Kinsing, a malware family that typically targets Linux environments for cryptocurrency mining, has found a new target. The malware is exploiting vulnerabilities in container images and weakly configured PostgreSQL containers to compromise Kubernetes clusters.
Sunders Bruskin, a Microsoft Defender for Cloud security researcher, explains in a blog post that Kinsing is actively infiltrating Kubernetes clusters through two initial access vectors: exploiting weakly configured PostgreSQL containers and exploiting vulnerable container images.
Microsoft found that several images frequently seen infected with Kinsing were vulnerable to remote code execution, allowing attackers with network access to exploit the container and run their payload. Examples of applications with vulnerable versions include PHPUnit, Liferay, WebLogic and WordPress.
Microsoft also recently observed a significant number of clusters that were infected with Kinsing and ran a PostgreSQL container. Several common misconfigurations give attackers access to a Postgres server if it is exposed; the first is the ‘trust’ authentication setting, which lets matching clients connect without presenting a password.
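To show what the ‘trust’ misconfiguration looks like on disk, and how a defender can audit for it, the following is an added example (not code from the article or from Microsoft's post). It parses PostgreSQL's real client-authentication file format (`pg_hba.conf`) and reports records that grant password-less `trust` access to clients arriving over the network rather than from the loopback address. The two file contents are constructed for this example; the hardened version replaces the network-reachable `trust` lines with `scram-sha-256`.

```python
"""Audit a PostgreSQL pg_hba.conf for 'trust' entries reachable over the network."""
import ipaddress

# Constructed sample pg_hba.conf (not from any real deployment). Lines 4 and 7
# let any client on those networks log in without a password.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       all                       peer
host    all       all       127.0.0.1/32    trust
host    all       all       0.0.0.0/0       trust
host    all       all       10.0.0.0/8      scram-sha-256
hostssl all       all       ::/0            md5
host    all       postgres  192.168.1.0/24  trust
"""

# The same file with the network-reachable 'trust' lines replaced by password
# authentication; also constructed for this example.
HARDENED_PG_HBA = """\
local   all       all                       peer
host    all       all       127.0.0.1/32    trust
host    all       all       10.0.0.0/8      scram-sha-256
hostssl all       all       ::/0            scram-sha-256
host    all       postgres  192.168.1.0/24  scram-sha-256
"""


def _is_ip(token):
    """True if token is a bare IPv4/IPv6 address (no CIDR suffix)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Return one dict per record; comments and blank lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            if len(fields) < 4:
                continue
            records.append({"line": lineno, "type": "local", "database": fields[1],
                            "user": fields[2], "address": None, "method": fields[3]})
            continue
        if len(fields) < 5:
            continue
        address, rest = fields[3], fields[4:]
        # pg_hba.conf also allows "ADDRESS NETMASK" as two fields instead of CIDR
        if _is_ip(address) and rest and _is_ip(rest[0]):
            address = f"{address}/{rest[0]}"
            rest = rest[1:]
        if not rest:
            continue
        records.append({"line": lineno, "type": fields[0], "database": fields[1],
                        "user": fields[2], "address": address, "method": rest[0]})
    return records


def address_is_local_only(address):
    """True when the ADDRESS field can only match clients on the server itself."""
    if address == "samehost":
        return True
    if address in ("all", "samenet"):
        return False
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False  # hostname or pattern: treat as reachable over the network


def audit_pg_hba(text):
    """Return records that grant password-less ('trust') access to network clients."""
    return [r for r in parse_pg_hba(text)
            if r["type"] != "local" and r["method"] == "trust"
            and not address_is_local_only(r["address"])]


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f['line']}: {f['type']} {f['database']} {f['user']} "
              f"{f['address']} trust  <- network clients need no password")
```

Run against the sample, the audit flags lines 4 and 7 (the `0.0.0.0/0` and `192.168.1.0/24` trust entries) and leaves the loopback-only `trust` line alone; the hardened file produces no findings. In a container, the same check can be run on the file the image ships or on the file generated from the `POSTGRES_HOST_AUTH_METHOD` style settings, since that is where a `trust` default ends up.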
Bruskin suggests regularly updating images and securing configurations to mitigate the risk before clusters are breached.