Misconfigured Docker Daemon API Ports Attacked for Kinsing Malware Campaign

A campaign that targets misconfigured Docker Daemon API ports through Kinsing malware was reported by security researchers from Aqua Security. The campaign exploited the ports to run an Ubuntu container.

According to the researchers, Kinsing malware’s strings revealed that it is a Golang-based Linux agent. The researchers ran the malware to examine its behavior and found that before deploying its payload, the malware initiated communication with the following IP addresses:

The downloaded spre.sh shell script was used for lateral movement across the container network in a bid to spread the malware. The shell script passively gathered data from /.ssh/config, .bash_history, /.ssh/known_hosts, and other similar locations. It then attempted to establish connection to each host by entering user and key combinations through SSH. If the connection was successful, the aforementioned shell script was downloaded in this location and it ran the malware on other hosts or containers in the network. After the spre.sh attack, the malware ran the kdevtmpfsi cryptominer.

[Related: Container Security: Examining Potential Threats to the Container Environment]

For evasion and persistence, the malware utilized the shell script d.sh that did the following:

• Disabled security measures and cleared log
• Downloaded and ran the shell script every minute using crontab
• Halted and deleted files related to numerous applications like other malware and cryptominers
• Installed and ran the Kinsing malware
• Killed other malicious Docker containers and deleted their image
• Looked for other commands running and cron; if found, it deletes all cron jobs including its own.

Incessant and ever-increasing organizational requirements have led more enterprises to leverage containers that can keep up with the scale of the demand. As more companies utilize containers, more cybercriminals are also finding these as an attractive and possibly lucrative target. According to the findings of Trend Micro researchers, misconfigured containers have long been on the receiving end of cryptocurrency miners and botnet attacks, and may allow cybercriminals to gain a backdoor into an organization’s system. To protect containers against such threats, enterprises are advised to perform the following:

• Secure the container host. Host containers in a container-focused OS to reduce the overall attack surface, and use tools to monitor the host’s health.
• Secure the networking environment. Filter and monitor internal and external traffic by taking advantage of controls like an intrusion prevention system (IPS) and web filtering.
• Secure the management stack. The container registry should be secured and monitored, and the Kubernetes installation locked down.
• Secure the build pipeline. Install strong endpoint controls and implement an access control scheme.
• Implement the recommended best practices.

Trend Micro Hybrid Cloud Security is an automated, all-in-one solution for cloud security. Trend Micro Cloud One™ protects workloads (virtual, physical, cloud, and containers) and scans container images. Trend Micro Cloud One™ - Container Security secures cloud-native applications with automated container image and registry scanning. For security as software: Trend Micro Deep Security™ Software (workload and container security) and Trend Micro Deep Security Smart Check (container image security) scan container images for malware and vulnerabilities.