Free Consultation

Kubernetes Clusters Hacked: What You Need To Know

Contents

Summary Of The Attack

  • Kinsing malware targeting Kubernetes Clusters.
  • Two paths of exploitation were utilized: vulnerable images and misconfigured PostgreSQL servers.
  • The why of the attack is crypto mining and generating revenue.
  • Securing Kubernetes clusters is a tedious job that has to be done.
.

What Happened?

In order to get early access to Kubernetes setups, the threat actors behind the Kinsing Crypto Jacking operation have been seen taking advantage of unprotected and improperly configured PostgreSQL servers.

What Is Kinsing?

Kinsing is malware written in Golang, which is a high level programming language used for creating cloud native applications.

It is compiled using the Go 1.13.6 version.

This malware generally targets Linux environments mainly for cryptocurrency mining. Once installed on the victim’s environment and starts successfully running on the target, the goal becomes invading other PCs.

The Anatomy Of The Attack

The security researchers at Microsoft analyzed the attack and identified two attack paths were used.

The first attack path is establishing and enumerating the PostgreSQL servers that had configuration issues.

From there one of the most common misconfigurations that were being exploited is the “trust authentication” setting which allows PostgreSQL to make an assumption that any connection that is established towards the server is authorized to get database access.

In addition, if a security issue exists such that a broad range of IP addresses are being assigned then any IP address that the attacker may be using can be used to gain access to the server.

The second attack path is trying to exploit a security flaw in container images. In this particular scenario, the attackers are searching for a remote code execution vulnerability which will then allow them to push their payload and gain access to the server in that manner.

From what has been seen so far, the attackers are trying to find and exploit security flaws in these applications:

  • WordPress
  • Liferay
  • PHPUnit
  • Oracle WebLogic

Free IT Security Policies

Get a step ahead of your goals with our comprehensive templates.

Download Now
IT Security Policy Templates

Why Kinsing Malware?

The Kinsing malware already has a well full archive of exploiting containerized environments to mine cryptocurrencies. The main goal is to generate revenue for the threat actors by exploiting the victim server’s hardware resources.

Kinsing On PostgreSQL: Case Study

When researching this topic Sreeram Venkitesh came to mind. He elaborated on how he detected Kinsing and what he did to remove it from the server.

The lessons learned start with the indicators of compromise being suddenly shut down off the PostgreSQL database. Without any particular reason, the CPU cores were at 100% usage, and suddenly he couldn’t access the PostgreSQL.

The next step was process review where he detected Kinsing as the name of a process but figured out that it can’t be removed as it adds a cron job for self-replication.

The last part involved finding all processes and deleting them from the /tmp directory as well as deleting the cron jobs running.

This represents a case of successful Kinsing remediation.

How Can This Attack Be Prevented?

When it comes to mitigating the exploit path following the misconfigured SQL Servers, the best security practices include:

  • Removing trust authentication
  • Hardening the network access to the database
  • Removing default users and extensive permissions

On the other hand, securing the container images should include:

  • Using known registries for container’s images.
  • Scanning images for vulnerabilities regularly and keeping them all up to date.
  • Hardening the network access to the system.
  • Timely patching of services so vulnerable versions do not exist on your system.

In Kubernetes official documentation, they offer an extremely well written guide on protecting Kubernetes clusters.

Article by

Picture of Jason Firch, MBA
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
Linkedin
Picture of Jason Firch, MBA
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.

Share This Article

Our Editorial Process

Our content goes through a rigorous approval process which is reviewed by cybersecurity experts – ensuring the quality and accuracy of information published.

Categories

AI Security

Cybersecurity Strategy

General Cybersecurity

Network Security

Penetration Testing

Ransomware

Recent Cyber Attacks

Small Business

Social Engineering

Vulnerability Management

Get the week’s best
cybersecurity content.

Sign Up

Related Breaches

PurpleSec

Get Secure Today.

Founded in 2019, PurpleSec is a veteran-owned cybersecurity company with a mission to help SMBs and startups affordably meet their security requirements.

Explore The Savings

Our Solutions

Virtual CISO

Defiance XDR

Social Engineering

Vulnerability Mgmt

Penetration Testing

Contact Us

Why PurpleSec?

About Us

Case Studies

How We Work

Our Leadership

Our Mission & Values

Linkedin Youtube Twitter

Learn With PurpleSec

Blog

Podcasts

Recent Cyber Attacks

Cybersecurity Insights

View All Resources