Malware campaign targets Kubernetes clusters

A white padlock on a dark digital background.
(Image credit:

Microsoft’s cybersecurity researchers have revealed it spotted an uptick in the deployment of the Kinsing malware on Linux servers. 

As per the company’s report, the attackers are leveraging Log4Shell and Atlassian Confluence RCE weaknesses in container images and misconfigured, exposed PostgreSQL containers to install cryptominers on vulnerable endpoints.

Microsoft’s Defender for Cloud team said hackers were going through these apps in search of exploitable flaws:

  • PHPUnit
  • Liferay
  • Oracle WebLogic
  • WordPress

As for the flaws themselves, they were looking to leverage CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883 - RCE flaws in Oracle’s solutions.

“Recently, we identified a widespread campaign of Kinsing that targeted vulnerable versions of WebLogic servers,” Microsoft claims. “Attacks start with scanning of a wide range of IP addresses, looking for an open port that matches the WebLogic default port (7001).”

Updating the images

To stay safe, IT managers are advised to update their images to the latest versions and only source the images from official repositories. 

Threat actors love deploying cryptocurrency miners on servers. These remote endpoints are usually computationally powerful, allowing hackers to “mine” large quantities of cryptocurrency without needing the necessary hardware. What’s more, they also eliminate the high electricity costs usually associated with mining cryptos. 

The victims, on the other hand, have plenty to lose. Not only will their servers be rendered useless (as crypto mining is quite compute-heavy), but will also generate high electricity bills. Usually, the amount of cryptos mined and electricity spent is disproportionate, making the entire ordeal that much more painful.

For Microsoft’s Defender for Cloud team, the two techniques discovered are “commonly seen” in real-world attacks on Kubernetes clusters.

“Exposing the cluster to the Internet without proper security measures can leave it open to attack from external sources. In addition, attackers can gain access to the cluster by taking advantage of known vulnerabilities in images,” the team said.

“It’s important for security teams to be aware of exposed containers and vulnerable images and try to mitigate the risk before they are breached. As we have seen in this blog, regularly updating images and secure configurations can be a game changer for a company when trying to be as protected as possible from security breaches and risky exposure.”

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.