Description
A recent campaign saw the Kinsing malware breach Kubernetes clusters by exploiting vulnerabilities in container images and misconfigured PostgreSQL containers.
Summary
Security researchers from Microsoft Defender for Cloud recently observed threat actors probing for specific entry points into Kubernetes clusters in order to infect them with the Kinsing malware. Kinsing is Linux malware written in Go that targets containerized environments for cryptocurrency mining. The actors behind Kinsing are also known for exploiting widely publicised vulnerabilities, such as Log4Shell and, more recently, the Atlassian Confluence remote code execution (RCE) vulnerability tracked as CVE-2022-26134, to gain initial access to targets and establish persistence.
According to the researchers, the Kinsing operators gain initial access to Kubernetes clusters by two methods:
exploiting vulnerabilities in container images; and
exploiting misconfigured PostgreSQL servers.
When exploiting container image vulnerabilities, the actors look for any RCE flaw that lets them run their payload and install the malware. They specifically scan for RCE vulnerabilities in PHPUnit, Liferay, Oracle WebLogic and WordPress. For Oracle WebLogic, they scan for CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883, all of which are RCE vulnerabilities in WebLogic Server.
The actors also target misconfigurations in PostgreSQL servers. The most common is the trust authentication method in the client authentication rules (pg_hba.conf), which instructs PostgreSQL to assume that anyone who can connect to the server is authorized to access the database as whatever database user they specify, including superuser names, with no password. A related misconfiguration is an overly broad client address range in those rules, for example a rule that admits connections from any IP address. Even when the address range is tightly scoped, Microsoft noted that Kubernetes can be susceptible to Address Resolution Protocol (ARP) poisoning, which would let an attacker impersonate an application in the cluster and reach the server from an allowed address.
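The two PostgreSQL weaknesses above can be checked for directly in pg_hba.conf. The following audit script is an added example written for this advisory; it is not Microsoft's or PostgreSQL's code. It assumes the standard pg_hba.conf record layout (TYPE, DATABASE, USER, optional ADDRESS and legacy NETMASK, METHOD), the sample file is constructed for the demonstration, and the prefix-length thresholds used to call a range "broad" are this example's own choice rather than a PostgreSQL rule. It flags every record that uses trust authentication or admits a broad source range, and prints a hardened replacement line for each record.

```python
"""Audit a PostgreSQL pg_hba.conf for "trust" authentication and overly broad
client address ranges, the two misconfigurations the Kinsing operators look for.

Added example for this advisory; not Microsoft's or PostgreSQL's own code.
Assumes the standard record layout:
    TYPE  DATABASE  USER  [ADDRESS [NETMASK]]  METHOD [OPTIONS]
where "local" records carry no ADDRESS column.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample file, not taken from a real server. Lines 3 and 6 carry the
# weak "trust" setting the campaign looks for; line 4 is merely too broad.
SAMPLE_PG_HBA = """\
# TYPE   DATABASE  USER      ADDRESS         METHOD
local    all       all                       peer
host     all       all       0.0.0.0/0       trust
host     all       postgres  10.0.0.0/8      md5
host     app       app       10.42.3.0/24    scram-sha-256
hostssl  all       all       ::/0            trust
"""

BROAD_V4_PREFIX = 16   # assumption: IPv4 prefixes shorter than /16 are "broad"
BROAD_V6_PREFIX = 64   # assumption: IPv6 prefixes shorter than /64 are "broad"
SAFE_METHOD = "scram-sha-256"


def _looks_like_netmask(field: str) -> bool:
    """True for the legacy dotted-quad NETMASK column (e.g. 255.255.0.0)."""
    try:
        ipaddress.IPv4Address(field)
        return True
    except ValueError:
        return False  # method names and options never parse as an IPv4 address


def parse_pg_hba(text: str) -> List[Dict]:
    """Parse pg_hba.conf text into one dict per record; comments and blanks are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        rec_type = f[0]
        address: Optional[str] = None
        if rec_type == "local":
            if len(f) < 4:
                continue  # malformed; PostgreSQL itself would reject the file
            database, user, method = f[1], f[2], f[3]
        else:
            if len(f) < 5:
                continue
            database, user, address = f[1], f[2], f[3]
            if len(f) >= 6 and _looks_like_netmask(f[4]):
                address = f"{f[3]}/{f[4]}"  # ADDRESS NETMASK -> single CIDR-style string
                method = f[5]
            else:
                method = f[4]
        records.append({"line": lineno, "type": rec_type, "database": database,
                        "user": user, "address": address, "method": method})
    return records


def is_broad(address: Optional[str]) -> bool:
    """Does this ADDRESS admit clients from a large range of source IPs?"""
    if address is None or address in ("samehost", "samenet"):
        return False
    if address == "all":
        return True
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False  # a hostname; its breadth cannot be judged statically
    limit = BROAD_V4_PREFIX if net.version == 4 else BROAD_V6_PREFIX
    return net.prefixlen < limit


def audit_pg_hba(text: str) -> List[Dict]:
    """Return one finding per weakness found: 'trust' or 'broad-address'."""
    findings = []
    for rec in parse_pg_hba(text):
        if rec["method"] == "trust":
            findings.append({"line": rec["line"], "issue": "trust",
                             "detail": f"anyone reaching this socket can log in as "
                                       f"'{rec['user']}' with no credential"})
        if rec["type"] != "local" and is_broad(rec["address"]):
            findings.append({"line": rec["line"], "issue": "broad-address",
                             "detail": f"{rec['address']} admits far more than the intended clients"})
    return findings


def harden_record(rec: Dict) -> str:
    """Rewrite one record: trust becomes SCRAM, and broad ranges get a to-do note."""
    method = SAFE_METHOD if rec["method"] == "trust" else rec["method"]
    cols = [rec["type"], rec["database"], rec["user"]]
    if rec["address"] is not None:
        cols.append(rec["address"])
    cols.append(method)
    line = "  ".join(cols)
    if rec["type"] != "local" and is_broad(rec["address"]):
        line += "  # TODO: narrow ADDRESS to the client subnet(s) that actually need access"
    return line


if __name__ == "__main__":
    for finding in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {finding['line']}: {finding['issue']}: {finding['detail']}")
    print("\nsuggested replacements:")
    for rec in parse_pg_hba(SAMPLE_PG_HBA):
        print(harden_record(rec))
```

Run it against a real file with `audit_pg_hba(open("/etc/postgresql/.../pg_hba.conf").read())`; any `trust` finding on a host record means the database is open to every client that can reach the port, which in a cluster includes any pod that can spoof its way onto the allowed address. The replacement lines only swap the authentication method; narrowing the address range is left to the administrator because the correct client subnet cannot be inferred from the file.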
Remediation
Microsoft has outlined several mitigations for these issues. For container images, deploy the latest available version of each image, and source images only from official repositories and trusted registries. Restrict access to exposed containers by allowing only known client IP addresses (an IP allowlist).
For the PostgreSQL configuration issues, consult the PostgreSQL project's security page for recommendations and measures to apply to those servers.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
References
Toulas, B. (2023, January 9). Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL. BleepingComputer. https://www.bleepingcomputer.com/news/security/microsoft-kubernetes-clusters-hacked-in-malware-campaign-via-postgresql/
Bruskin, S. (2023, January 5). Initial access techniques in Kubernetes environments used by Kinsing malware. Microsoft Defender for Cloud Blog. https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975