WebLogic server flaws targeted by the Kinsing malware operators

September 22, 2022

Kinsing malware operators are exploiting security vulnerabilities in WebLogic Server to expand their attack scope and rapidly multiply their crypto miners.

According to researchers, the Kinsing operators are extremely financially motivated in each attack. They were recently seen abusing a particular flaw to deploy Python scripts that deactivate several OS service agents and security solutions.

The operators' most recent campaign consists of attacks that weaponise a flaw tracked as CVE-2020-14882. This vulnerability is a Remote Code Execution (RCE) flaw, a couple of years old, that attackers can abuse on outdated and unpatched servers to take them over and drop malware.

Moreover, the attackers drop a shell script that sets off a chain of events, such as disabling security functions like Security-Enhanced Linux and the cloud service agents from Alibaba and Tencent.

Subsequently, the unknown threat actors use the shell script to download the Kinsing malware from a remote server. The script can also establish persistence on the infected system through a cron job.

The Kinsing malware operators could also utilise Application Programming Interfaces (APIs) for their attacks.

Several analysts noted that the Kinsing malware operators had targeted container environments with poorly configured, open Docker daemon Application Programming Interface (API) ports.

A separate researcher then observed the malware operators deploying a cryptocurrency miner while distributing the malware to other containers and hosts.

Exploiting the RCE flaw mentioned earlier enables several other malicious activities on infected systems. These activities range from malware execution to total device takeover. Unfortunately, other botnet operators have already abused the reported flaw to deploy the Tsunami backdoor and Monero cryptominers on compromised Linux systems.

The latest exploitation of Docker APIs and critical WebLogic Server vulnerabilities shows that threat actors are drawn to them for crypto mining attacks. Cybersecurity experts recommend that organisations configure the exposed REST API with TLS to obstruct adversary-in-the-middle (AiTM) attacks.

Researchers urge organisations to use credential helpers and stores to hold user credentials.
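
A defender-side check for the TLS recommendation above, as an added example that is not from the article or from Docker: it audits a Docker `daemon.json` for TCP listeners that are plaintext or that lack client-certificate verification. The sample configurations are constructed, and the check assumes listeners are set in `daemon.json` rather than through `-H` flags on the `dockerd` command line.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (illustrative, not from the article).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_ONLY = '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true}'
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,  # require client certificates signed by the CA
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARDS = {"", "0.0.0.0", "::"}  # bind addresses reachable on every interface


def audit_daemon_config(text):
    """Return (severity, message) findings for the text of a daemon.json file."""
    cfg = json.loads(text)
    verify = cfg.get("tlsverify") is True
    encrypt = verify or cfg.get("tls") is True
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not network-reachable
        bind = url.hostname or ""
        where = "all interfaces" if bind in WILDCARDS else bind
        if not encrypt:
            findings.append(
                ("critical", f"{host}: plaintext, unauthenticated API on {where}"))
        elif not verify:
            findings.append(
                ("high", f"{host}: TLS without client-certificate checks on {where}"))
        elif bind in WILDCARDS:
            findings.append(
                ("info", f"{host}: mutual TLS, but bound to all interfaces"))
    return findings


if __name__ == "__main__":
    samples = (("exposed", EXPOSED), ("tls-only", TLS_ONLY), ("hardened", HARDENED))
    for name, sample in samples:
        print(name, audit_daemon_config(sample) or "no findings")
```
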
