Operators of the Kinsing cryptojacking malware are now compromising Kubernetes clusters by using vulnerabilities in container images and misconfigured PostgreSQL servers to gain initial access to Kubernetes environments.
Microsoft's Defender for Cloud team said that they have recently observed a large amount of clusters that were infected with Kinsing and ran a PostgreSQL container. The misconfiguration relates to ‘trust authentication’ setting, which could be leveraged by a threat actor to connect to the Postgres servers without authentication and achieve remote code execution. Microsoft also warns that some network configurations in Kubernetes are susceptible to ARP poisoning, allowing attackers to impersonate applications in the cluster.
“Therefore, even specifying a private IP address in the “trust” configuration may pose a security risk,” the team notes. “In general, allowing access to a broad range of IP addresses is exposing the PostgreSQL container to a potential threat.”
Microsoft said it has also observed an uptick in the Kinsing attacks targeting servers running vulnerable versions of PHPUnit, Liferay, Oracle WebLogic, and WordPress applications. In case of WebLogic the threat actors have been seen exploiting a slew of vulnerabilities, namely, CVE-2020-14882, CVE-2020-14883, and CVE-2020-14750 to achieve remote code execution.
“Exposing the cluster to the Internet without proper security measures can leave it open to attack from external sources. In addition, attackers can gain access to the cluster by taking advantage of known vulnerabilities in images,” Microsoft said. ”It’s important for security teams to be aware of exposed containers and vulnerable images and try to mitigate the risk before they are breached.”
