Malware campaign targets Kubernetes clusters


Microsoft’s security researchers have reported an increase in deployments of the Kinsing malware on Linux servers.

According to the company’s report, attackers are exploiting vulnerabilities such as Log4Shell and the Atlassian Confluence RCE in container images, as well as misconfigured, internet-exposed PostgreSQL containers, to install cryptominers on the compromised hosts.

Microsoft’s Defender for Cloud team said the attackers scanned for exploitable versions of these applications:

  • PHPUnit
  • Liferay
  • Oracle WebLogic
  • WordPress

As for the flaws themselves, the attackers were looking for CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883, remote code execution vulnerabilities in Oracle WebLogic Server.

“Recently, we identified a widespread campaign by Kinsing targeting vulnerable versions of WebLogic servers,” Microsoft said. “Attacks begin by scanning a wide range of IP addresses, looking for an open port that matches WebLogic’s default port (7001).”

Update the images

To stay safe, administrators are advised to keep their container images updated to the latest versions and to pull images only from official repositories.

Threat actors like to deploy cryptocurrency miners on servers. These remote endpoints are usually computationally powerful, allowing attackers to “mine” large amounts of cryptocurrency without owning the necessary hardware. They also avoid the high electricity costs usually associated with mining.

The victims, on the other hand, have a lot to lose. Not only do their servers become unusable for legitimate work (crypto mining is highly computationally intensive), but they also run up high electricity bills. The value of the cryptocurrency mined is usually far below the cost of the electricity consumed, which makes the whole ordeal that much more painful.

For Microsoft’s Defender for Cloud team, the two techniques it observed, exploiting vulnerable images and abusing misconfigured PostgreSQL containers, are “common” in real-world attacks against Kubernetes clusters.

“If the cluster is exposed to the internet without proper security measures, it could be exposed to attacks from outside sources. In addition, attackers can gain access to the cluster by exploiting known image vulnerabilities,” the team said.

“It is important that security teams are aware of exposed containers and vulnerable images and try to mitigate the risk before they are breached. As we’ve seen in this blog, regularly updating images and secure configurations can be a game changer for a company as it tries to best protect against security breaches and risk exposure.”
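The two checks the Defender for Cloud team asks for above, images that are out of date or not from an official source (the “Update the images” advice) and containers exposed to the internet, as an added example in Python. This is not code from Microsoft’s report or from the Kinsing campaign; it takes the JSON that `kubectl get pods,services -A -o json` emits. The allowed-registry list and the sample snapshot are constructed for the example, and the port list is just the two defaults the article names (WebLogic 7001 and PostgreSQL 5432).

```python
"""Audit a kubectl JSON snapshot for the two Kinsing entry points described
above: container images not pulled from an approved registry (or not pinned
to a tag/digest), and Services that publish WebLogic (7001) or PostgreSQL
(5432) outside the cluster. Added example, not code from Microsoft's report.
Usage: python audit.py [snapshot.json]   (no argument audits the sample)."""
import json
import sys

# Assumption for the example: the only registries this organisation trusts.
ALLOWED_REGISTRIES = ("registry.example.internal", "docker.io/library")

# Default ports of the two services the article ties to the campaign.
RISKY_PORTS = {7001: "Oracle WebLogic", 5432: "PostgreSQL"}


def image_registry(image: str) -> str:
    """Registry an image reference resolves to, using Docker's defaulting
    rules: no slash -> Docker Hub official image; first path component with
    a dot, colon or 'localhost' -> explicit registry; otherwise Docker Hub."""
    if "/" not in image:
        return "docker.io/library"
    first = image.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def is_pinned(image: str) -> bool:
    """True if the reference carries a digest or a non-'latest' tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # strip registry/path, keep name[:tag]
    return ":" in last and not last.endswith(":latest")


def audit_images(pods: list) -> list:
    """One finding per container image that is untrusted or unpinned."""
    findings = []
    for pod in pods:
        ref = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        for c in pod["spec"]["containers"]:
            image = c["image"]
            registry = image_registry(image)
            if registry not in ALLOWED_REGISTRIES:
                findings.append(f"{ref}: {image} comes from untrusted registry {registry}")
            if not is_pinned(image):
                findings.append(f"{ref}: {image} is not pinned to a tag or digest")
    return findings


def audit_services(services: list) -> list:
    """One finding per NodePort/LoadBalancer Service that publishes a risky port."""
    findings = []
    for svc in services:
        spec = svc["spec"]
        kind = spec.get("type", "ClusterIP")
        if kind not in ("NodePort", "LoadBalancer"):
            continue                          # ClusterIP stays inside the cluster
        ref = f"{svc['metadata']['namespace']}/{svc['metadata']['name']}"
        for p in spec.get("ports", []):
            # targetPort may be a name; only numeric ports can match RISKY_PORTS
            for port in {p.get("port"), p.get("targetPort")}:
                if port in RISKY_PORTS:
                    findings.append(f"{ref}: {kind} Service exposes {RISKY_PORTS[port]} on port {port}")
    return findings


def audit(snapshot: dict) -> dict:
    """Split a mixed `kubectl get pods,services -o json` list by kind and run both audits."""
    items = snapshot.get("items", [])
    pods = [i for i in items if i["kind"] == "Pod"]
    services = [i for i in items if i["kind"] == "Service"]
    return {"images": audit_images(pods), "exposure": audit_services(services)}


# Constructed sample snapshot (not real cluster data): one WebLogic pod from an
# unofficial Docker Hub namespace, one unpinned PostgreSQL pod, one clean pod.
SAMPLE_SNAPSHOT = {"items": [
    {"kind": "Pod", "metadata": {"namespace": "default", "name": "weblogic-0"},
     "spec": {"containers": [{"image": "someuser/weblogic:12.2.1.3"}]}},
    {"kind": "Pod", "metadata": {"namespace": "default", "name": "pg-0"},
     "spec": {"containers": [{"image": "postgres"}]}},
    {"kind": "Pod", "metadata": {"namespace": "prod", "name": "app-0"},
     "spec": {"containers": [{"image": "registry.example.internal/app@sha256:"
              "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}]}},
    {"kind": "Service", "metadata": {"namespace": "default", "name": "weblogic"},
     "spec": {"type": "NodePort", "ports": [{"port": 80, "targetPort": 7001}]}},
    {"kind": "Service", "metadata": {"namespace": "default", "name": "pg"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 5432, "targetPort": 5432}]}},
    {"kind": "Service", "metadata": {"namespace": "prod", "name": "app"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 8080, "targetPort": 8080}]}},
]}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            snapshot = json.load(fh)
    else:
        snapshot = SAMPLE_SNAPSHOT
    for section, findings in audit(snapshot).items():
        for f in findings:
            print(f"[{section}] {f}")
```

On the sample it reports the WebLogic pod as coming from an untrusted registry, the PostgreSQL pod as unpinned, and both the NodePort and the LoadBalancer Service as publishing a risky port; the ClusterIP Service is ignored because it is not reachable from outside the cluster. Pinning to a digest rather than a tag is what actually ties a running container to a known, scanned image, since a tag can be silently repointed.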

Via: BleepingComputer
