Kinsing Operators Target WebLogic Servers and Docker APIs for Cryptomining

Abusing WebLogic server flaws

• The recent attacks weaponized two years back revealed a flaw, CVE-2020-14882, a two-year-old RCE flaw by abusing unpatched servers to take control of the server and drop malware.
• Hackers drop a shell script responsible for a series of actions such as disabling security features, such as Security-Enhanced Linux (SELinux) and cloud service agents from Tencent and Alibaba.
• The shell script is used to download the Kinsing malware from a remote server. At the same time, the script establishes persistence on the infected system by using a cron job.

Docker API on the target

• Hackers target container environments via misconfigured open Docker Daemon API ports.
• The operators were seen launching a cryptominer and at the same time spreading the malware to other hosts and containers.

More info

• The successful exploitation of the flaw leads to RCE, allowing various malicious activities on infected systems, such as malware execution, data exposure, and taking over full control of a machine.
• Kinsing operators are known for scanning vulnerable servers to add them to their botnet network. The reported vulnerability has been exploited in the past by other botnets to drop Monero miners and the Tsunami backdoor on infected Linux systems.

Conclusion