The threat actors behind the Kinsing cryptojacking operation have been observed taking advantage of exposed and misconfigured PostgreSQL servers to gain initial access to Kubernetes environments. According to a report published last week by Sunders Bruskin, a security researcher at Microsoft Defender for Cloud, a second initial-access technique involves exploiting vulnerable container images.
Kinsing has a long history of targeting containerized environments, frequently abusing misconfigured, publicly reachable Docker daemon API ports and exploiting recently disclosed vulnerabilities to deploy cryptocurrency miners. The actor has previously been observed killing and removing competing resource-intensive services and processes, and using a rootkit to hide its presence. The operators behind Kinsing are known for breaking into targets and establishing persistence by exploiting well-known vulnerabilities such as Log4Shell and, more recently, a remote code execution flaw in Atlassian Confluence.
Microsoft says the Kinsing actor has now used PostgreSQL server misconfigurations to gain a foothold, and reports having seen a "large amount of clusters" compromised this way. The misconfiguration concerns the trust authentication method: when trust is granted to connections from any IP address, anyone who can reach the server can connect without presenting a credential and, if the role obtained is sufficiently privileged, go on to execute code.
“In general, allowing access to a broad range of IP addresses is exposing the PostgreSQL container to a potential threat,” explained Bruskin.
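To make the misconfiguration concrete, here is an added example, not code from the Microsoft report or from the Kinsing campaign: a small Python audit that parses pg_hba.conf entries, flags every entry using the trust method, and ranks each one by how much of the network its ADDRESS field admits. The two embedded configuration fragments are constructed for illustration, and the severity labels, helper names and ranking thresholds are my own choices.

```python
import ipaddress

# Constructed sample pg_hba.conf for illustration; it is not taken from the
# Microsoft report or from any real deployment. The 0.0.0.0/0 and ::/0 lines
# are the "trust for any IP address" misconfiguration described in the text.
WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   0.0.0.0/0      trust
host    all       all   ::/0           trust
hostssl app       app   10.20.0.0/16   scram-sha-256
host    all       all   samenet        trust
host    all       all   192.168.1.0 255.255.255.0 trust
"""

# The same file with every trust entry removed: local peer auth, SCRAM passwords,
# TLS for the application subnet, and no wildcard source range.
HARDENED_PG_HBA = """\
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   ::1/128        scram-sha-256
hostssl app       app   10.20.0.0/16   scram-sha-256
"""

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
SEVERITY_RANK = {"critical": 3, "high": 2, "low": 1}   # labels are my choice


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples, comments stripped.

    address is None for 'local' (Unix-socket) entries. The two-token form
    'IP NETMASK' is joined into a single 'IP/NETMASK' string.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        kind = f[0]
        if kind == "local" and len(f) >= 4:
            entries.append((kind, f[1], f[2], None, f[3]))
        elif kind in HOST_TYPES and len(f) >= 5:
            address, rest = f[3], f[4:]
            if "/" not in address and _is_ip(address) and rest and _is_ip(rest[0]):
                address, rest = f"{address}/{rest[0]}", rest[1:]
            if rest:
                entries.append((kind, f[1], f[2], address, rest[0]))
    return entries


def _source_severity(address):
    """Rank how much of the network an ADDRESS field lets in when no auth is required."""
    if address is None:
        return "low"          # Unix socket: local OS users only, no network reach
    if address == "all":
        return "critical"     # pg_hba keyword matching every client address
    if address == "samehost":
        return "low"
    if address == "samenet":
        return "high"         # every host on any subnet the server is attached to
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return "high"         # hostname or unparsable token: treat as broad
    if net.prefixlen == 0:
        return "critical"     # 0.0.0.0/0 or ::/0: the whole Internet
    if net.is_loopback:
        return "low"
    return "high"


def audit_pg_hba(text):
    """List every entry that authenticates nobody, worst first."""
    findings = []
    for kind, db, user, address, method in parse_pg_hba(text):
        if method != "trust":
            continue
        findings.append({
            "severity": _source_severity(address),
            "entry": f"{kind} {db} {user} {address or '(socket)'} trust",
            "reason": "trust skips authentication for every client the line matches",
        })
    findings.sort(key=lambda x: SEVERITY_RANK[x["severity"]], reverse=True)
    return findings


def worst_severity(text):
    findings = audit_pg_hba(text)
    return findings[0]["severity"] if findings else None


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_PG_HBA), ("hardened", HARDENED_PG_HBA)):
        print(f"{name}: worst={worst_severity(conf)}")
        for fnd in audit_pg_hba(conf):
            print(f"  [{fnd['severity']}] {fnd['entry']}")
```

Running the script against the weak file reports the two wildcard entries as critical and the subnet-wide ones as high; the hardened file produces no findings. In containerized deployments the wildcard line often arrives without anyone editing pg_hba.conf by hand, for example the official postgres image's `POSTGRES_HOST_AUTH_METHOD=trust` setting appends a `host all all all trust` entry, so the audit is worth running against the file inside the running container, not only against the one in source control. Fixing pg_hba.conf does not replace network controls: the database should also be unreachable from the Internet at the Service or firewall layer.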
The alternative attack vector targets containers running vulnerable versions of PHPUnit, Liferay, WebLogic, and WordPress to execute malicious payloads. In a recent "widespread campaign," the attackers also scanned for the default WebLogic port 7001 and, wherever it was found open, launched the malware through a shell command.
Bruskin notes that exposing a cluster to the Internet without adequate security controls leaves it open to attack from outside, and that attackers can also get into the cluster by exploiting known vulnerabilities in the images it runs.
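The exposure Bruskin describes is visible in the cluster's Service objects. As an added example, not from the report or the campaign, the following Python reads Services in the shape that `kubectl get svc -A -o json` produces and lists those that make PostgreSQL's 5432 or WebLogic's 7001 reachable from outside the cluster. The sample JSON is constructed; the Docker API ports 2375/2376 are my assumption of what "open Docker daemon API ports" refers to, and the function names are mine.

```python
import json
import sys

# Constructed sample shaped like `kubectl get svc -A -o json`; it is not output
# from a real cluster and not from the Microsoft report.
SAMPLE_SVC_JSON = json.dumps({"items": [
    {"metadata": {"name": "postgres", "namespace": "db"},
     "spec": {"type": "LoadBalancer",
              "ports": [{"port": 5432, "targetPort": 5432, "nodePort": 31432}]}},
    {"metadata": {"name": "weblogic", "namespace": "apps"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 80, "targetPort": 7001, "nodePort": 30701}]}},
    {"metadata": {"name": "postgres-internal", "namespace": "db"},
     "spec": {"type": "ClusterIP",
              "ports": [{"port": 5432, "targetPort": 5432}]}},
    {"metadata": {"name": "postgres-partner", "namespace": "db"},
     "spec": {"type": "LoadBalancer",
              "loadBalancerSourceRanges": ["203.0.113.0/24"],
              "ports": [{"port": 5432, "targetPort": 5432, "nodePort": 31433}]}},
    {"metadata": {"name": "web", "namespace": "apps"},
     "spec": {"type": "LoadBalancer",
              "ports": [{"port": 443, "targetPort": 8443, "nodePort": 30443}]}},
]})

# Ports the campaign goes after. 5432 and 7001 are the defaults named in the
# text; 2375/2376 are my assumption of what "Docker daemon API ports" means.
SENSITIVE_PORTS = {5432: "PostgreSQL", 7001: "WebLogic",
                   2375: "Docker API (plaintext)", 2376: "Docker API (TLS)"}
# Service types that allocate an endpoint reachable from outside the cluster network.
EXTERNAL_TYPES = {"LoadBalancer", "NodePort"}


def _source_restricted(spec):
    """True when a LoadBalancer limits client IPs to something narrower than 'any'."""
    ranges = spec.get("loadBalancerSourceRanges") or []
    return bool(ranges) and not any(r.endswith("/0") for r in ranges)


def externally_exposed(svc_json):
    """Return Services reachable from outside the cluster on a sensitive port.

    Both the Service port and the backend targetPort are checked, so a WebLogic
    pod published behind service port 80 still shows up.
    """
    findings = []
    for item in json.loads(svc_json).get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        svc_type = spec.get("type", "ClusterIP")
        if svc_type not in EXTERNAL_TYPES:
            continue
        for p in spec.get("ports", []):
            hit = next((v for v in (p.get("port"), p.get("targetPort"))
                        if v in SENSITIVE_PORTS), None)
            if hit is None:
                continue
            findings.append({
                "service": f"{meta.get('namespace')}/{meta.get('name')}",
                "type": svc_type,
                "reaches": f"{SENSITIVE_PORTS[hit]} on port {hit}",
                "nodePort": p.get("nodePort"),
                # NodePort has no source-range control; only LoadBalancer can restrict
                "source_restricted": svc_type == "LoadBalancer" and _source_restricted(spec),
            })
    return findings


def unrestricted(svc_json):
    """Subset of findings that any Internet host could connect to."""
    return [f for f in externally_exposed(svc_json) if not f["source_restricted"]]


if __name__ == "__main__":
    # `kubectl get svc -A -o json | python3 audit_svc.py -` audits a live cluster;
    # with no argument the constructed sample is used.
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_SVC_JSON
    for fnd in externally_exposed(data):
        flag = "" if fnd["source_restricted"] else "  <-- open to any source"
        print(f"{fnd['service']} ({fnd['type']}): {fnd['reaches']}{flag}")
```

On the sample, `db/postgres` and `apps/weblogic` are reported as open to any source while `db/postgres-partner` is listed but marked restricted; the ClusterIP-only `postgres-internal` never appears. A NodePort finding still depends on the nodes' own firewall or security group, so treat it as "exposed unless proven otherwise" rather than as confirmed Internet reachability, and pair this check with the pg_hba.conf audit inside the PostgreSQL container.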