Threat Watch

Kinsing Malware Attacking Vulnerable PostgreSQL Kubernetes Containers

Last Thursday Microsoft reported that the Kinsing malware, a Linux-based malware that deploys a crypto miner, is now targeting Kubernetes clusters via vulnerable PostgreSQL containers. Specifically, the malware is exploiting weak configurations that assume that anyone that can connect to the server is authorized to access the database with any user name without authentication, i.e. ‘trust authentication.’ Additionally, the malware is exploiting other vulnerable images, such as PHPUnit, Liferay, WebLogic, and WordPress.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

Companies can mitigate attacks like this by using the latest versions of container images to ensure the images are adequately patched. Some of the vulnerabilities being exploited are over two years old, with the associated patches released for nearly as long. Moreover, engineers and administrators can check vendor guides for recommended security settings to harden deployments. Administrators can restrict public access to containers to the bare minimum appropriate to an organization’s risk management framework. In addition, organizations should monitor the resource utilization of containers to look for abnormal usage, which may be an indicator of a cryptominer running on the container.

https://www.bleepingcomputer.com/news/security/microsoft-kubernetes-clusters-hacked-in-malware-campaign-via-postgresql/

https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support