- Linux devices are being targeted by the well-known spyware Kinsing in order to steal cryptocurrency.
- Two attack techniques commonly seen in real-world attacks on Kubernetes clusters are described, along with several ways to defend against them.
- The two techniques attackers use to deploy Kinsing in Kubernetes clusters are exploiting vulnerable container images and abusing poorly configured PostgreSQL servers.
Kinsing is well-known spyware that targets Linux systems to steal cryptocurrency. It is commonly seen in Kubernetes clusters because it employs several strategies specific to such environments. Sunders Bruskin, a security researcher with Microsoft Defender for Cloud, published an article on Kinsing that focuses on its initial access techniques in Kubernetes environments. He describes the following ways in which Kinsing exploits weaknesses:
Methods of exploitation
Method 1: Finding a vulnerability in images
Many images contain remote code execution flaws that attackers with network access can exploit to launch their attacks. These are a few examples of applications that were abused through vulnerable versions:
- PHPUnit
- Liferay
- Oracle WebLogic
- WordPress
Oracle released advisories in 2020 about several high-severity vulnerabilities that allowed remote code execution (CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883). To exploit them, attackers start by scanning a large number of IP addresses for an open port matching the WebLogic default port (7001). If a vulnerable instance is detected, they use it to launch their malicious payload, such as Kinsing. Bruskin says:
«Recently, we identified a widespread campaign of Kinsing that targeted vulnerable versions of WebLogic servers.»
To mitigate this technique, use the most recent versions of images and only trust images from official repositories.
Method 2: Exploiting poorly configured PostgreSQL
The first misconfiguration is the use of the ‘trust authentication’ setting. The official PostgreSQL documentation states:
«When trust authentication is specified, PostgreSQL assumes that anyone who can connect to the server is authorized to access the database with whatever database user name they specify (even superuser names)»
The second misconfiguration is allowing access from a broad range of IP addresses, which puts the PostgreSQL container at risk. To avoid being caught off guard by this method, you can use Microsoft Defender for Cloud.
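As an added example (not part of the original article or of Microsoft's research), the following Python script parses a constructed pg_hba.conf and reports every record that uses trust authentication together with how wide an address range it exposes; the sample file, its addresses and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the article). The two "trust" lines
# reproduce the misconfiguration described above: anyone who can reach the port
# may log in as any role, including superusers, without a password.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   0.0.0.0/0      trust
host    all       all   ::/0           trust
host    app       app   10.42.0.0/16   scram-sha-256
"""

def parse_pg_hba(text):
    """Parse pg_hba.conf records (CIDR address form) into dicts."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not f:
            continue
        if f[0] == "local":  # local records have no ADDRESS column
            rules.append({"type": f[0], "database": f[1], "user": f[2],
                          "address": None, "method": f[3]})
        else:
            rules.append({"type": f[0], "database": f[1], "user": f[2],
                          "address": f[3], "method": f[4]})
    return rules

def trust_exposure(rules):
    """Return (rule, reason) for every record that authenticates with
    'trust', describing how wide the resulting exposure is."""
    findings = []
    for r in rules:
        if r["method"] != "trust":
            continue
        if r["type"] == "local":
            reason = "trust on the Unix socket: any local process"
        elif r["address"] in ("all", "samehost", "samenet"):
            reason = f"trust for address keyword '{r['address']}'"
        else:
            try:
                net = ipaddress.ip_network(r["address"], strict=False)
                reason = ("trust for ANY address" if net.prefixlen == 0
                          else f"trust for {net.num_addresses} addresses ({net})")
            except ValueError:
                reason = f"trust for hostname pattern '{r['address']}'"
        findings.append((r, reason))
    return findings
```

Running trust_exposure(parse_pg_hba(SAMPLE_PG_HBA)) reports the two host records as "trust for ANY address"; the hardened form replaces trust with scram-sha-256 and narrows ADDRESS to the cluster's own ranges, as the last sample record does.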

Exploiting vulnerable images and taking advantage of excessive Internet exposure are two methods attackers use in real-world attacks on Kubernetes clusters. Without adequate security measures, users’ services and machines may be open to attack from outsiders. A firm that wants the best possible protection against security breaches must periodically update its software and keep its configurations secure.
