Container environments targeted by Kinsing malware attacks

Cybersecurity researchers at Aqua Security have identified a malware campaign that targets misconfigured open Docker Daemon API ports with thousands of attempts taking place daily. The researchers warn, “These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date.”  

​Using its virus analysis tools, Aqua Security identified the malware as a Golang-based Linux agent, known as Kinsing. The attacks have been going on for the past few months. ​The campaign aims to deploy a crypto miner on the compromised host. 

​The Aqua Security report provides a comprehensive analysis of the elements of the malware campaign, which stands out as a strong example of what the cybersecurity firm claims is “the growing threat to cloud-native environments.”

The attackers scan the internet for vulnerable Docker API ports to exploit, then once found, they run an Ubuntu container. Hackers configured the Ubuntu container to clear logs, remove other malware running on the same Docker instance, and disable security safeguards.

Before the malware deploys its payload, it attempts to connect with servers in Eastern Europe, the researchers say. A command-and-control (C&C) servers split the various functions required to manage the attacks. There are dedicated servers for each function that the malware will execute. 

Once these tasks have been completed, the Kinsing malware download begins on the compromised host. The malware downloads the spre.sh shell script used to spread the malware across the container network laterally. 

At the last stage of the attack, the malware runs a crypto-miner called kdevtmpfsi, which is a BTC “miner.” Transaction processors, aka miners, can be designed for many kinds of digital currencies, researchers said. The “miner” connects to a host with the 193.33.87.219 IP address using a login request over HTTP, receives further instructions, and starts mining digital currencies.

Researchers said the exploit attempts to continue infecting other parts of the cloud systems by using local SSH credentials it collects along the way. If successful, a shell script then places the digital currency processor on the infected host. This allows cybercriminals to test an extensive number of key combinations and user account possibilities, researchers added.

​The scope and ambitions reveal that the fraudulent BTC processing campaign is not just “an improvised endeavor” as the people behind it must rely on major infrastructure and resources. ​According to the researchers, the security issue continues to escalate as attackers continue to mount more sophisticated and ambitious attacks. 

To combat these efforts, enterprise security teams need to come up with robust strategies to mitigate these new risks. Among their recommendations, Aqua Security advises that organizations identify all cloud resources and organize them in a logical structure, review their authorization and authentication policies, and change necessary security policies according to the principle of “least privilege.” Teams should also investigate logs to locate user actions that register as anomalies, besides implementing cloud security tools to strengthen their strategy.

​Looking back on online security, Kinsing is not the only sophisticated attack that has made headlines recently. Recently, Guardicore Labs announced that it had identified a new malware strain that has been operating for up to two years.

​The firm identified Vollgar, a threat actor that mines Vollar, an altcoin variant. The firm explained that the malware targets Windows machines that run on the MS-SQL servers—computers which, according to its estimates, are only about 500,000 left worldwide.

​While these servers are rare, they have become notably recognized for the high processing power they provide, and the capacity to store valuable personal and financial information. Guardicore Labs explained that once Vollgar infects a server, it kills off the processes of other threat actors entirely, then it deploys multiple backdoors, crypto miners, and Remote Access Trojans.

​In March, Singapore-based unicorn startup Acronis released the results of its latest cybersecurity survey. The report revealed that 86% of IT professionals are concerned about cryptojacking—the industry term for the practice of using a computer’s processing power for processing digital currencies without user consent or knowledge.

New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.