Operators behind Kinsing malware are taking advantage of security flaws in the WebLogic Server. They are abusing these flaws to propagate cryptocurrency miners.
Abusing WebLogic server flaws
Trend Micro spotted financially-motivated Kinsing abusing a flaw to drop Python scripts to disable OS security features and service agents.
The recent attacks weaponized two years back revealed a flaw, CVE-2020-14882, a two-year-old RCE flaw by abusing unpatched servers to take control of the server and drop malware.
Hackers drop a shell script responsible for a series of actions such as disabling security features, such as Security-Enhanced Linux (SELinux) and cloud service agents from Tencent and Alibaba.
The shell script is used to download the Kinsing malware from a remote server. At the same time, the script establishes persistence on the infected system by using a cron job.
Docker API on the target
Hackers target container environments via misconfigured open Docker Daemon API ports.
The operators were seen launching a cryptominer and at the same time spreading the malware to other hosts and containers.
The successful exploitation of the flaw leads to RCE, allowing various malicious activities on infected systems, such as malware execution, data exposure, and taking over full control of a machine.
Kinsing operators are known for scanning vulnerable servers to add them to their botnet network. The reported vulnerability has been exploited in the past by other botnets to drop Monero miners and the Tsunami backdoor on infected Linux systems.
The recent abuse of WebLogic Servers and Docker APIs flaws highlights the growing interest of attackers in cryptomining. Security experts suggest organizations configure the exposed REST API with TLS to stop AiTM attacks. Further, use credential helpers and stores to host user credentials.