Microsoft’s cybersecurity researchers have revealed it spotted an uptick in the deployment of the Kinsing malware (opens in new tab) on Linux servers.
As per the company’s report (opens in new tab), the attackers are leveraging Log4Shell and Atlassian Confluence RCE weaknesses in container images and misconfigured, exposed PostgreSQL containers to install cryptominers on vulnerable endpoints.
Microsoft’s Defender for Cloud team said hackers were going through these apps in search of exploitable flaws:
- PHPUnit
- Liferay
- Oracle WebLogic
- WordPress
As for the flaws themselves, they were looking to leverage CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883 – RCE flaws in Oracle’s solutions.
“Recently, we identified a widespread campaign of Kinsing that targeted vulnerable versions of WebLogic servers,” Microsoft claims. “Attacks start with scanning of a wide range of IP addresses, looking for an open port that matches the WebLogic default port (7001).”
Updating the images
To stay safe, IT managers are advised to update their images to the latest versions and only source the images from official repositories.
Threat actors love deploying cryptocurrency miners on servers. These remote endpoints are usually computationally powerful, allowing hackers to “mine” large quantities of cryptocurrency without needing the necessary hardware. What’s more, they also eliminate the high electricity costs usually associated with mining cryptos.
The victims, on the other hand, have plenty to lose. Not only will their servers be rendered useless (as crypto mining is quite compute-heavy), but will also generate high electricity bills. Usually, the amount of cryptos mined and electricity spent is disproportionate, making the entire ordeal that much more painful.
For Microsoft’s Defender for Cloud team, the two techniques discovered are “commonly seen” in real-world attacks on Kubernetes clusters.
“Exposing the cluster to the Internet without proper security measures can leave it open to attack from external sources. In addition, attackers can gain access to the cluster by taking advantage of known vulnerabilities in images,” the team said.
“It’s important for security teams to be aware of exposed containers and vulnerable images and try to mitigate the risk before they are breached. As we have seen in this blog, regularly updating images and secure configurations can be a game changer for a company when trying to be as protected as possible from security breaches and risky exposure.”
Via: BleepingComputer (opens in new tab)
