Author: Eva Georgieva / Last Updated: 01/13/2022
Reviewed By: Dalibor Gašić
In order to gain initial access to Kubernetes environments, the threat actors behind the Kinsing cryptojacking operation have been seen taking advantage of unprotected and improperly configured PostgreSQL servers.
Kinsing is malware written in Golang (Go), a high-level programming language commonly used for building cloud-native applications.
It is compiled using the Go 1.13.6 version.
This malware generally targets Linux environments, mainly for cryptocurrency mining. Once it is installed and running on a victim’s system, its goal becomes spreading to other machines.
Security researchers at Microsoft analyzed the attack and identified that two attack paths were used.
The first attack path is identifying and enumerating PostgreSQL servers that have configuration issues.
One of the most commonly exploited misconfigurations is the “trust authentication” setting, which makes PostgreSQL assume that any connection established to the server is authorized to access the database.
In addition, if the server’s client access rules allow a broad range of IP addresses, then whatever IP address the attacker happens to be using may fall within that range and can be used to gain access to the server.
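To make the first attack path concrete, here is an added example (not from the article or from Microsoft’s research) that audits a constructed set of pg_hba.conf rules for the two conditions just described: the trust method and overly broad source address ranges. The /16 and /48 "broad" thresholds are assumptions chosen for this example.

```python
import ipaddress
# Constructed sample pg_hba.conf content, not taken from any real server.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                  METHOD
local   all       all                            peer
host    all       all   127.0.0.1/32             scram-sha-256
host    all       all   0.0.0.0/0                trust
host    app       app   10.0.0.0/8               md5
host    all       all   192.168.0.0 255.255.0.0  md5
hostssl all       all   ::/0                     trust
"""
BROAD_V4, BROAD_V6 = 16, 48  # assumed thresholds: /16 (IPv4) or /48 (IPv6) and wider count as broad

def parse_pg_hba(text):
    """Return one dict per rule (line, address, method); comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts or len(parts) < (4 if parts[0] == "local" else 5):
            continue                                  # blank, comment or malformed record
        if parts[0] == "local":                       # Unix-socket rules carry no ADDRESS column
            rules.append(dict(line=lineno, address=None, method=parts[3]))
            continue
        address, method = parts[3], parts[4]
        if "/" not in address and len(parts) >= 6 and parts[4].count(".") == 3:
            address, method = f"{parts[3]}/{parts[4]}", parts[5]   # "ADDRESS NETMASK METHOD" form
        rules.append(dict(line=lineno, address=address, method=method))
    return rules

def audit_pg_hba(text):
    """Return one finding per risky rule: trust authentication and/or an overly broad source range."""
    findings = []
    for r in parse_pg_hba(text):
        reasons = []
        if r["method"] == "trust":
            reasons.append("method 'trust' grants access to any client that can reach the port")
        addr = r["address"]
        if addr == "all":
            reasons.append("address 'all' matches every client IP")
        elif addr:
            try:
                net = ipaddress.ip_network(addr, strict=False)
                if net.prefixlen <= (BROAD_V4 if net.version == 4 else BROAD_V6):
                    reasons.append(f"source range {net} is broad")
            except ValueError:
                pass                                  # samehost/samenet/hostnames are not CIDR blocks
        if reasons:
            findings.append(f"line {r['line']}: " + "; ".join(reasons))
    return findings
```

Running `audit_pg_hba(SAMPLE_PG_HBA)` flags the two `trust` rules and the three wide ranges while leaving the loopback and `local` rules alone; point it at a real pg_hba.conf by reading the file into `text`.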
The second attack path is trying to exploit a security flaw in container images.
In this scenario, the attackers search for a remote code execution vulnerability that allows them to push their payload and gain access to the server that way.
From what has been seen so far, the attackers are trying to find and exploit security flaws in these applications:
The Kinsing malware already has a long history of exploiting containerized environments to mine cryptocurrency. The main goal is to generate revenue for the threat actors by exploiting the victim server’s hardware resources.
When researching this topic, Sreeram Venkitesh came to mind. He described how he detected Kinsing and what he did to remove it from his server.
The lessons learned start with the indicators of compromise: the PostgreSQL database suddenly shut down, the CPU cores sat at 100% usage for no apparent reason, and he could no longer access PostgreSQL.
The next step was a process review, where he found a process named kinsing but discovered that it cannot simply be removed, because the malware adds a cron job for self-replication.
The last part involved finding all of the related processes and killing them, deleting the malware’s files from the /tmp directory, and removing the cron jobs it had created.
This represents a case of successful Kinsing remediation.
When it comes to mitigating the exploit path through misconfigured PostgreSQL servers, the best security practices include:
On the other hand, securing the container images should include:
The official Kubernetes documentation offers a well-written guide on protecting Kubernetes clusters.
Eva is a security engineer, researcher, and penetration tester with over 5 years of experience working on both red teams and blue teams.