Kinsing's New Tactics for Initial Access to Kubernets Revealed

Use of vulnerable images

• A majority of images were vulnerable to remote code execution, allowing hackers to exploit the container and deploy malware.
• Kinsing targets servers having vulnerable versions of Liferay, WebLogic, WordPress, and PHPUnit, susceptible to remote code execution, to run malicious payloads.
• In a recent widespread campaign, the attackers were found scanning for open default WebLogic port 7001. When an exposed machine is detected, it executes a shell command to run the malware.

Abusing PostgreSQL misconfigurations

• One such misconfiguration is the trust authentication setting. To assign trust configuration, one requires to specify the accepted range of IP addresses eligible to connect to the machine. When the allowed range is wider or accepts the connections from any IP address (i.e. 0.0.0.0/0), attackers are able to connect to Postgres server without any authentication.
• Further, certain network configurations in Kubernetes are exposed to ARP poisoning. It allows attackers to impersonate apps in the cluster.
• Due to this, specifying a private IP address in the trust configuration poses a security risk.

A bit about the past

• Kinsing has a history of targeting containerized environments, usually abusing misconfigured open Docker daemon API ports, along with newly disclosed exploits to drop cryptocurrency miners.
• Moreover, the threat group was spotted making use of a rootkit to hide its existence. It further terminated and uninstalled the competing resource-intensive processes and services.

Conclusion