Misconfigured PostgreSQL Used to Target Kubernetes ClustersKinsing Malware Targeting Kubernetes Environment, Oracle Flaw
Researchers have found that Kinsing malware gained access to Kubernetes servers by exploiting misconfigured and exposed PostgreSQL servers. The threat actors gained access by exploiting weakly configured PostgreSQL containers and vulnerable container images.
Researchers at Microsoft Defender for Cloud observed a growing number of PostgreSQL containers infected with the Kinsing malware. It uses unique techniques targeting containerized environments, said Sunders Bruskin, a security researcher for Microsoft Defender for Cloud, in a report published last week.
A Golang-based malware, Kinsing has been observed to target Linux environments.
"The fact that this is a new image that is targeted by the malware means some new methods of infection were added to it. Cryptominers' main target is to use the customer's resources. If there are servers that can be infected, the malware will try to target them and execute the malware," Bruskin tells Information Security Media Group.
The misconfigurations use the "trust authentication" setting, which when specified, allows access to all servers, assuming them to be authorized connections.
Bruskin says allowing access to a broad range of IP addresses is exposing the PostgreSQL container to a potential threat.
"Even if the unsecured trust authentication method isn't used and other methods are used instead, it can open attackers to several options such as brute force on the PostgreSQL accounts, attacking the container availability with DoS and DDoS attacks, and trying to exploit the container and the DB itself," Bruskin adds.
Exploiting Container Images
Infected images also were found to be vulnerable to remote code execution, ultimately allowing attackers with network access to exploit the container and run their malicious payload.
A few vulnerable versions of the applications - such as PHPUnit, Liferay, WebLogic and WordPress - were exploited by the attackers.
Bruskin says they focused on Oracle WebLogic exploitation, as they observed "a widespread campaign of Kinsing that targeted vulnerable versions of WebLogic servers."
The WebLogic flaw can be exploited over a network without the need for a username and password. A threat actor would only have to send a malicious HTTP request to the WebLogic Server's management console to initiate the attack, according to a previous update by Oracle.
"Attacks start with scanning of a wide range of IP addresses, looking for an open port that matches the WebLogic default port (7001). If vulnerable, attackers can use one of the exploits to run their malicious payload," Bruskin says.
Oracle and the U.S. Cybersecurity and Infrastructure Security Agency have issued alerts about the importance of applying the patch, which has been available since October 2020 (see: CISA and Oracle Warn Over WebLogic Server Vulnerability).
"We recommend minimizing the exposure of containers to the internet. Be aware of the configuration, and use patched images and known repositories," Bruskin says.