Kinsing malware operators add a new tactic for initial access

January 24, 2023

The Kinsing malware threat group has adopted several new strategies for gaining initial access to the networks it targets. The operators are notorious for running cryptojacking campaigns against exposed Kubernetes infrastructure.

Based on reports, the Kinsing actors use several methods for initial access: the first targets vulnerable software images, and the other targets misconfigurations in PostgreSQL.

The malware operators have used multiple container images that Kinsing compromised. These images contain software prone to remote code execution (RCE), which lets the attackers abuse the running container and deploy malware.

Kinsing targets vulnerable versions of WordPress, WebLogic, PHPUnit, and Liferay, since flawed builds of these applications are susceptible to RCE and can be made to run malicious payloads.

In a recent attack, the threat actors scanned the internet for hosts exposing WebLogic's default port, 7001. A vulnerable host could be made to execute a shell command and run the malware.

The Kinsing malware operators also exploit the PostgreSQL misconfigurations.

Analysts explained that the Kinsing malware operators target misconfigured PostgreSQL servers. The threat actors can connect to the Postgres server without any authentication as long as their connection originates from an IP address that the targeted machine's trust configuration accepts.

In addition, some Kubernetes network configurations are susceptible to ARP poisoning, which lets the threat actors spoof applications within the cluster. This also undermines the practice of specifying a private IP range in the trust configuration: an attacker who can spoof an address in that range gains unauthenticated access, so the feature poses a massive security risk.
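The trust misconfiguration described above is visible in pg_hba.conf, so a defender can audit for it directly. The following script is an added example (not code from the article or from any vendor it cites): it parses pg_hba.conf rules, handles the CIDR, address-plus-netmask and keyword address forms, and flags every `trust` rule, rating rules that trust anything beyond the loopback interface as high risk, in line with the point that even private ranges are unsafe when ARP spoofing is possible. The sample configuration is constructed for the demo.

```python
"""Audit pg_hba.conf for 'trust' rules that accept connections without authentication."""
import ipaddress
from dataclasses import dataclass

# Constructed sample pg_hba.conf content for the demonstration (not from a real deployment).
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   ::1/128         trust
host    all       all   10.0.0.0/8      trust
host    all       all   0.0.0.0/0       trust
host    all       all   192.168.1.10    255.255.255.0  md5
hostssl all       all   samenet         trust
"""

# Connection types whose rules carry an ADDRESS column.
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


@dataclass
class Finding:
    line_no: int
    severity: str
    rule: str
    reason: str


def parse_address(fields):
    """Return (address, remaining_fields) for the ADDRESS column and what follows it.

    The address may be a CIDR block, an IP followed by a separate netmask
    column, one of the keywords all/samehost/samenet, or a hostname."""
    addr = fields[0]
    if addr in ("all", "samehost", "samenet"):
        return addr, fields[1:]
    if "/" in addr:
        return ipaddress.ip_network(addr, strict=False), fields[1:]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr, fields[1:]  # hostname or unrecognised token
    # Older syntax: IPv4 address in one column, dotted netmask in the next.
    if len(fields) > 1:
        try:
            return ipaddress.ip_network(f"{ip}/{fields[1]}", strict=False), fields[2:]
        except ValueError:
            pass  # next column was the METHOD, not a netmask
    return ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}"), fields[1:]


def is_local_only(address):
    """True when the rule can only match connections from the server itself."""
    if isinstance(address, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return address.is_loopback
    return address in ("local socket", "samehost")


def audit_pg_hba(text):
    """Return a Finding for every rule whose METHOD is 'trust'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local" and len(fields) >= 4:
            address, method = "local socket", fields[3]
        elif conn_type in HOST_TYPES and len(fields) >= 5:
            address, rest = parse_address(fields[3:])
            method = rest[0] if rest else ""
        else:
            continue
        if method != "trust":
            continue
        if is_local_only(address):
            severity = "medium"
            reason = "trust limited to the local host; any local OS user can log in as any role"
        else:
            severity = "high"
            reason = f"unauthenticated access from {address}; spoofable on a poisoned network"
        findings.append(Finding(line_no, severity, line, reason))
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f.line_no} [{f.severity}] {f.rule}\n    {f.reason}")
```

Run it against a real file with `audit_pg_hba(open("/etc/postgresql/.../pg_hba.conf").read())` (path assumed; it varies by distribution). The fix for each high finding is to replace `trust` with a password or certificate method such as `scram-sha-256` and to narrow the address range.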

The group has a reputation for trying multiple tactics in its attacks, and that reputation has grown as the group targets containerised environments, commonly by abusing misconfigured, openly exposed Docker daemon API ports.
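Exposed Docker daemon API ports are usually the result of a `tcp://` listener in the daemon configuration without TLS client verification. The script below is an added example (not from the article): it reads the `hosts` and `tlsverify`/`tlscacert` keys of a daemon.json and reports listeners reachable over TCP without mutual TLS or bound to all interfaces. Both configurations it checks are constructed samples; the paths and bind address in the hardened one are placeholders.

```python
"""Flag Docker daemon API listeners that expose the engine over plain, unauthenticated TCP."""
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (not from a real host).
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

WILDCARD_BINDS = {"", "0.0.0.0", "::"}


def audit_docker_daemon(config_text):
    """Return (severity, listener, reason) tuples for risky TCP listeners."""
    cfg = json.loads(config_text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    has_ca = bool(cfg.get("tlscacert"))
    for listener in cfg.get("hosts", []):
        parts = urlsplit(listener)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are governed by file permissions
        if not tls_verify:
            findings.append(("high", listener,
                             "TCP listener without tlsverify: anyone who reaches the port controls the engine"))
        elif not has_ca:
            findings.append(("high", listener,
                             "tlsverify set but no tlscacert: client certificates cannot be verified"))
        if (parts.hostname or "") in WILDCARD_BINDS:
            findings.append(("high", listener, "listener bound to all interfaces"))
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_docker_daemon(text) or "no findings")
```

The same listeners can also be set with `dockerd -H` flags rather than daemon.json, so a complete audit should also inspect the service's command line (for example the systemd unit that starts dockerd).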

Furthermore, these attacks have allowed the actors to run a newly discovered exploit that can launch their cryptocurrency miners.

These new campaigns from the Kinsing malware operators expose the real threat to clusters reachable from the internet, especially those without sound security practices. Administrators should therefore update images regularly and use secure configurations when setting up their services.

Admins should also conduct regular audits of exposed infrastructure to mitigate exploitation by malicious actors.
