility of securing it (but securing Kubernetes isn't all that hard):
“Kubernetes is extremely powerful and a new foundation of IT strategy, but not immune from malware, vulnerability and exploitation. What’s concerning is that, for the most part, the data security capabilities built into Kubernetes meet bare minimum standards – data at rest protection and data in motion. There’s no persistent protection of data itself, for example, using industry-accepted techniques like field-level tokenization. So if an ecosystem is compromised because of a vulnerability, it’s only a matter of time before the sensitive data being processed by it succumbs to a more insidious attack. In the last 2 years, Kubernetes vulnerabilities related to privilege escalation, firewall gaps, and remote code execution in Kubernetes tools certainly show it’s vulnerable. The good news is that highly effective techniques like stateless data tokenization are also available for cloud-native/Kubernetes ecosystems today and are ready to mitigate threats while letting enterprises get on with digital transformation at full throttle without breach risks getting in the way.”
Paul Bischoff, privacy advocate at Comparitech, says that attacks on misconfigured databases are no rarity:
“Attackers targeting misconfigured databases is surprisingly common. If a database is accessible from the public internet, then there's a strong chance that attackers can find it using specialized search engines like Shodan and Censys. Often the goal is to steal data or plant ransomware, but in Kinsing's case, the purpose is to install malware that mines cryptocurrency for the attacker using the victim's resources. For the victim, the result is diminished performance and higher usage bills.”