Threat Watch

Kinsing Malware Attacking Vulnerable PostgreSQL Kubernetes Containers

Last Thursday Microsoft reported that Kinsing, a Linux malware family that deploys a cryptocurrency miner, is now targeting Kubernetes clusters through exposed PostgreSQL containers. Specifically, the malware abuses PostgreSQL's 'trust' authentication method: a configuration under which any client that can reach the server is accepted as any database user without a password. Microsoft also observed the campaign exploiting known vulnerabilities in other container images, including PHPUnit, Liferay, WebLogic, and WordPress.

ANALYST NOTES

Organizations can mitigate attacks like this by running the latest versions of container images so that known vulnerabilities are patched; some of the vulnerabilities being exploited are more than two years old, and patches have been available for nearly as long. Note that the PostgreSQL issue is a misconfiguration rather than a software bug: updating the image does not remove a 'trust' rule from pg_hba.conf, so administrators should review authentication settings directly and follow vendor hardening guides for recommended settings. Network exposure of containers should be restricted to the minimum the organization's risk management framework allows, and PostgreSQL should not be reachable from outside the cluster or from workloads that do not need it. Finally, organizations should monitor container resource utilization: sustained, unexplained CPU consumption is a common indicator of a cryptominer running inside a container.
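As an added example (this is not code from Microsoft's write-up or from the Kinsing campaign), the following Python script audits a PostgreSQL pg_hba.conf for 'trust' rules and distinguishes rules that expose the server to network clients from rules limited to the loopback interface. The two configurations inside the script are constructed samples; the "trust-everything" one has the shape the official postgres image writes when it is started with POSTGRES_HOST_AUTH_METHOD=trust, and the second shows a hardened equivalent using scram-sha-256 and an explicit client subnet.

```python
"""Audit a PostgreSQL pg_hba.conf for 'trust' authentication rules.

Added example, not from the original write-up. pg_hba.conf rules have the
form  TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD [OPTIONS]; a 'trust'
METHOD means the matching client is accepted as any role with no password.
"""
import ipaddress
from dataclasses import dataclass

HOST_TYPES = ("host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc")
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))

# Constructed sample: every rule uses trust; the final 'host all all all trust'
# line is what POSTGRES_HOST_AUTH_METHOD=trust produces in the official image.
WEAK_CONF = """\
# constructed sample: trust everywhere
local   all   all                       trust
host    all   all   127.0.0.1/32        trust
host    all   all   ::1/128             trust
host    all   all   all                 trust
host    all   all   10.0.0.0 255.0.0.0  trust
"""

# Constructed sample: password authentication everywhere, TLS required and
# an explicit pod subnet (10.42.0.0/16 is assumed) for network clients.
HARDENED_CONF = """\
local   all   all                       scram-sha-256
host    all   all   127.0.0.1/32        scram-sha-256
host    all   all   ::1/128             scram-sha-256
hostssl all   all   10.42.0.0/16        scram-sha-256
"""


@dataclass
class Finding:
    line_no: int
    severity: str  # "critical" (network-reachable) or "warning" (local only)
    rule: str
    reason: str


def parse_rules(text):
    """Yield (line_no, fields) for each non-empty, non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line.split()


def rule_address(fields):
    """Return (network-or-keyword, index of the METHOD field) for a host rule.

    The ADDRESS may be CIDR, an IP plus a separate netmask field, a hostname,
    or one of the keywords all/samehost/samenet.
    """
    addr = fields[3]
    if addr in ("all", "samehost", "samenet"):
        return addr, 4
    if "/" in addr:
        return ipaddress.ip_network(addr, strict=False), 4
    try:  # "IP NETMASK" form: the netmask occupies the next field
        return ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False), 5
    except ValueError:
        pass
    try:  # bare IP (treated as a single host)
        return ipaddress.ip_network(addr, strict=False), 4
    except ValueError:
        return addr, 4  # hostname or domain suffix


def audit_pg_hba(text):
    """Return a Finding for every 'trust' rule in the config text."""
    findings = []
    for n, f in parse_rules(text):
        if f[0] == "local":
            if len(f) > 3 and f[3] == "trust":
                findings.append(Finding(n, "warning", " ".join(f),
                                        "any OS user on the host can log in as any role"))
            continue
        if f[0] not in HOST_TYPES:
            continue  # include directives and unknown lines are out of scope
        addr, idx = rule_address(f)
        if len(f) <= idx or f[idx] != "trust":
            continue
        if isinstance(addr, str):
            sev, why = "critical", f"'{addr}' matches network clients; no password required"
        elif any(addr.subnet_of(lb) for lb in LOOPBACK if addr.version == lb.version):
            sev, why = "warning", "loopback only: any process in the pod can log in as any role"
        else:
            sev, why = "critical", f"clients in {addr} can log in as any role without a password"
        findings.append(Finding(n, sev, " ".join(f), why))
    return findings


def network_trust_exposed(text):
    """True if at least one trust rule is reachable by network clients."""
    return any(f.severity == "critical" for f in audit_pg_hba(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: network-exposed trust = {network_trust_exposed(conf)}")
        for fnd in audit_pg_hba(conf):
            print(f"  line {fnd.line_no} [{fnd.severity}] {fnd.rule}: {fnd.reason}")
```

Running it against a real file is a matter of passing the contents of pg_hba.conf (inside the container, `SHOW hba_file;` reports its path) to `audit_pg_hba`; a "critical" finding means a client that can reach port 5432 does not need credentials at all, which no image upgrade will fix.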

https://www.bleepingcomputer.com/news/security/microsoft-kubernetes-clusters-hacked-in-malware-campaign-via-postgresql/

https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975