Security researchers observed an attack campaign that targeted misconfigured Docker API ports with samples of Kinsing malware.

According to Aqua Security, the campaign began when it capitalized on an unprotected Docker API port to run a Ubuntu container.

The command used for creating the Ubuntu container included a shell script “d.sh.” By means of its 600+ lines of code, the shell script began by disabling security measures, clearing logs and disabling other malware and cryptominer samples. It’s then that the command killed rival malicious Docker containers before loading its Kinsing payload.

A Golang-based Linux agent, Kinsing relied upon another shell script “spre.sh” to passively collect data from “/.ssh/config, .bash_history, /.ssh/known_hosts.” Aqua Security found that the malware ultimately used this tactic to spread laterally throughout the network. As the security firm explained in its research:

Using the information gathered, the malware then attempts to connect to each host, using every possible user and key combination through SSH, in order to download the aforementioned shell script and run the malware on other hosts or containers in the network.

After spreading to as much of the container network as it could, Kinsing activated the last stage of the attack campaign by loading “kdevtmpfsi.” This threat first connected to its host at the IP address 193.33.87.219. It then began mining for cryptocurrency after receiving further instructions.

The Kinsing malware attack chain (Source: Aqua Security)

Acknowledging its analysis of the Kinsing malware attack chain described and illustrated above, Aqua Security recommends that organizations identify all of their cloud resources and group them together according to their business priorities. They should then review their authentication and authorization policies, security policies and adjust them accordingly as their environments continue to evolve.

In addition to the steps (Read more...)